Live from TechEd: Exchange 12

I spent most of the day yesterday in a fairly small room that was filled to bursting... with information on Exchange 12. This release is going to rock. I'm immensely enthusiastic about some of the improvements, particularly around unified messaging, message hygeine, and scalability-- all areas where Exchange already has a strong competitive advantage. Of course, it's too early to talk about most of the changes, but Dave Thompson's presentation yesterday covered some of the biggest highlights.

Live from TechEd: it's true

This week I had to choose between going to TechEd and attending Apple's WWDC. The big WWDC news: Apple will start shipping x86 Macintoshes in 2007 next year. Wow.

Update: Edited to change the shipping date; Apple is shipping x86 machines starting next year. Also, I've seen several questions in various places asking whether Apple will allow running Mac OS X on other vendors' hardware. Phil Schiller says "heck no" in this interview.

Live from TechEd: Cookbook samples

If you're at TechEd, go by the O'Reilly Media booth and get a free sample of Exchange Cookbook content-- it's a nicely finished booklet that contains a dozen or so recipes that give you a flavor (pardon the expression) of what's in the completed book.

Live from TechEd: FabriKam

I couldn't get in to the "Exchange Today and Tomorrow" session-- by the time I got out of the keynote, which ran 30 minutes long, it was full. I went to John's session on FabriKam instead, and have been posting cookbook scripts in the background.

Live from TechEd: Ballmer's keynote

Thanks to the magic of Verizon Wireless, I'm posting live from Hall A at TechEd, where Steve Ballmer is about to take the stage for his keynote.

Update: Samatha Bee from The Daily Show is the emcee for the opener. She's doing some funny bits skewering Apple, IBM, eBay, and Google.

Update: Ballmer takes the stage and says "we got through the bubble" and we're "in a period of long-term, sustained, and positive growth". [ed: everything here on out is paraphrased unless it's in quotes] More pep and excitement in the industry. "I don't think there's ever been a better, more exciting time to be in the IT industry than right now." Impact of IT in the next 10 years will be bigger than the IT's impact in the preceding 10 years.

10-yr anniversary of Win95 launch, which had the most palpable excitement and energy of any product introduction. The next 10 years will be even more exciting and create even more opportunity for everyone in the room. Theme for my speech today: enabling people to drive business success.

"Each and every one of these scenarios is unfulfilled today": improving cust interaction, personal productivity, unified comms, supply chain optimization, team collab, finding information, spotting trends, engaging in business processes.

Update: Samantha Bee again (disclaimer: I don't know who she is and she's not all that funny). Employees are now repositioned as "free-range information workers". She's slagging users pretty bad. Top 5 most requested requests from information workers: one identity and password, online presence, network access, synchronization ("can't my BlackBerry do this now?"), self-service, rights management (labeled as "5 1/2").

Update: Ballmer takes the stage and introduces Avanade video. Ricardo Arroyo: can easily measure the benefits of self-service infrastructure. Closing line: "It's a great time to be an IT guy".

Ballmer again: Avanade wants to connect people and information. Need the tools to facilitate them delivering that connection. IWs inside Avenade are all IT professionals themselves. "Flywheel of activity": design & build with .NET, deploy and operate with Dynamic Systems Initiative (DSI), act and interact with "New World of Work" stuff. "We think we've come a long way" with .NET. Thanks to the .NET RDs.

Next piece: make sure those apps can be deployed and operated. Want to connect closely to design / build of new applications. Big DSI milestone: shipment of Visual Studio 2005, which will "actually connect the flywheel" where "you build the management instrumentation into every application you build".

New world of work builds on 3 principles: access without compromise, self-service infrastructure, "policy gives IT mgt control". built on presence, identity & rights mgmt, network access-- all implemented as shared infrastructure services. "More and more of what you provide, instead of being point solutions, can be infrastructure that IWs can provision themselves."

Rich comprehensive roadmap based on AD: 86% of large enterprises that use directories use AD, 41% use NT4 domains, 15% use NDS, 9% use eDirectory. "When we first brought AD to market, you were slow to adopt it... Good concept, but go back to work".

Windows R2 ships within the next 12 months with better branch office support, ADFS, and storage virtualization and support. New "Compute Cluster Edition" for grid computing. "We want to be the best" at a long lis of areas, including messaging, directory, and "all applications that are about connecting information workers to information. I think that is incontrovertible." "Investing in new scenarios where, if you will, we still have improvements to make and market share to gain."

"You can know without hesitation, no matter what you're trying to do, around Windows Server, it's the right tool for almost every job.

Update: Exchange 2003 SP2 and Messaging and Security feature Pack for Windows Mobile 5.0. "Some people say Microsoft's a good marketing company, but I have a hard time saying all that." "Direct Push" delivers always-up-to-date connectivity over a persistent IP connection. "The kind that we have not delivered, and RIM has historically. But we have also delivered that with no additional management cost". Policy based control for remote device wipe and PIN management. All included with Exchange. No additional licensing cost.

Exchange 2003 SP2 also ups the 16GB limit for Standard Edition and Small Business Server to 75GB. Install SP2; no other changes necessary.

Mike Hall joins Ballmer on stage. He's toting an X41 ThinkPad Tabler. [ed: I'm going to buy one as fast as I can] 6hr battery life, fingerprint reader. Ballmer took it offstage; now there's a video with a buy wo looks like Ed Brill sitting in the back of the cab calling his kids, his office, checking his email, etc. Guy drops his device as he gets out of the cab. Punk kid finds it. "Last year in Chicago, 85000 cell phones were lost-- that's 4 for every cab in Chicago". Guy's admin gets a call from his house telling her that "Dad lost the phone". She calls IT who says they can remotely wipe the device. Punk kid gives it back to the taxi driver.

Now Hall is demonstrating VoIP with Office Communicator and Exchange 2003 SP2 security features, along with MSN Desktop Search. Longhorn demo: "it's not so much about search, as about how you visualize information". Demoing filtering based on metadata (e.g. author, keywords). [ed note: Better UI than Apple's Spotlight.] Controls for minimum PIN length, inactivity lock time, local and remote wipe. Can define exceptions to wipe settings.

New Symbol MC50 device-- nice-looking device with QWERTY keyboard. Greatly simplified device-side setup user interface. Virtual Earth preview. [ed: this is wicked cool!]

Update: Samantha Bee again with interview on "IT pro-developer mediation techniques". Puppet show. Pretty funny.

Update: Ballmer again. .NET momentum is building; 43% "of all developers" use .NET as primary tool vs 35% using Java (Win32 non-.NET is #3). 90% of MS global accounts are using .NET in some way. Three important products: SQL Server 2005 with embedded .NET runtime; Visual Studio 2005 with .NET 2.0, and BizTalk Server 2006. Ideal for connected systems (instead of J2EE), lifecycle dev (instead of Rational), most demanding DB apps (instead of Oracle or DB2), and "lightweight web app development" (instead of LAMP).

.NET 2.0 is 25%-40% better than .NET 1.1 on Sun's WSTest 1.1, and up to 200% faster than WebSphere.

Update: BJ Holtgrewe showing VS 2005 features. New Outlook add-in support. Demoing integrated CRM and Maestro (new tool for BI, reporting, and scorecards). Links Outlook to SQL 2005 Reporting Services. Access to SharePoint, database, syndicated wbe search, and Outlook data. All synced using SQL Server Express for offline/mobility sync. Customer video: Bank of America and Korn/Ferry. "Everything revolves around your inbox, so why not plug everything into Outlook?" "Now it's all about funneling all of our information into Outlook." "We see Office as a platform."

Update: Ballmer again. Talking about Office 12 XML format. VS2005 delivers System Definition Model (SDM) info; SDM will be consumable by MOM and SMS in "System Center wave 2" coming in future. Bill Anderson from mgmt team doing demo showing remote reimaging and managing Solaris servers. Ballmer pulls two fans from the Sun server and MOM generates an alert. MOM-driven failover to backup Solaris box.

Update: Ballmer again. Security is job #1. Showing vulns YTD for Windows 2003 vs SuSE 9 vs RedHat 3. 1 high/29 other for Windows vs 28/136 and 14/174 for the other two. Similar counts for web server role (33 high/19 other for Win2003, 48/84 for RedHat minimum config, 77/97 for RedHat default config). Patching costs 13-14% less for Windows than Linux. "None of this is designed to tell you that our job is done. None of this is designed to tell you that we think our security job is done".

Announcing Microsoft Update: consolidated update service for consumer, small biz, medium biz, and enterprise. Automatic updates for low end, MBSA 2.0 for medium, Windows Server Update Services and SMS for medium-to-large.

Wrapup: "flywheel" graphic again. "We are committed absolutely to making sure that you have the leading-edge innovations that you need to be successful connecting people and information." Closed by thanking audience and giving out his email address.

[Ed: they handed out RFID tags at check-in, with a promised demo-- but then they didn't do the demo. I bet there's an interesting story there!]

MS' position on software replication

I'd previously written about MS' support position on VERITAS Storage Foundation for Exchange. Sometime between then and now, MS released a KB article (895847) that sets out their support policy for hardware and software replication solutions. It outlines support boundaries for three important categories: asynchronous software replication, synchronous hardware replication in a geographically dispersed cluster, and sync hardware replication not in a dispersed cluster. Well worth a read if you're interested in this category of products.

Exchange Cookbook: now on Amazon

I'm delighted to announce that the Exchange Server Cookbook (which I cowrote with Missy Koslosky, Devin Ganger, and Tom Meunier) is now available from Amazon! It should ship sometime next month... and yes, that is a baboon on the cover.

Entourage and RPC-over-HTTP

"Does Entourage use RPC-over-HTTP?" I've run across this question several times in the public newsgroups, on mailing lists, and in direct conversation. Now Mike Wendland's asking, so I figured I'd write a long answer and just refer to it in the future.

In the beginning, there was MAPI, the Mail Application Programming Interface. Microsoft Mail (remember that?) used MAPI, as did the long-forgotten Windows Messaging and Exchange Client applications. When the Outlook team began working on Outlook, it used MAPI also. MAPI communication between client and server are actually implemented using remote procedure calls (RPCs) that travel over the Windows RPC subsystem, which uses TCP ports 135 and 443 and UDP ports 137 and 139. Because early versions of Windows had a number of RPC-related security vulnerabilities, admins quickly learned to block these ports from the Internet, meaning that you had to dial in or establish a VPN session to get your mail with Outlook from outside the corporate network.

In the meantime, lots of other applications started tunneling their data over the standard HTTP port, TCP port 80. This has the advantage (for users) of letting these applications run without special permissions or changes to the firewall. With Outlook 2003, Microsoft implemented RPC-over-HTTP tunneling so that you can establish a native Outlook MAPI session from outside the firewall without using the default RPC ports. This is good from a security and convenience standpoint. Why security? Think about it: if you establish a VPN session, you're trusting the remote machine to be clean, and you're trusting the remote user not to do anything malicious on your network. With RPC-over-HTTP, all the remote user can do is get mail, so you don't have to worry that they're going to screw up anything else.

Entourage for Mac OS X doesn't use RPC-over-HTTP. Instead, it uses WebDAV, an XML-based technology that travels over HTTP connections. It has nothing to do with MAPI or with RPCs, and it works with Exchange 2000 and Exchange Server 2003-- RPC-over-HTTP requires Exchange Server 2003 running on Windows Server 2003.

Both technologies have the same effect: an outside user can establish a connection to the Exchange server using HTTP (which had better be protected with SSL) to talk to the server.

Now, on to Mike's specific question: Apple Mail 2 supports Exchange accounts using WebDAV, so if your employer supports WebDAV and is running Exchange 2000 or later, you should be good to go. You'll probably need to enter the same server name that you use for Outlook Web Access to get Mail to find the right server. Good luck!

Secure Messaging reviewed, at least partly

Michael Murphy, a TechNet presenter for Microsoft, has been reading Secure Messaging with Microsoft Exchange Server 2003. So far, I like his approach to reviewing the book; he's posted an article that describes his reaction to the first two chapters, including an explanation of what's in them. One of the best parts of writing a security-focused book was that I had the luxury of including background material to help Exchange admins get the right vocabulary and mindset to talk security with real security folks. This makes my book very different from other Exchange books, since they normally have to cover so many topics that they can't provide much depth in any one area. In fact, the first five chapters are broad enough to be of interest to admins running any messaging or collaboration software on Windows-- so all you Notes folks who secretly read my blog, go get a copy :)

Office Communicator released to manufacturing

Congratulations to the Microsoft Office Communicator team! They just RTM'd their product. If you haven't already tried it, grab the evaluation version and give it a spin.

Neat virtual SMTP server connection restriction trick

I was floored to hear about this, but maybe that just shows I need to get out more. Turns out that you can flip a metabase flag to get some additional control over SMTP relaying. By default, if you require authentication and list one or more allowed IP addresses, both of those restrictions apply. However, you can set the SMTPIPRestrictionFlag value to use the logical-OR of those two factors, so that you can relay if you authenticate or if you're coming from an allowed IP address. Mad props to Konstantin Ryvkin for admitting to this and to Devin for blogging it.

Brilliant move by Singlefin

Singlefin announced today that they're giving away their hosted spam filtering service, free, to organizations with 10 or fewer mailboxes. The press release (which isn't on their site yet) quotes their CEO as saying "Of course, we know that small companies can become large companies and if we extend this generous offer now while they are still growing, we are confident it will translate into brand loyalty and solid customer referrals down the road". Here's the most interesting part:

Any organization anywhere in the world is eligible to take advantage of this protection without the need for cumbersome software or expensive hardware. Singlefin solutions are 100% managed or “hosted” meaning protection for customer networks is all enabled through network redirects. One simple change to a customer’s DNS enables 100% protection from spam, viruses and other malware via Singlefin’s Enterprise Email Filter. The Web and Instant Message Filters are enabled through similar network changes.

This is a terrific move on Singlefin's part; the incremental cost for them to host these small organizations is low, but the brand-building value is very high. There are so many anti-spam solutions on the market that it's hard for vendors to differentiate themselves, but this should definitely help build awareness of Singlefin.

Fabrikam goes live

My partners at 3sharp have been involved in a huge project over the last few months: building credible enterprise-level sample applications using Office as a development platform. Behold: Fabrikam, a Microsoft Office System Solutions Learning Platform! Hats off to Peter, John, Anup, Kevin, David, Chris, Greg, and Phil.

Turn MBSA scan results into Visio diagrams

Now this is pretty slick: the Visio 2003 Connector for MBSA turns an MBSA scan into a color-coded Visio network diagram. (Actually, you have to create the network diagram first, but that's trivial with Visio 2003 Professional). What a great add-on to MBSA's built-in scanning functionality. Get it here.

Greg Hughes on mobile email devices

Greg Hughes has a great dissection of his recent search for a replacement for his BlackBerry. In the end, he went back to the old familiar BlackBerry, but not until after he tried the Audiovox 5600, the SX66/XV6600, the Treo 650, and the BlackBerry 7100 series. He started with a BlackBerry device and tried the others to see how they compared as mobile email devices and as phones. Perhaps unsurprisingly, he ended up with his same preferred device. It's fascinating to see how big a role inertia plays in PDA/smartphone selection, compared to the larger mobile phone market. Of course, device cost (and the cost of installed software) make a huge difference. I considered the BlackBerry 7100s, but since I can't run any of my stable of useful Palm apps, that wasn't going to happen. (I still have to post a longer review of the XV6600, besides my initial thoughts).

BlackBerry and Windows Mobile clients for Live Communications Server

Huge news from the Real-Time Communications product team at Microsoft. First, we'll be getting a Live Communications Server client for Windows Mobile devices sometime in the second half of this year. I've been happy using the MSN Messenger client that comes with the Windows Mobile-powered Audiovox XV6600, but being able to communicate with other corporate LCS users will be a huge win-- right now, if I want to IM with someone inside Microsoft's perimeter, I have to dig out the ol' laptop. MS hasn't yet announced pricing or functionality; I think it's safe to assume that the Windows Mobile client will have a subset of Office Communicator's functionality, in the same way that Pocket Outlook is a subset of desktop Outlook.

The other news astonished me: Research In Motion, producers of the BlackBerry line, have signed an agreement with MS to produce a Live Communications Server client for the BlackBerry platform. This is terrific news for the LCS team, and great news for BlackBerry users who want to combine their existing mobile e-mail service with IM and presence. Of course, it raises the bar for the Windows Mobile team, who now have to contend with the loss of what would otherwise have been a significant capability advantage. With Magneto around the corner, though, I bet they have some other tricks up their sleeve.

Update: looks like RIM's been busy; yesterday they also announced an agreement with IBM Lotus to provide a native Sametime client for BlackBerry. The plot thickens...

Statistically improbable? Sez you

Amazon has a new feature with which they do various kinds of analysis on (many of) the books in their catalog. One of these analyses is the "statistically improbably phrase" test; this shows phrases for a given book that appear much more often in one book than in the whole corpus of books in their Search Inside program. For my book, here are the SIPs Amazon found:

relaying configuration, antivirus product vendors, relaying settings, archive sink, htr files, perimeter scanner, constrained delegation, check pox, default response rule, mailbox database, key archival, attachment access, perimeter network, message tracking, mailbox administrators, messaging security, retention categories, smart card enrollment station, machine certificates, delegate access, dialog hox, segmentation value, privilege escalation, inbound mail, event sink

Note "check pox" and "dialog hox"; those are probably my favorites. I can't wait to see what the list for the Cookbook looks like!

Ongoing discussion on MS vs IBM

There's a fascinating thread of comments over at Ed Brill's blog on this post. Ed and Alan Lepofsky, along with various other luminaries in the Notes communities, have been having a generally professional discussion with Cliff Reeves of Microsoft. David Madison of Microsoft may have gotten the last word, though, as Ed has promised to turn off comments on the post. It's his blog, and so of course it's his right to do so, but I'm sorry to see it, since I think the exchange has been very illuminating-- particularly since Ed has (quite fairly) criticized Microsoft in the past for not taking part in strategy debates at various public conferences.

If Cliff, David, or any of the other participants in the thread who don't have their own blogs want to carry this on, I'll be happy to guest-post their comments here.

Optimizing Collab and Communications in DC

Another week, another event! This time, I was in DC, where I had a great group of attendees. The highlight was probably during my demo of Microsoft Office Communicator, when I accidentally called Devin. I'd forgotten that the SIP-to-PSTN gateway was active, and I right-clicked his name and used the "Call" context menu to show that his contact information was there, prefilled from my personal Contacts folder. I was quite surprised when Devin's phone started ringing in my computer speakers (and so was he), but we had a short call and the crowd loved it. It's always great to surprise people like that-- I think I may work it into my demo script as a permanent item. Live Communications Server 2005's voice and telephony integration is pretty compelling, and I'm glad that came out in the demo.

Cool new Exchange tool: exmon

Microsoft has established a good pattern: they've been taking tools that they use internally, polishing them up, and releasing them as free tools through their web release (WR) program. This flow most recently brought us ExBPA 2.0, and now a new tool joins the family: the Exchange User Monitor, or ExMon. The cool thing (as Chris points out on the Exchange team blog) is that ExMon can both aggregate data and show you user-specific performance data. If you have a user or two who consistently complain about performance, ExMon gives you a quantitative tool to ID and fix the underlying problem. Check it out.

Forbes pimp-slaps Lotus

Wow, that's gotta hurt. This article, by Daniel Lyons, effectively claims that the air is going out of the Notes balloon, citing market share and revenue data from Gartner, IDC, Ferris, Meta, Radicati, and ITRG. It'll be interesting to see how IBM/Lotus respond to the article; with their 2004 numbers not yet released, the public data to refute some of Lyons' arguments may not be available yet.

IBM "Exchange Alternatives" debrief

So, yesterday I was in Manhattan, again. This time it was to attend IBM's "Microsoft Exchange Alternatives" seminar, held at IBM's building on Madison Avenue. I had to get up at 0400 to drive to Detroit and catch the first flight in to LGA; despite that, the flight was delayed. (That gave me time to finish a paper I've been working on, which I emailed from the back of the taxi on the way to IBM. Good news: I can send email from taxicabs. Bad news: sometimes I have to.) As Ed said, the seminar was well-attended, with about 20 folks in the room from a variety of customers.

There were four presenters: Ed did his overview of IBM's collab strategy; Jennifer Meade from ThroughBox IT did a somewhat lackluster review of three customer case studies, Henry Bestritsky from Binary Tree talked about their Common Migration Tool (CMT) and how it can be used to move from Exchange to Notes, and Brendan Crotty wrapped the morning up with a solid demo of the Domino Access for Microsoft Outlook (DAMO) tool.

Overall, I thought it was a good first effort. As I pointed out to Ed when I met him afterwards, there wasn't any convincing discussion about quantified business value. Interestingly, IBM had several Linux sales folks in the audience, and a common theme underlying Ed and Brendan's presentations was that IBM is promoting server OS choice. I'll save my analysis of that meme for another day :) I don't think the seminar content accurately reflected Microsoft's current collab strategy and why IBM thinks theirs is better. In fairness, that's not what this event was intended to cover. IBM did a good job of positively conveying their message, though, and I think mixing in the partners was a good touch.

How does this compare to our "Optimizing Collaboration and Communications" event? We have more demos, including an extended "day in the life" demo that lets me show how I actually use Microsoft's tools to get my daily work done. We also have a lot more quantitative information about the business benefits of extending Notes/Domino infrastructures with MS' tools. We'll see what Ed thinks when he attends our Chicago event.

Unlike Ed, I made it out of LGA before the weather turned bad :)

Symbian licenses Exchange ActiveSync

Getting on the bus well after it's left the station, Symbian announced today that they're licensing the Exchange ActiveSync protocol. With more than 25 million Symbian OS devices worldwide, this is a big announcement for both sides, although no firm timeline was disclosed. Symbian's already got a good mobile connectivity story; this makes it better while simultaneously highlighting Exchange 2003's advantages as a wireless messaging platform.

Registering for IBM's switcher workshop

After seeing Ed Brill mention IBM's "Microsoft Alternatives" session in Manhattan next week, I decided to sign up for it.. or at least to attempt to. There's no online registration, so I sent mail to the listed address asking to register. No response. So, I tried again just now, and added a voicemail for good measure. Hopefully that will do the trick; it sounds like an interesting seminar.

Update: got the call yesterday; I'm confirmed, and looking forward to it. I don't know much about BinaryTree and their migration tools, so this should be a good learning opportunity.

Second Optimizing Collab & Comm workshop: big hit

This week I'm on the road in Boston and New York City, presenting the second and third iterations of the Microsoft "Optimizing Collaborations and Communications" roadshow that I wrote about last week. Yesterday's event was well attended, and the attendees asked some tough questions about Microsoft's C&C strategy. However, the session evaluation results indicate that they liked the answers they were hearing. MS' message-- that you can augment Notes/Domino installations by adding technologies that drive better business value-- seems to be resonating with these folks. Today, I go to Manhattan via the Acela (which I'll blog about later, or maybe during), then tomorrow it's St Paddy's Day in the Big Apple. I didn't bring anything green, so I need to do some shopping lest I face the wrath of the Irish.

MS buys Groove, gets new CTO

The AP is reporting that Microsoft is buying Groove, which I think is great news. Groove adds some critical capacity to Office System and SharePoint. Lots of other folks will be analyzing this in more detail. The most interesting detail to me is that the AP's report says that Ray Ozzie is going to be the new Microsoft chief technology officer. That certainly raises some very interesting possibilities.

Communications and presence cost

I'm supposed to be working on something else, but I couldn't resist the urge to answer Ed's post on the Microsoft Office Communicator launch, which in turn is in response to this Microsoft Monitor piece (which, by the way, contains a couple of errors).

First, let's consider public IM connectivity. Right now, if you want to interoperate with (say) AOL, you have to install AIM or an AIM-compatible client on your desktops... at which point you lose the security and compliance capabilities that Live Communications Server and Sametime/Workplace both offer. On the other hand, if you have a genuine business need for public IM connectivity, you can use the PIC feature of Live Communications Server to interoperate (selectively) with MSN Messenger, AIM, and Yahoo! Messenger users and still maintain both security and compliance. It's true that PIC is currently priced as a subscription. Ask yourself this: why did AOL suddenly decide to allow a competitor to interoperate? Normally their MO is to break interoperating clients as soon as they can get away with it. Are they getting a cut of the revenue? I don't know, but it certainly wouldn't surprise me.

Next, let's take Ed's point that the Microsoft collaboration platform has more than one piece (he actually uses the phrase "jigsaw puzzle"). Back in the day, Microsoft's claim was simple: Exchange does it all. They have since repented of that, instead delivering a broad suite of collaboration and communication tools that you can mix and match. You can deploy them together or separately. If you don't need, e.g., SharePoint Portal Server, fine-- don't buy it. There's significant stand-alone value in each of the components. In fact, I'm seeing a groundswell of interest in Live Meeting and Live Communication Server deployment among customers that aren't currently using Exchange. Why? Neither of those products require Exchange, and both add measurable business value.

Now, it's also true that the more pieces of the MS platform you deploy, the more capability you get. This is no different from Workplace, except that many of Microsoft's platform components are more mature than their Workplace equivalents. It's a little disingenuous of Microsoft Monitor to claim that you have to buy all of the features; that's like saying that I have to buy the Hemi when I buy a Dodge Magnum (well, OK, I would have to buy the Hemi, but that's another blog post).

About those Microsoft Monitor article mistakes: I count two simple typos ("Instanbul" and the confusion between SharePoint Portal and Windows SharePoint Services) and a misunderstanding of the Outlook/LCS connection. You can deploy Outlook 2003 without Exchange 2003 (in fact, you can even use Outlook 2003 against Notes/Domino servers, using either MS' or IBM's connectors). Every Exchange 2003 CAL includes an Outlook license, but Outlook is also licensable separately.

Optimizing Communication and Collaboration workshops get started

So, you might have seen Gary or Ed mention this, but now that it's underway I have time to talk about it too. 3sharp is presenting a 10-city roadshow called "Optimizing Communication and Collaboration with Microsoft Technologies". The thrust behind the roadshow is simple: you can get a lot of mileage from Microsoft's investment in communications and collaboration technologies by deploying them in parallel with-- not necessarily as a replacement for-- whatever you're currently using. The structure of the events is simple: if you're a developer, you go to John's excellent class on how to extend Notes apps by having them produce, or consume, data from .NET web services; if you're a technical decision maker, you come hear the Burton Group's forecast on market dynamics in the C&C space, then I get to explain the pieces of MS' collaboration strategy, with copious use of demos.

Our first event in Dallas this week went really well. My content was well-received; it was obvious to the attendees that we're not suggesting they rip-and-replace their existing infrastructures (well, maybe if you're using OCS). Instead, we're making a solid case for extending their business systems with Microsoft's collaboration and communications platform. Next stop: Waltham! (Personal to Ed Brill: the Chicago show got moved to 4/21, so please adjust your calendar!)

Adzilla: worse than Autolink?

Lots of discussion about Autolink, which is good. So far, though, I haven't seen very much discussion around Adzilla. Their white paper for service providers describes their services for stripping banner ads (and other ad-related content) and letting the ISP insert its own ads. Yikes. I can't imagine that content providers are going to be too happy about that. Imagine going to CNN.com and seeing locally-inserted ads from your cable modem provider.

Fix for Entourage transaction log problem

Back in November, I wrote about a problem with Entourage and Exchange transaction logs-- sending a message that was larger than the Exchange global message size limit would cause Entourage to resubmit the message each time it tried to send mail, and this would lead to a flood of transaction log files. There's now a server-side hotfix for this problem: MS KB 889525 (An e-mail message stays in the Outbox and the Exchange Server 2003 transaction log files grow when an Entourage user tries to send a message that exceeds the size limit in Global Settings).

Microsoft Security Response Center blog

Dang, I never thought I'd see this happen: the Microsoft Security Response Center (MSRC) has a blog. Pretty cool, and definitely good news for MS' ongoing attempts to broaden the degree of security communications.

Adomo's DEMO appearance

The Weblogs Inc folks covered Adomo's unveiling here (including a picture that's just begging for a caption). I suggested that the Adomo folks contact Robert Scoble before the show; their product is a natural for discussion on his blog, since it's a) MS-centric b) built with .NET and c) very, very cool. I don't know if they did, and now he's offline. However, he gave them (and everyone else) the same advice.

Nokia licenses Exchange ActiveSync and Windows Media

Now this is a surprise, and a pleasant one. Nokia announced that they're licensing Exchange ActiveSync for their Series 60 and Series 80-based phones. This is excellent news for the Exchange team; clearly their effort to get EAS more widely deployed is bearing fruit. (Nokia also licensed Flash.. just what I want on my phone, not.) Interestingly, the WIndows Mobile team has been busy at 3GSM World too; they announced that Flextronics, a large original device manufacturer (ODM), will be building "Peabody", a new, lower-cost, reference platform for Windows Mobile devices. It should be interesting to see how this plays out.

Update: it turns out that Nokia is also licensing a bunch of Windows Media technologies, including Windows Media DRM and the Media Transfer Protocol. Take that, Apple and your not-yet-shipping Motorola iTunes phone!

Adomo: integated voicemail for Exchange

Today a startup named Adomo is launching their new product, Adomo Voice Messaging. They briefed me on it a month or so ago, and I've been eagerly waiting for today (the start of the DEMO 2005 conference) for the embargo to lift so I could talk about it. What they're essentially trying to do is build a comprehensive unified messaging (UM) solution that uses Exchange not just as a message store (like Cisco's Unity) but as the communications backbone. I think they're on the right track, taking what I privately label the CommVault approach: they're leveraging Exchange as much as possible, instead of building a product and trying to make it work, not very well, with multiple back ends.

The Adomo system has three parts: an appliance (running their own *NIX variant, I forget which-- maybe FreeBSD?) that handles up to 36 ports from the PBX, a connector that ties the appliance to the Exchange message store, and a really slick speech-based auto-attendant. You can chain appliances to use more than 36 ports, and Adomo's literature shows smaller 12- and 24-port appliances being used in remote offices. Adomo claims that a single 36-port appliance is enough to serve between 1800 and 3600 users, depending on usage; they're purposefully targeting organizations with more than 500 users. The appliance compresses incoming messages using the GSM codec (which means that you can listen to messages on pretty much any Windows, Mac OS X, or Linux machine-- the codec is ubiquitous, unlike Cisco's ACELP implementation) and sends them to the Exchange connector.

The Exchange connector is where the action happens: incoming messages are directed to the user's mailbox, where they appear as regular email messages. This is particularly important because it allows you to deploy their solution without any desktop changes: there are no required plugins or Outlook bits to add, and VM attachments are available on any device that can handle email attachments (including handhelds, OWA, and so on). Messages are delivered using an Exchange form that includes buttons that let you play your VM on your phone, call the sender, and take other appropriate actions; Adomo has promised tighter integration with Outlook for future versions, but the existing integration is pretty darn good.

One of Adomo's big selling points is that you don't have to touch the Exchange server or Active Directory to implement their product. You only need one connector per Exchange organization. The connector doesn't have to be on an Exchange server, and there are no AD schema changes required. You provision user accounts for voicemail by specifying the associated phone numbers, so there's no need for a separate user management tool. Adomo hasn't said which AD attributes they use, but their literature does claim that you can do all the provisioning through AD Users and Computers or through scripts.

Messages appear with Caller ID data, and the connector is smart enough to match that data against the user's Contacts folder so that messages appear with the correct sender information. That makes it easy to prioritize and handle VMs (either manually or with rules) in the same way you would any other email. In addition to the ubiquitous "message waiting" light, the connector can send SMS messages to a mobile phone or alerts (including the Caller ID number in the subject line) to BlackBerry or other non-audio-capable devices.

It's hard to do the auto-attendant justice in this form, but I'll try. When you call in, the attendant answers and plays its recorded greeting. You can speak a name at any time, and their speech recognizer will attempt to find the name in the GAL (with conflict resolution, so it can ask the user which John Smith ("John Smith in Sales, or John Smith in Engineering?") to connect to based on OU, domain, or group membership. This in itself is very cool; the cooler part is that the attendant has access to a wealth of user-specific data, including your schedule and presence data from LCS. Imagine being able to set a rule that says "if my wife calls on her cell phone, IM me to tell me; otherwise, dump all incoming calls to voicemail". From a user perspective, imagine calling a contact and having the attendant tell you "Jane's in a meeting until 3pm Central; do you want me to notify her that you're calling?" (based, of course, on Jane's decision to trust you with that information as a contact in her Contacts folder). There are almost limitless possibilities for future expansion here, particularly given that the Adomo solution can be used with SIP products (conveniently including LCS 2005).

Of course, given Adomo's target market focus, their solution won't work for everyone. First, it requires Exchange 2003. Second, they haven't released pricing data (at least to me) but since their focus is on 500-plus seat organizations, it likely won't be cheap. (One interesting note: Adomo's pitch talks about the benefits of their product for organizations that sell hosted Exchange services-- this could potentially be a nice revenue sweetener for hosting companies). However, in terms of functionality, their nearest competitor is the Wildfire service, which (last I checked) was $70-150/month/user-- so they've definitely got some pricing maneuvering room. I think their product will be successful, but I'm sure it will be interesting to see how Microsoft's announced UM support in Exchange 12 plays against Adomo's solution, which now has a year or two to get traction before E12 ships.

Surprise! MS buying Sybari

Interesting news: Microsoft is buying Sybari, makers of the outstanding Antigen line of anti-virus products (and some pretty good anti-spam tools, too). Interestingly, there are Antigen versions for Exchange, Live Communications Server, SharePoint, and even Domino; I expect that the breadth of their product line made them a more appealing target than some of their peers. It'll be interesting to see how this acquisition works in conjunction with MS' buy of GeCAD's RAV technology. However, it will be even more interesting to see what effect this announcement has on the second-tier AV vendors-- companies like Command and Panda have got to be sweating now. (Not to mention that many organizations who have stuck with products they don't really like will now use this as an excuse to move!)

Filter update for Exchange Intelligent Message Filter

I could snark about this filter update taking so long, but at least Microsoft's making the IMF freely available-- some messaging systems have no integrated spam filtering. Anyway, there's now a filter update for the IMF available here.

Call for Papers: Exchange Connections Fall 2005!

Ordinarily I wouldn't post this announcement here, but I'm going to break tradition and do so because I'm one of the conference co-chairs. As such, I have to help find speakers, so I want this call for papers to go out far and wide.

Windows IT Pro is now accepting session proposals for the Oct-Nov. 2005 Windows Connections conference. We're heading to San Diego October 30 to November 2, 2005, for the premier Windows technical conference, and we'd like to hear from you!

If you're interested in speaking on Exchange-related topics at the show, send your abstracts to paul@robichaux.net by February 18. We want proposals for regular 75-minute sessions, as well as 1/2 day and full day pre-conference and post-conference sessions.

Note that we have a limited number of speaking slots, and all participants must be able to present a minimum of three 75-minute sessions. There are three basic requirements:

• Send a minimum of 3 session proposals (4 or 5 is ideal for discussion purposes)
• Include a biographical statement with your session proposals
• Include any additional pre- or post-con session proposals, if applicable

Please adhere to the February 18 deadline as we need to make speaker and session selections right away. (We plan to have a conference brochure ready to distribute at TechEd in June.)

Script to retrieve white space for Exchange databases

Here's a very cool trick: Glen Scales wrote a script that finds all of your mailbox and public folder stores, then queries their servers' event logs to find event ID 1221s indicating how much white space is available. This is a slick solution to the vexing problem of monitoring how much white space is lurking in your databases.

Inter-Organization Distribution List Migration

Rui J.M. Silva posted a cool script on his blog for migrating distribution list objects between Exchange organizations. The script is meant to be run against an Exchange 5.5 directory, from which it extracts the DLs with ldifde. It then extracts the 5.5 directory with csvde, matches the display and account names, and outputs a file that can imported using ldifde. The last step actually imports the DLs as universal distribution groups. If you want the DLs to be populated, you must already be using the ADC so that user accounts are synchronized, but the script is still a nice bit of work.

MS releases beta anti-spyware app

As has been widely reported elsewhere, MS has released the public beta of their new anti-spyware tool. Go get it and try it out; I've been running a test build for a while now and have been very impressed with it.

Why I run the MSN toolbar

I've been using the Google toolbar for a long time, but no more. Now I'm using the MSN toolbar instead. Why? Six simple reasons, five of which are security-related:

1. The MSN toolbar doesn't index the browser cache or history file. That means that it won't find cached information like credit card or online banking statements.
2. Every user on a multi-user machine has a separate set of index processes and files.
3. The MSN toolbar never sends any data back to Microsoft. Google's toolbar, of course, sends tons of data back to Google, although they're up-front about it.
4. Index files are obfuscated, raising the bar for casual snoopers (of course, snooping requires admin privileges in the first place :)
5. MSN never automatically downloads updates. You can ask it to do so, but you don't have to.
6. It searches Outlook.

50% off Trend ScanMail

This is a pretty good deal: 50% off new licenses of Trend's ScanMail suite if you're migrating from Exchange 5.5 to Exchange 2003. You have to have more than 1,000 seats, and you have to have proof of migration (evidenced by a current SA license or Exchange 2003 CALs purchased after 6/15/04), and the offer is only good until 12/31/04.

When "it's the pits" is actually GOOD

Microsoft today released a hotfix for the Windows 2003 SMTP stack that provides tarpitting for SMTP. (If you don't already know what tarpitting is, check this explanation). The idea is that you install software that intentionally slows down SMTP throughput for bogus requests. This helps make it uneconomical for spammers to ply their trade. The hotfix requires you to install a package and set a registry key, then you're done. Highly recommended.

Word of the day

What do you call a hotfix that doesn't actually fix the problem it's supposed to cure?

I vote for notfix, but I welcome your suggestions. The best suggestion posted as a comment here by December 15th wins... uh... something cool. Yeah, that's it-- your choice of a signed copy of one of my books or a $25 donation to the charity of your choice. Get those creative juices flowing.

Getting started with Workplace

So, here's a question for Ed and any other Lotus-Knowledgeable readers out there. What's the best way to start learning about Workplace Messaging? So far I've learned some peripheral facts, like that it has outrageous system requirements (quad 2GHz procs + 2 GB of RAM), that it's licensed per-processor (so you need 4 server licenses for that 4-proc machine), and that every initial license includes 12 months of maintenance. However, I haven't found a clear, comprehensive source of getting-started information, apart from this tutorial. That's probably just because I don't know where on IBM's gargantuan web site to look, hence this post. If you do know, please share.

Update: I just spoke to a friendly IBM sales rep who made it very clear that Workplace products are not licensed per-server or per-CPU, but per-user. My earlier post was based on something I saw at vowe.net. Caveat lector.

Motorola embraces EAS

Now this is interesting: Motorola has announced that they've licensed Exchange ActiveSync and will start supporting it when they release the A780 phone next year. That means that Exchange ActiveSync will be available on a Linux-based device, along with the PalmOS-based Treo 650. While this might seem like the kind of thing to give the Windows Mobile apoplexy, Motorola sees (and has labeled) the A780 as a midtier device that doesn't compete with the feature-rich(er) Windows Mobile devices now on the market. EAS will be integrated with Motorola's propietary MOTOSYNC protocol; it's too early for me to tell what form the integration might take.

Exchange ActiveSync troubleshooting

I'm working on an article on Exchange ActiveSync for the magazine. Unfortunately, I don't have it working for my device yet-- John's iPaq 6315 works on 3sharp's server, but something is funny with my server here at home, and I'm going to be troubleshooting it this week. A couple of resources that look useful: this extremely detailed TechNet webcast and Chris De Herrera's troubleshooting guide (which mostly covers "regular" ActiveSync) on CEWindows.net.

Comments re-enabled

I have re-enabled comments, with the added requirement that you use TypeKey (which, fortunately, is free). As soon as I can get MT-Blacklist to work properly, I'll enable unregistered comments, but for now you'll need to sign in before commenting. Sorry about the inconvenience.

Tony Redmond's newest book, not reviewed

The publisher was kind enough to send me a review copy of Tony Redmond's latest book, Tony Redmond's Microsoft Exchange Server 2003 : with SP1. I haven't had a chance to even open it yet, but I can say this: at $37.77 from Amazon, and at 4.3 lbs, it comes in at a very respectable US$8.78/lb. By way of comparison, Stanek's Exchange Server 2003 Administrator's Pocket Companion costs $14.13/lb, and my security book weighs in at $14.34/lb. Tthat's just because it's packed full of so much information. Or something.

Entourage and runaway transaction logs

Jeremy Kelly is reporting an unusual interaction between Entourage and Exchange 2003. The symptom: transaction log bloat. The problem seems to occur when an Entourage client tries to submit a message that's too large for the maximum message size limit set on that user's mailbox store. Instead of reporting the error (and not resubmitting the message), Entourage happily tries to send the message each time it connects. If the message is large enough, and if this goes on long enough, the server will eventually run out of log space. Jeremy recommends a temporary fix of turning off httpdav, removing the offending message from the client, and re-enabling httpdav; no word yet on an ETA for a better fix.

Everything you ever wanted to know about Smartphone development

I just ordered an AT&T Audiovox SMT5600, so I went digging for development information. Then I found this page, which will keep me in reading material until at least this time next year. Wow. If you're at all interested in the .NET Compact Framework, this would be a great place to start.

Two Windows Mobile webcasts

Next week is Windows Mobile webcast week. There are two webcasts of particular interest for Exchange 2003 administrators: one on best practices for Windows Mobile deployments, and one for Windows Mobile/Exchange troubleshooting.

New Live Communications Server blog

Tom Laciano has a new blog focused on Live Communications Server. Based on what he's posted so far, this will be one to watch. For example, this post on using certificates for mutual TLS authentication in LCS 2003 is pure technical gold. I plan to follow it regularly.

New white paper on Exchange regulatory compliance

What do you get when you combine Exchange Server 2003, KVS Enterprise Vault, KVS Discovey Accelerator, and SharePoint?

An integrated solution for getting compliant with Sarbanes-Oxley, portions of HIPAA, Gramm-Leach-Bliley, or SEC 17a4, that's what. Missy Koslosky and Devin Ganger of 3sharp wrote an excellent white paper on the topic, which is finally now public.

New white paper: MSIT experience with Exchange 2003 mobile messaging

Microsoft has what's probably the largest deployment of OMA and Exchange ActiveSync. What have they learned about how to scale and provision these services?

Quite a bit, as it turns out. See this whitepaper for the details. Basically, they provide OMA, OWA, and EAS service for 50,000 users using two Exchange 2003 front-ends and their associated back-end mailbox servers. The paper doesn't provide any real performance data, but it does mention that you can do your own stress and scalability tests with ESP-- always a good idea.

Cool command-line mailbox manipulation tool

Joe has a number of really nifty free tools on his site, including the world-famous ADFind. However, I just stumbled across a new tool he wrote while working on the Exchange chapter of the Windows Server 2003 Cookbook (forthcoming from O'Reilly).

ExchMbx provides a simple command-line interface for creating and moving mailboxes, mail-enabling or disabling objects, setting the Internet mail encoding format, and performing some other miscellaneous but useful tasks. Since it's free, I highly recommend it. Joe points out that it can "quickly make some serious changes to your directory", so be careful with it.

Microsoft and Cisco hook up NAC and NAP

Now <em>this</em> is interesting: Microsoft and Cisco are hooking up and exchanging some network-protection DNA. Microsoft mentioned their Network Access Protection (NAP, a somewhat unfortunate acronym) at their worldwide partner conference in July; now MS is pushing the release of NAP back to Longhorn Server in order to integrate support for Cisco's Network Access Control (NAC). This interview with Windows GM Bob Kelly says that MS and Cisco will work to ensure that NAP and NAC are fully interoperable, which is great news; since NAC is already shipping, it would have been counterproductive for MS to complete their own, incompatible, solution and make customers choose between them.

Cisco's PR has a bit more information; MS and Cisco will develop and share APIs so that NAC and NAP can share enforcement information (e.g. so a device blocked by one will be blocked by the other). According to the PR, "Cisco is giving Microsoft a license to evaluate the Cisco NAC wire protocol for use as part of the Microsoft quarantine system, and Microsoft is giving Cisco a license to evaluate the Microsoft NAP client and server APIs as a way to build interoperability into future versions of Cisco NAC." We'll have to wait to see what fruit this collaboration bears, but it certainly seems to be a step in the right direction.

Best practices: we're not kidding

Clearly Microsoft isn't kidding about the rules for ExBPA being very thorough. I was delighted to see this "critical issue" flagged while running ExBPA on an intentionally-screwed-up Exchange server image. Way to go, Paul, Jon, and team!

BugTraq RSS feed

It's hard to keep track of who's blogging, particularly as automated tools that make RSS feeds for automated systems proliferate. Personally, I want to see as much data in RSS form as possible, especially for fast-changing or noisy systems like, oh, mailing lists.

The fine folks at Djeaux.com have a bunch of feeds, including one they just added for the bugtraq mailing list. There are verbose and brief versions, either one of which will still give you the lowdown.

MS releases SP1 for Mac Office 2004

Excellent! Microsoft has released Service Pack 1 for Office 2004. I haven't found a list of fixes yet, and I'm away from my Mac so I can't download it to try it out. It's supposed to be available via the Microsoft AutoUpdate tool or directly from the MS Mac page.

I commend the Mac BU on getting this out so quickly, and I'm pleased to see that the PR is pushing MERP, the Microsoft Error Reporting Protocol. MERP is the Mac version of the Office Corporate Error Reporting (CER) tool. Netscape pioneered this kind of automatic error reporting in 1996 or so, and Microsoft has refined it into a variety of tools that give them a great deal of quantitative data about what breaks, when, and under what conditions. I've been very pleased with the overall stability of Office 2004, and the quick release of this SP is an excellent sign.

More on the Treo and Exchange ActiveSync

This afternoon I had a call with the PR folks from PalmOne to get their take on the Exchange ActiveSync for Treo announcement. As is to be expected, they were mum on the details most people really want. The new devices, which they didn't explicitly name, are being released "this fall-- before the end of the year". When I asked if they were prepared to say which carriers would offer them, all I got was a chuckle.

Interestingly, Palm sees Exchange ActiveSync support as broadening the market for their devices by making them attractive to sites that might otherwise have standardized on Windows Mobile. Since they already support Good and BlackBerry, this is a credible argument.

Unfortunately, the initial implementation of Exchange ActiveSync doesn't have feature parity with the Windows Mobile version. You get wireless access to, and synchronization of, your inbox and calendar: no subfolders, and no wireless contact sync. For their target market, this isn't a big deal. You can still sync contacts via the desktop conduit, and you can create multiple profiles in VersaMail so that your desktop-synced mail profiles have your subfolders. There's no support for Always Up-to-Date, either. Future releases will improve the Exchange ActiveSync feature set, but the PalmOne reps said that they had not yet decided on a schedule, or a delivery method, for those future releases. That's fair, too; after all, they have to ship the first release first.

Microsoft, PalmOne announce Exchange ActiveSync for Treo

This is big and rich: Microsoft announced today that they've licensed the Exchange ActiveSync protocol to palmOne for use in their new, officially-unannounced line of Treo smartphones (including the 650). I want one.

Why is this a big deal? Well, pick your reasons. First, it shows that the Exchange team is going to do the right thing for customers by providing a broad range of supported EAS devices, even though I bet the Windows Mobile folks are really torqued off about it. Second, it puts a stake in the ground: MS is not backing away from Exchange ActiveSync in the face of vigorous competition from RIM and Good Technologies; Good is already shipping GoodLink for Treo, and RIM announced BlackBerry software for Palm OS in December 2003.

Next, it broadens the reach of ActiveSync to embrace Palm OS devices. That's good for Exchange, since many organizations have stuck with Palm as their standard mobile platform. Palm OS users can now have the crunchy Always Up-to-Date goodness formerly reserved for Windows Mobile devices.

IMHO the most significant impact of this deal has little to do with the specific technologies involved: if it is successful, it will validate Microsoft's fairly new, and still somewhat untested, approach of licensing key networking/communications protocols to all comers. Overall, this is a very important approach for MS to embrace if they want to stay competitive against the many organizations that want to knock them off their pedestal.

Updated: added a link to the MS press release.
Updated: removed note about AUTD support, which isn't in the first release.

Death knell for Sender ID?

Now, this is interesting: the IETF Sender ID working group is apparently defunct. This is more or less the equivalent of that milestone of farce comedies, the divorce due to irreconcilable differences.

The MARID working group was charged with adopting a standard, but factions within the working group were unable to reach agreement on whether Sender ID should be that standard. That's because Microsoft holds some key patents on Sender ID components, and the IETF generally doesn't want to see patented technologies enshrined as IETF standards. That's a laudable goal, but unfortunately it's torpedoed the adoption of SPF or Sender ID at this point. We'll have to wait and see what happens, and whether any vendors sign on to Sender ID despite the unlikelihood of it ever becoming an IETF standard.

MS announces Data Protection Server

This Computerworld story (and the related MS press release) announce the arrival of a new Windows product: the Data Protection Server (DPS). DPS is basically a distributed tool that puts agents on the file servers you want to protect; the agents then run scheduled disk-to-disk backups. Depending on how this is implemented, this might be a significant improvement over the kind of ad-hoc disk-to-disk backup schemes most small and medium organizations use. DPS combines replication and point-in-time copies, which places it squarely into competition with products from Legato and Veritas (among others).

It's pretty clear that MS is firing a shot across the bows of other software replication providers; it's also clear that given their market presence, and the list of partners signed up for DPS, that they'll probably get replication into a lot of shops that have resisted it so far. What's not so clear is what this means for the enterprise, and what it means for Exchange. This Q&A with Yuval Neeman says that future versions of DPS will protect SQL and Exchange, but that's awfully generic. (I wonder if you could take a VSS snap of an Exchange volume using a VSS-aware backup tool and then use DPS to replicate it? Hmmm....)

Microsoft releases Exchange Best Practices Analyzer tool

This is very, very cool: the Exchange Best Practices Analyzer is a new tool from Microsoft that checks your Exchange infrastructure for good design practices. To be more specific, the tool investigates various parameters (including some from AD, a few perfmon counters, the IIS metabase, and your DNS) to see how well your operational configuration conforms to generally accepted best practices.

ExBPA's purpose is to automate some of the basic health-and-sanity checks that an experienced Exchange administrator, consultant, or PSS engineer might do when evaluating an unfamiliar environment. It's not designed to find every possible mistake you can make (heaven knows there are plenty); instead, it's intended to help you quickly find well-known misconfigurations and administrator errors. It checks the protocol configurations for SMTP, POP, IMAP, LDAP, and HTTP; GC/DC accessibility; hop counts and routing latency for message routing; the packet size and contents of the link state table; and basic DNS configuraton stuff.

You can tweak the rules to control which specific areas ExBPA checks for, which is handy. ExBPA generates XML report files that you can parse yourself, or import into another instance of ExBPA on another machine. One output is a list of issues that the tool found-- this is similar in concept to the problem report you get from MBSA, and it serves the same purpose of allowing you to quickly pinpoint and fix whatever needs fixing. It's a very useful tool, and it nicely complements the other free diagnostic and management tools that Microsoft's been making available. Hats off to Paul Bowden and his team for getting this released!

Controlling Always-Up-To-Date timing

I've been fiddling with Exchange ActiveSync lately, and I'm actually pretty impressed with it-- it's a neat feature. If you're not familiar with it, it basically sends periodic notifications of new mail to your Windows Mobile device; when the device receives the AUTD message, it wakes up and pulls new messages from your Exchange server. This gives you more-or-less continuous access to the contents of your mailbox.

However, there's no obvious way to control how often Exchange ActiveSync sends these notifications to your device. By default, it uses an interval of 15 minutes, but that may not be right for your particular installation. There's a way to control the batching behavior, but it's not obvious: you have to create a new REG_DWORD named BatchingTimer under the Software\Microsoft\Exchange\OMA key (if OMA doesn't exist, create it first). Possible values are:

• 0 means don't batch at all: send notifications as each individual message arrives. I wouldn't do this if I were you, since every notification will generate an SMS message to your device, and that normally costs money.
  
• Any value below 900000 (which just happens to be the number of milliseconds in 15 minutes, the default interval) will cause the interval to be kept at 15 minutes
  
• Any value above 900000 will be taken as the actual value. For example, 3600000 will set the batching timer to one hour.
  

Windows NT 4.0 and Windows 98 Threat Mitigation Guide released

At long last, Microsoft's released a document that describes what you can do to mitigate threats to your network from Windows 98 and Windows NT 4.0 machines: the Windows NT 4.0 and Windows 98 Threat Mitigation Guide.

Of course, the best way to mitigate the threats posed by these versions of Windows is to upgrade them to Windows XP or Windows Server 2003, but that's not always feasible. The guide (downloadable here) describes some of the other things you can do, including network segmentation, appropriate use of NTLMv2, and patch management. Check it out.

Another Exchange SURBL filter

I just got a note from Martijn Jongen mentioning that he has a SURBL filter for Exchange.

While I haven't examined it in detail, it certainly seems easier to install and configure than the regexfilter. When I get a few minutes, I'll poke into it and give it a try. However, Martijn's site has a pretty active user forum where many people have made happy noises about previous releases, so that's probably a good place to start reading.

New IMF hotfix for 15-character names

This is a pretty rare problem, but still: if you're running the Exchange IMF on a machine with a 15-character NetBIOS name, the IMF won't actually filter the inbound messages. This is kind of a silly bug.

Fortunately, though, it's fixed: see KB 873434. (Hat tip: Evan)

Preset the language for OMA users

Imagine that you have a bunch of OMA users who don't use English as their native language. Wouldn't it be nice to set the default OMA language that they see when they log on, without making them learn enough English to navigate OMA's interface and set it themselves?

Exchange MVP Richard Matheisen posed this question, and it turns out to have a surprisingly simple answer. Just set the msExchEmbCultureInfo attribute on the root folder of the user's mailbox to the LCID of the language you want that user to have for OMA, and you're done. (Updated to fix my bug; I'd originally said that this attr was on the mailbox, and it's not.)

Configuring per-server IMF gateway settings

I hate it when this happens! I just sent off a Troubleshooter column question for the December issue on how to create separate settings on separate IMF servers. My answer involved multiple forests and was fairly ugly. I then decided to relax and do a little blog surfing. Lo and behold, It turns out that (courtesy of Evan's blog) there's a much more elegant solution to this problem.

The answer is "registry override". The gateway settings are read first from the AD, but the registry on the IMF gateway server is also consulted and if there is an override setting configured, these "per-server" override settings are used instead.

It turns out that HKLM\Software\Microsoft\Exchange\ContentFilter can accept a value named GatewayThreshold; its range is 0-9, just like the SCL. Set the GatewayAction DWORD value to 0 (no action), 1 (delete), 2 (reject), or 5 (archive + delete) and you're in business. Thanks, Evan!

What's in a SID?

Larry Osterman has a terrific post up today on the guts of Windows security identifiers, or SIDs. A small taste:

Each domain controller allocates RIDs for that domain, each principal created gets its own RID.  In general, for NT principals, the SID for each user in a domain will be identical, except for the last RID (that’s why it’s a “relative” ID – the value in SubAuthority[n] is relative to SubAuthority[n-1]).  In Windows NT (before Win2000), RID allocation was trivial – user accounts could only be created at the primary domain controller (there was only one  PDC, with multiple backup domain controllers) so the PDC could manage the list of RIDs that was allocated easily.  For Windows 2000 and later, user accounts can be created on any domain controller, so the RID allocation algorithm is somewhat more complicated.

Order in the port: Port Reporter Parser released

Port Reporter is a nifty tool from Microsoft that you can use to log TCP and UDP activity on Windows machines; it logs port activity on ports that you specify to a text file. It's extremely useful for monitoring traffic from specified machines or services, and it has a variety of useful features that I won't enumerate-- go download it already.

One thin Port Reporter didn't have was a good way to parse the data it recorded in an easily-readable form. Of course, this is just the sort of thing that you'd want a tool for, and the Port Reporter author delivered in spades with Port Reporter Parser (PR-Parser). The parser (described in KB article 884289) adds some pretty slick analysis and parsing capabilities that can be very useful for incident response or troubleshooting. Check it out.

VERITAS buys KVS

Well, this is interesting: VERITAS buys KVS for $225 million in cash. Considering VERITAS' failure to turn their own archiving product for Windows into a real competitor for KVS, this is an interesting move.

Ultimately, I think it's a good one, provided that VERITAS is able to effectively leverage the addition of KVS' staff and products. One of the problems I found when I was there was that their sales force is incentivized to sell UNIX products, and so that's what they do. Perhaps the addition of these new products will change the mix enough to help get the direct and channel sales forces on track. Since I still own some VRTS stock, that'd be good news.

E-mail free Fridays Jeremy Burton has a good idea: declare Friday as an "email-free day" in his department. This story, which I first saw in the WSJ, has grown legs as people debate whether this is a good idea or not. I think the stimulus that led to Burton's edict is something we can all identify with: he wondered how much time his folks were wasting on email. The response, though, is throwing the baby out with the bathwater; instead of working with his employees to help them use email more productively, he's banned it for 20% of his org's working hours so that he's effectively reducing their productivity one day a week. One thing I learned in the Marines: you manage people according to their results. If the marketing folks at VERITAS aren't getting their jobs done, it's probably not because they're sending too many email messages on Fridays.

Barracuda Spam Firewall: first look

I've been testing the Barracuda Networks Spam Firewall 300 for the last couple of weeks. So far, I'm very pleased with it; it has done an effective job of filtering spam and virus messages. The best thing is that it incorporates rate control along with other more conventional filtering (including Bayesian and header analysis); this saved me from a huge comment-spam attack last week (see the big blue spike on the "daily mail statistics" graph in the picture below). The unit was very easy to set up and install, and it has worked without interruption since I installed it.

This summary screen shows a big blue spike for earlier in the week-- that turned out to be because of a huge comment spam attack that generated more than 2,000 messages. Fortunately, all of those got blocked so I didn't have to deal with them (although a few did leak through, slowly, after Pair sent them to my secondary MX). The ability to subject-tag suspect messages is valuable, too, since my users can easily filter them. I don't have cost information, but my guess is that the unit I have is probably price-competitive with high-end software solutions like MailMarshal and PolicyPatrol. I'll write a more detailed analysis of the Spam Firewall after I've had a chance to work with it more, but for now-- It Just Works.

Commercial support for SURBL in Exchange

So, last week I wrote a column about SURBL. This week's column, which went out today, is about the regexfilter, a free filter that-- among its many other tricks-- happens to support SURBL. No sooner did it go out than I got two press releases from Jeff Chan of SURBL.org.

First, STAT Communications has added SURBL support to their spam filter set for Mercury/32. Second, Red Earth Software added SURBL support to version 3.5 of Policy Patrol. This will hopefully be the start of a welcome trend, since it's much easier to stem spam given the "fan-out" nature of blocking spammers' target URLs.

Free SPF filter

I just finished a lengthy article on Microsoft's Sender ID specification; it should hit print in November. One of the points I had to address was the sad fact that Exchange itself currently doesn't support either SPF or Sender ID. This makes it hard to aggressively advocate that people deploy a Microsoft standard that isn't currently supported by their own products.

As it turns out, there is a solution for Exchange 2000 and Exchange Server 2003. Michael Brumm has a free SPF filter for Exchange; as a bonus, it also works with the IIS and Windows XP SMTP services. GFI has purchased this technology for possible future inclusion in MailEssentials, but they're allowing the author to continue to distribute his filter until they ship their own version. Get it and check it out. SPF and Sender ID aren't perfect technical solutions, but they can be useful if they're widely enough deployed.

Passwords vs passphrases, redux

So, Robert Hensing started it off by saying something simple: "you should NOT be using passwords of any kind" on your Windows network. Instead, he recommends that you use passphrases. Good advice... or is it?

Dana Epps then jumped in with a response:

However, by using passPHRASES you break down the password in distinct elements, in this case in the english language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here). Attackers know this. And can use that to their advantage.

He then goes on to advocate making passwords out of passphrases, so that "From the halls of Montezuma / To the shores of Tripoli.." becomes "FthoMttsoT!", which isn't too bad of a password, as long as you can remember to type it properly. Of course, I couldn't resist adding my $0.02. If you take Dana's approach, and pick something too simple or well-known (like, say, lines from The Marines' Hymn), you are at least theoretically vulnerable to dictionary attacks that try combinations of Beatles lyrics, quotes from The Princess Bride, or whatever. One good point that Robert makes is that current tools are compute- and storage-limited, and the math favors the defender. However, cracking tools keep getting better too.

Can you do even better? Sure. Two simple words: shocking nonsense, described in the PGP passphrase FAQ. Simply pick out a shocking but nonsensical phrase, just like you might with refrigerator magnets. Something along the lines of "Vixen clowns fart noisily in church" could be a good start. Then use combination and substitution, so that you end up with "Vcl0wnsfnNc". Voila! the benefits of an easy-to-remember phrase that isn't vulnerable to dictionary attacks.

Cleaning up after classified email

I recently posted about LANL's email troubles, and that inspired me to write a column about the same topic. Of course, not all of us have classified data actually on our servers.

However, everyone's got some kind of sensitive information in their organizations. Are there things so secret that they shouldn't go in your mail? For example, some companies keep all discussion of legal matters out of email so they can't be subpoenaed. What do you do if those secrets do get in your mail server? It's worth considering that now so that you have a plan in place before you need it.

Geek out: Exchange Server 2003 Technical Reference Guide

Wow. 400+ pages of extremely detailed information about Exchange internals. Microsoft says that this guide is "not for beginning administrators", which means they might as well be posting a big red "READ ME FIRST" on the cover. Most folks don't like to think of themselves as beginners. Ever wonder which ESM operations use MAPI and which use DAV? Want to know how ESM decides to use DNS or WINS to find the server you want to manage? Curious about exactly what's in the link state table? This guide will tell you all that, and a bunch more besides. Highly recommended. Here's a taste:

Microsoft support for VERITAS Storage Foundation

Man, am I glad to see this: an official statement on MS' support position for VERITAS Storage Foundation. The bottom line is very simple:

To be very clear: Microsoft will provide support for Microsoft Exchange issues if you run Exchange on a VERITAS Storage Foundation platform. However, Microsoft will only troubleshoot and attempt to resolve Exchange-specific issues up to the point that the source of the problem can be reasonably attributed to an issue or incompatibility with VERITAS software. This same principle also applies to other third party products.

The same is true, of course, from replication products from all other vendors, too: Microsoft supports Exchange, not random replication (or AV, or anti-spam, or ...) tools. PSS won't tell you to jump in a lake when you call them with a problem, but if the problem turns out to be caused by the third party product, MS will direct you to them for troubleshooting.

RSS feeds from public folders

Thanks to fellow MVP Glen Scales, it's now trivial to create an RSS feed from a public folder. This is very, very cool. Why? Well, for starters, we keep a public folder of security bulletins and alerts from various sources-- presto! it's an RSS feed. Many of my cow orkers who don't pay attention to public folders nonetheless will read anything that shows up in their aggregator.

It's NAP time

No, not that kind of NAP: in this case, Network Access Protection (NAP) Is Microsoft's name for the network quarantine feature they're shipping in Windows Server 2003 R2. The NAP white paper makes for an interesting read, but the NAP FAQ might be a better place to start. In brief, NAP works by allowing administrators to set policies (like "system must have version X of antivirus product Y") or ("system must have patches A, B, and C from Windows Update").

Clients that meet these policies (as assessed by an agent running on the client) are allowed to connect to the network; systems that do not meet the policies cannot. The NAP architecture description has lots more detail, including details on what kind of network isolation is available (DHCP and VPN are both supported) and how you can set up quarantine resources on an isolated subnet. This last is a particular interest of mine; being able to quarantine "unhealthy" systems is good, but it's better if they then can get immediate access to a set of resources (like AV software or signatures or your local SUS server) to get whatever updates they need to be compliant.

"Working with Exchange Server" Entourage white paper released

Microsoft's released a white paper on how to make Entourage work with Exchange. That's good. Unfortunately, some of the guidance in the troubleshooting section is frustratingly generic. For example, check this note: "In an Active Directory or network infrastructure that is heavily secured, Entourage 2004 Exchange clients can experience difficulty in locating the Active Directory global access server and authenticating the user account. Environments where the servers are locked down and the required ports are closed will experience these problems, and Entourage auto-configure might not work." So, it might not work, but you're not going to tell me why it might not work, nor what to do about it.

On the other hand, there are lots of good tips:

• Always send to fully qualified addresses (e.g. use "user@FQDN" and not just "user"). This bites me sometimes when I send messages to distribution groups; if I don't remember to add the FQDN, when the message arrives recipients' Outlook rules won't catch the message properly.
  
• If you change the IP address of your Mac, you have to quit and relaunch Entourage or it will refuse to connect to your Exchange server
  
• Using the "Send / Receive Now" command doesn't do anything; Exchange synchronization is automatic and basically unaffected by anything you do (other than quitting and relaunching, or switching Entourage identities)
  
• If you add a second Exchange account, by default it does not sync contacts and calendar data with the server. If you enable syncing on multiple Exchange accounts, they all sync according to the settings you define. I love this feature, since it keeps my calendar unified between three different accounts, but it was nice of them to have it default to "off" to avoid rude surprises.
  

MSDN Product Feedback Center

This is really cool: a new web-based engine for tracking product bugs and feedback for Microsoft products. It will eventually replace BetaPlace (and not a moment too soon IMHO). You and I can now report bugs, not to mention being able to find existing bugs and "vote" for them to raise their priority/visibility. This doesn't have any direct impact on Exchange, yet, but it's safe to bet that when Exchange Edge Services hits beta that this will be the feedback mechanism for it.

The really interesting part of this project (code-named "Ladybug") is that bugs reported by users are automatically loaded into Microsoft's internal product development bug tracking engine, where engineers can directly see them just like other bugs (e.g. those generated by internal tests, early adopter deployments, and so on). The sync isn't two-way, so Ladybug users don't get to see bugs filed by internal users. However, this brings Microsoft solidly ahead of a number of their competitors (including Apple's lame RADAR database), and it should provide a welcome channel for feedback on product wishes and deficiencies. You can see a demo of the new product in action here, or you can just try it yourself.

IMF archive reviewing

Over at the real Exchange blog, Neil posted a note about a cool web-based tool for reviewing messages archived by the Exchange Intelligent Message Filter. Written by Daryl Maunder, the tool is simple to install (create a new IIS virtual directory on your Exchange server, copy the tool files to it, and voila!) and works well. In the comments to that post, the tireless KC Lemson noted another filter, this one a C# tool written by James Webster of the Exchange team. Both work well; I currently prefer Webster's tool because it shows both the message and the contents of the P2 recipient data, using a sort of preview pane arrangement; I also like the fact that it's open-source. Maunder's web-based tool is cool too because you can access it from other machines on your LAN (or via VPN). Either tool is an improvement over the minimal functionality the IMF itself provides for reviewing archived messages-- try them both and see which you prefer. (Note to both authors: please, please implement a way to select multiple messages for action-- that would be a big help.)

The OWAAdmin tool

This week's column was on the very cool OWAAdmin tool. I neglected to mention that Tosh Meston, one of the developers on the OWA team, mentioned it in his blog-- sorry, Tosh.

This tool, which you can install on any Microsoft IIS server that runs version 1.1 of the Microsoft .NET Framework and ASP.NET, lets you remotely administer your OWA servers from anywhere in the organization. Although OWA offers quite a few features, the process of controlling OWA servers has always been a hassle because it depends on the creation of registry keys or values. Every Windows administrator knows how to do that, I know; the problem arises when you want to make configuration changes to multiple machines. Doing so manually is a bother and is even harder when you factor in common security settings that restrict or prevent remote registry access. You can always create your own Administrative Template file and attach it to a Group Policy Object (GPO), but only if you have the proper permissions in Active Directory (AD). Exchange administrators are often dependent on some other person or group to make directory changes.

PFDAVAdmin for setting public folder permissions

You might consider this an error from the book, but it's really more of an omission: I never mentioned that you can use PFDAVAdmin to view, modify, and set public folder permissions, including fixing the "invalid windows handle ID" error that we all know and love. The MS Exchange Blog has a good overview piece, and I made PFDAVAdmin the topic of this week's UPDATE column,

Online maintenance explained thoroughly

Jeremy Kelly of Microsoft has a great post on online maintenance over at his blog. If you've ever wondered what happens during the online maintenance window, now you can find out.

Microsoft offers security bulletins in RSS Finally! You can sign up to get Microsoft security bulletins through RSS. Thanks, guys.

Journaling with Exchange 2003 white paper

During TechEd last week, Microsoft sneaked out a new white paper on Exchange 2003 journaling. It covers the new SP1 "envelope journaling" feature, as well as finally explaining where Exchange journaling doesn't work. It also, at long last, describes how to deploy journaling as part of an overall DCAR solution. Good stuff.

Think your password policy is too lax?

Check this out: for 15+ years, the permissive action link system that controlled US land-based nuclear missiles was set to (drum roll): all zeroes. Really. Yikes!

Help setting up Entourage 2004 with Exchange

Jeremy Reichman of the Rochester Institute of Technology has kindly collected a page of useful hints and FAQs related to using Entourage with RIT's Exchange environment. You should also definitely see the Entourage Help Page, which is chock full of useful info on Entourage 2004. If you don't read anything else, see the FAQ.

MSG381

Just landed in Cincinnati and checked my evals: 7.72. Comments were mostly favorable; a few "not technical enough" and one angry "Microsoft does too support our products" from a VERITAS product manager. However, that means that John humbled me decisively (his Word session racked up an 8.21!) In fact, I was just below the average score for messaging sessions this year. I've got to do better next time.

Update: with 108 evaluations out of a total of 522 attendees, my final score was 7.78. Since the overall for messaging sessions was 7.85, I'm still a little under the curve.

Random TechEd observations

• This year, the speaker shirts were color-coded so that MS employees and speakers had different colors. This is great, since it makes it much easier for attendees to find FTEs to bother question.
• A request from all those born and raised in the Southern tradition of good manners: please do not use, talk on, or answer your cell phone while you are in the bathroom. Thank you.
• The service at Dick's Last Resort is as bad as it's claimed. Unfortunately, the food is worse than reported.
• The speaker shirt is the first shirt I've ever owned with Spandex in it. It will, God willing, be the only shirt I ever own with Spandex.
• The San Diego airport has free WiFi service. I can get a signal sitting in my seat (6C) with the boarding door open, but it's intermittent and doesn't allow me to actually log on.

TechEd day 2 wrapup

First thing yesterday, John and I met for breakfast at Cafe 222, where I had some excellent pancakes. The food at the San Diego convention center is pretty good, but it's always nice to take a break from the HUGE CROWDS of people for which TechEd is justly famous, so we did.

I did a session and a half in the "Meet the Technologist" area yesterday, where I continued to be impressed with the level of questions we got. Lots of high-end, thoughtful technical questions, with very few of the howlers or RTFMs common in years past. The cabana idea has worked well, except when Navy SH-60s fly past outside.

Yesterday was my first spin through the exhibit hall. I got to meet with some folks from Quest/Aelita; they have an impressive line of management products that oddly doesn't seem to be well known. The Authentica folks have an interesting product that can do digital rights management protection at the email gateway and via a web service-- very cool stuff. I'll write more about that when I have time to dig into it more.

Interestingly, the two overwhelming giveaway items this year were Xboxes and iPods. Some group of companies was giving away a MINI Cooper, which is kind of neat (although not as cool as the Mercedes SLK that was given away at TechTarget's Enterprise Messaging Decisions show :)

Also on the show floor, I finally met John Osborn, executive editor at O'Reilly. We had a great discussion about Offfice development and books (which we extended later at the O'Reilly author party once JohnP got there). I'm hopeful that we'll be able to turn some of the cool content we did for the Fabrikam project into a book, or two, to help build up our Office dev branding.

In a few minutes, I'm heading back over to Cafe 222 for another stack of pancakes, then it's time to present MSG381 and fly to Cincinnati to rendezvous with my family. In the meantime, let it be known that JohnP's Word dev session yesterday is holding steady at an excellent 8.09/9.00 rating, which is going to be tough for me to beat. However, the folks I linked to last week are still ruling: Steve Riley's sessions have three of the top 10 slots, including an incredible 8.81! Go Steve!

Threat modeling tool released

Microsoft has released a nifty automated tool for building threat modeling documents for applications you develop.

It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.

This might seem to have low relevance for Exchange, but if you take a look at what's in these documents, you'll get a good jump start on understanding how to build a threat model for your network and deployed messaging applications (yes, even if you're using something besides Exchange).

TechEd Day 1 wrapup

I flew out to San Diego yesterday and got to the convention center about 45 minutes before my first session, a troubleshooting panel with Chris Nelson (from Microsoft's IT group), Karl Robinson of HP, and the legendary Paul Bowden. It was fun to share the stage with three knowledgeable people, and we got some good audience questions.

Next, I had a book signing, at which I sold three whole copies of my book. It was fun nonetheless; I got to spend some time chatting with the legendary Charlie Russel, with whom I've worked but who I've never met, Paul Cayley of the MS UNIX migration team, and Eldon Nelson from Microsoft Press. After that, it was off to the "Meet the Technologist" area (aka "Ask the Experts"). The place was mobbed! Erik Ashby was drawing a steady line of folks asking 5.5 migration questions, and there were lots of miscellaneous troubleshooting questions.

John and I got together for a short visit (wherein I learned that his first session outscored mine by about 0.5-- significant on a 1.0-9.0 scale!) before I headed out to the MVP dinner organized by KC Lemson at the Zocalo Grill. I had the good fortune to sit with Andy and Kim Webb, Andy David, Scott Schnoll, David Sapery, and Sue Hill (all MVPs, save Sue, who works on the Exchange User Education team), and there were a ton of other MVPs (including Sue Mosher, Diane Poremsky [at least it looked like her from the back], Chris Scharff of MessageOne. The product team was well-represented: KC and David Lemson, Ed Wu, Nicole Bonilla, and a few others were there. As a bonus, I finally got to meet Brandon Hoff, the MVP lead for Exchange; he and I have missed each other several times in Redmond, so it was good to finally shake his hand. The food was quite good, and the company was great. (Thanks, KC, for setting it up!)

Today I'm back in the Ask the Experts area for a while, but I should be able to actually attend some sessions-- more on that later.

Exchange Intelligent Message Filter released

Very cool news: the Exchange Intelligent Message Filter is out, and it's available at no cost to all Exchange 2003 customers. Microsoft had previously said they would only offer it to SA customers, which generated a lot of discontent. I'm glad to see them reversing their stance. Get the IMF here, and be sure to read the deployment guide. (Oh yeah-- Exchange 2003 SP1 is out, too).

Evan Dodds blogs about Exchange clustering

Very cool: Evan Dodds of Microsoft has a blog about (drum roll) Exchange clustering. You should only go there if you want actual factual technical information, though; you'll have to go somewhere else for $spin.

So, Evan, here's a clustering question: can I force all outbound SMTP traffic on a cluster to originate from the IP address of the cluster instead of one of the physical nodes therein?

First review posted

Happily, there's finally a review of Secure Messaging online at the Windows IT Library. My thanks to David Sengupta. (Now, if only Amazon would start posting the reviews that I know are queued up there...)

More detailed Entourage 2004 review John Welch is posting a long review of the entire Office 2004 suite. It's not done yet, but the first part-- which, conveniently, covers Entourage in depth-- is ready now.

The gauntlet is down

At the 2002 MEC, John and I were both presenting multiple sessions, and we had a little friendly competition to see who did better. (I honestly don't remember the results; I just remember how psyched he was at successfully evading the wrath of the demo gods). This year, he has a crushing four sessions, all deeply technical (BPR310 is "Office Developer: Programming XML Solutions", BPR311 is "Office Developer: Programming Word XML Solutions", BPRC14 is "Building High Performance InfoPath Solutions", while I have but one (MSG381,"Designing a High Availability Exchange 2003 Solution") , so I have somewhat of an advantage. Both of us have some hard work to do to catch the top guns from last year's TechEd, though.

Architect Road Rally

This sounds cool: a get-together for developers at the San Diego Automotive Museum. The big draw: remote-control racing, with trophies. I won't be there, since it's before I arrive, but I definitely think John should go.

Sigh... Ed's at it again. Rather than waste my time with a long rebuttal, let me just say this: I generally prefer to spend my time explaining technical things that help people understand Exchange better rather than pointing out shortcomings in competing products. I could go on at length about what's wrong with Notes and Domino, but why bother? So, it bothers me when Ed takes an explanatory technical article and twists it around in an attempt to make his competitive point, but hey, he's preaching to a choir of Notes admins, so I shouldn't be surprised. Well, OK, just one rebuttal point: since the column was on geoclustering, I didn't mention the many software replication products [e.g. DoubleTake] that are being used to provide geographically distributed DR without geoclustering; I also didn't mention ballpark hot dogs, '57 Chevrolet Bel Air coupes, or lots of other things that don't relate to geoclustering. Ed's guilty of claiming that there's no other way to solve the problem, which isn't what I said. These replication products have their own limitations, as does Domino replication, but they're not germane to a column on geoclustering, so I didn't mention them. Update: edited to fix a typo and to turn comments back on. Ecto sometimes randomly changes the "allow comments" and "format line breaks" flags between posts, and I don't always catch it.

Office 2004 Test Drive available

I've been using Office 2004 for Mac OS X for the last six months or so. It's awesome. Don't take my word for it; go get the 30-day "test drive" version and see for yourself.

Closed comments on old entries

It's fun to see people asking for help cracking Yahoo passwords, but enough's enough. I've closed comments on that article. (Side note: I seemed to get more than my fair share of people with Indian names asking for cracking services... odd.)

Entourage 2004 and Exchange FAQ I'm starting a topic for Entourage 2004 troubleshooting issues and FAQs, since I'm getting several dozen hits a day from Google on "Entourage 2004" and "Entourage 2004 Exchange". First, remember that there's an active Microsoft presence in the Entourage newsgroup, where some of this material is drawn from.

• If you're using Exchange 5.5, you can't use Entourage 2004 in Exchange mode. Exchange mode requires WebDAV, which is only supported by Exchange 2000 and Exchange 2003. You can still use IMAP for mail, but you won't be able to sync calendar and contact data with the server.
• If you don't know what server name to put into the "Public folder server" field, try the name of your Outlook Web Access server with "/public/" on the end of it.
• If your OWA requires you to use https:// to get to it, you'll need to check the "DAV service requires secure connection (SSL)" checkbox on the Advanced tab of the Exchange account properties dialog.
• Entourage 2004 can act as a delegate, but you have to use Outlook for Windows to set up delegate access. I plan to write an article explaining how to do this (in my spare time... bwahahaha).
• If you send a meeting invitation from Outlook, and it arrives as an .ics file in Entourage, the "Accept" and "Decline" buttons may not appear. This is because of a bug in Outlook, and the Entourage team knows about it already.
• Only the basic Contacts and Calendar folders are supported-- Entourage doesn't allow you to create subfolders of those folders, or to put contacts and calendar items in other folders elsewhere.
• You can't adjust server-side settings (including the "out of office" state or server-based rules) from Entourage; you'll need to use Outlook or OWA.

If there's a specific question you want answered, feel free to leave a comment here and I'll try to help you.

20 tips for securing Outlook

The fine folks over at SearchExchange (in collaboration with MS Press) have excerpted chapter 13 from Secure Messaging with Microsoft Exchange Server 2003-- that just happens to be the Outlook security chapter. Their excerpt, "20 Tips on Securing Outlook in 20 Minutes", is well worth reading. It includes information on how to set up Outlook to use Windows Rights Management (including info on how to create your own RM templates), as well as information on controlling S/MIME through GPO templates, and how to set up and use RPC-over-HTTPs. f you like the chapter, buy the whole thing!

Remember the giblets

Long-time Exchange developer Larry Osterman had a great blog entry today titled "Remember the Giblets". An excerpt:

“Giblets” are the pieces of software that you include in your product that you don’t always remember.  Like zlib, or LHA, or MSXML, or the C runtime library. Whenever you ship code, you need to consider what your response strategy is when a security hole occurs in your giblets.  Do you even have a strategy?  Are you monitoring all the security mailing lists (bugtraq, ntbugtraq) daily?  Are you signed up for security announcements from the creator of your giblets?  Are you prepared to offer a security update for your product when a problem is found in one of your giblets?  How do your customers know what giblets your application includes?

As administrators, how much do you know about the giblets on your servers? Are you paying attention to them, or only to the big chunks (like Exchange or SQL Server)?

Off to EMD

I'm speaking today at Enterprise Messaging Decisions 2004. This is actually my first day trip in a while. When I lived in Huntsville, it was possible to fly out at 0530 or 0630, change planes in Atlanta, and make it to pretty much anywhere by noon-- enough time for a meeting or presentation-- and then get home again around 11pm. In Toledo, that's just not happening because of Delta's flight schedule ex Cincinnati. So, since EMD is in Chicago, I'm going to drive-- should be fun. Here's the slide deck.

Sasser on the loose

There's a new Windows worm: W32.sasser. It exploits a vulnerability in the Local Security Authority (LSASS.exe) service; the vuln was fixed by the MS04-011 patch. The original MS bulletin and patch were issued on 4/13, and the MS alert on Sasser was released on 5/1, so you can see the gap between patch and exploit is getting shorter. I'm sure all of you out there have already patched your systems, but tell a friend: install patches when they're released.

Anecdote: on Saturday, 5/1, Delta Airlines had a little dispatch problem that resulted in all their flights out of Atlanta being grounded for almost seven hours. The problem appears to have been with the airport computers used to calculate weight and balance according to FAA specs. One passenger on an affected flight reports that the flight crew attributed the delay to the "Mayday virus". I wonder what the real cause was?

Update: this WSJ article's last paragraph mentions Delta, Goldman Sachs, and JP Morgan Chase as companies affected; it also says that a Delta spokesman wouldn't say whether Sasser was to blame.

MSG381 TechEd deck posted

Well, it's only two weeks late, but hey, who's counting? (Besides the speaker manager at Microsoft, of course!) The first draft of my deck for MSG381, Designing High-Availability Exchange Solutions, is now available here. If you're coming to TechEd, the session is Thursday at 8:30-- stop by and say hello!

Update: Andy Webb was kind enough to point out a bad link, which is now fixed.

Fire suppression

It doesn't matter how secure your server is if it's on fire. The other Scoble has two good posts that describe the current state of the art in fire-suppression systems: here and here. This is actually something I talk about in Chapter 5 (physical &operational security), even though most of us are stuck with whatever physical plant is already in the building. Interestingly, one commenter mentioned pre-action sprinkler systems, which use water but which aren't activated without both heat and smoke alarms. (And hey, the inert suppression gas of choice is Inergen, not "Innergen".)

Entourage 2004 RTMs

Entourage 2004 has been released to manufacturing, so I can now talk about it. I've been working with it for the last several months, and it's a great piece of work. I'm working on a long article on it for Exchange & Outlook Administrator, but in the meantime, you might be able to try it for free. What? It's true. If you have valid Exchange CALs for your users, you're able to use Entourage as a client. See this "how to buy" page for more details (but don't ask me where you're supposed to get the bits, because I don't know!)

E2K3 Routing and Transport Guide

I needed to look up a piece of trivia on the Exchange routing engine for the cookbook, and after a little Googling I found this gem: the Exchange Server 2003 Transport and Routing Guide. I'm not sure how I missed it before, but it's quite comprehensive. Recommended reading if you want a better understanding of how the transport core works. In particular, its description of how the various connection filtering pieces work together is almost as good as what I wrote in Chapter 8 :)

Exchange 2003 support comes to Windows Storage Server

Microsoft's finally taken the lid off a very, very cool addition to their product line: the Feature Pack for Windows Storage Server allows you to put your Exchange 2003 databases on a Windows Storage Server NAS box. There are some limitations: this approach is designed to handle up to 1500 concurrent users, and it requires good network connectivity between the Exchange server and the Windows Storage Server. However, it's a real, live, supported-by-PSS solution that can potentially deliver SAN-scale performance to organizations that can't afford Fibre Channel SANs. Check it out.

TechEd BOF

If you've been around the Internet for a while, you've probably heard of BOF, or "birds of a feather" sessions. BOFs are informal meetings held in parallel with conferences like LISA and regularly scheduled meetings like the IETF conferences. The International .NET Association is coordinating the process of setting up a series of BOFs for TechEd 2004. The cool thing about these sessions is that the BOF topics are proposed by TechEd attendees. Their content isn't driven by MS, or anyone else besides the people in the room. They're not presentations-- they're an opportunity for people with related interests, whatever they are, to get together and hang out for an hour. The MS TechEd staff is encouraging speakers to encourage "their" communities to propose BOFs here. There are tons of potential topics for Exchange, including security, anti-spam, job hunting, mobility, Notes migration, Exchange 2003 SP1... the list goes on. Let the INETA folks know what you'd like to see.

TechEdBloggers.net goes live

TechEdBloggers.net is back again this year. I enjoyed last year's edition; it was cool to see TechEd through the perspective of other speakers and attendees, especially folks who got to go to some of the many sessions I missed out on. To keep things simple, I'm going to post all of my TechEd-related stuff here, not on my personal blog.

I'm currently scheduled for two sessions: a troubleshooting panel discussion and a session on building high-availability Exchange 2003 deployments. Should be fun!

ExchangeFAQ.org relaunches

In 2000, I built a site of Exchange FAQs, driven by a (primitive) set of PHP scripts and a MySQL database. It mostly languished, because I didn't take on the extra effort of keeping it up to date. Meanwhile, Andy Webb and a crew of Exchange MVPs had created a good set of Exchange 2000 and Exchange 2003 FAQs. So, I gave andy the ExchangeFAQ.org domain name, and his new rendition of the site is now live. It looks great.

Still more on iSCSI and Exchange

I just can't help myself sometimes: I am a serial columnist. (Groan. Hey, at least I didn't make a pun on serial-ATA…)

Last week's Exchange UPDATE column was an update to my previous column on iSCSI and Exchange; I'd already blogged about the change, but the column has some additional material, including a discussion of MS' KB article describing support boundaries for NAS/SAN devices with Exchange 2003.

Windows &.NET Magazine adds RSS feeds This is really cool: Windows &.NET Magazine now has a page of RSS feeds. The Exchange feed is my favorite. Update: the feeds occasionally time out, and they seem to only have five items in each category. They also don't include the Exchange UPDATE newsletter. Dang. Update again: the Exchange feed hasn't been updated since my original post, which I take as a bad sign. I've emailed my editors to see what's up.

More on iSCSI and Exchange

My column this week (which I can't link to right now, thanks to a bug at the Windows &.NET web site) was on iSCSI and Exchange. A helpful MS PR person wrote to point out an error: there's not actually a separate "certified for Exchange logo". If an iSCSI device has the "Designed for Windows" logo, it's supported for use with Exchange.

Update: it turns out that the Windows Catalog uses the "Designed for Windows XP" logo for iSCSI devices. Even though the column, and the press release which inspired it, talk about the "Designed for Windows" logo, those products listed in the catalog are certified for use with Exchange 2003.

From Microsoft to stand-up

Scott Oseychik, formerly of Microsoft's customer problem response team, has moved on to new things: he's now a stand-up comedian. No, really. I have no idea if he's funny or not, but he was very helpful in explaining the intricacies of the Exchange 2000 and 2003 transport engines when I was writing about them. I wish him luck (and I'll go see him if he's in Detroit, Toledo, or the surrounding area!)

Work for the Exchange team

Want a job working for the Exchange team in Redmond? They're having a hiring spree fair in late April in Seattle. See the jobsblog or send your resume here.

Banning social software in the workplace

I wrote about a security problem with Plaxo a couple of weeks ago. It's since been fixed, but now I'm starting to hear that companies are barring their employees from using Plaxo, LinkedIn, and other social software. Why? Several reasons. The biggest seems to be that these services enable wholesale exporting of your contact database, which makes it easy for you to find out which of your existing contacts already use the service. This has two problems, though. First, it runs afoul of European Union data privacy laws; many multinational companies in the US have already been working hard to make their internal operations conform to EU regulations because they have EU operations and employees who live and work in the EU. Microsoft, AT&T, General Motors, and American Express come to mind. The other reason, of course, is that companies don't like the idea of a third party getting unrestricted access to a significant portion of their internal contact data. Imagine the bonanza for a clever Sun salesman who managed to steal all of the contact data for an IBM sales rep, for example. This is precisely why very few companies expose even shadow copies of their master directories to the outside world: there's too much risk in doing so, and the reward is fairly limited.

Will these bans work? Beats me. Services like LinkedIn and Plaxo have to reach a certain degree of critical mass before they become useful, but it's difficult to see how such bans can be efficiently enforced. Interestingly, the one ban I've actually seen in written form doesn't say anything about "personal" social software like Orkut and Friendster.

It's shipping!

Secure Messaging with Exchange Server 2003 is now in stock at Amazon. It doesn't look like anyone's actually bought it yet, but hey, you can't have everything. Update: the book has now attained the stratospheric Amazon sales rank of 92,218, despite its being paired as a bundle with Jerry Cochran's excellent Mission-Critical Microsoft Exchange 2003 for only $70. Sigh.

MS announces NAS & iSCSI support for Exchange

In a press release today, Microsoft announced that they'll be supporting iSCSI and NAS devices for Exchange. The PR doesn't mention any specific devices or vendors, merely that devices that are logo-qualified for the Designed for Windows logo will be supported. We'll have to wait and see what "supported" means in this context.

Exchange Edge Services

Last week, my column was on the forthcoming Exchange Edge Services product. Microsoft hasn't said much about it publicly yet, but it's pretty clear that they have two goals: provide a hardened subset of Exchange functionality for use on the edge, and displace Sendmail/postfix/qmail in shops that have Exchange at the core but not at the edge. Whether they succeed or not will have a lot to do with how they position Edge's capabilities. Personally, I'm really excited about the prospect of being able to build my own services using managed .NET code-- that approach offers a lot of potential over the current event sink model.

DoJ computer forensics guide The US Department of Justice has an interesting guide to computer forensics, titled Electronic Crime Scene Investigation: A Guide for First Responders. From the abstract:

Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This NIJ Guide (NCJ 187736) is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence.

For experienced admins, there's not much new here, but it's a good overview of different classes of devices and some of the forensic concerns surrounding them. One question I'm often asked when I teach is whether forensic recovery is important. The answer is a little surprising. CERT, Microsoft, and SANS all recommend flattening a machine that you know or suspect has been compromised. Why? It's very difficult to be sure that it's clean even after you clean it. For a simple compromise like Blaster or Slammer, it's easy to remove the executable, but there are much more sophisticated tools that aren't easily removed (or detected, for that matter), thus the flattening recommendation. However, as soon as you erase the disk, guess what? You'll lose much of the forensic information that you might want to help identify the scope and source of the compromise. This is critical if you want to get help from law enforcement, since there are standards of evidence that must be maintained in order to successfully prosecute an attacker. That's why most forensic investigations begin by unplugging the suspect machine and cloning its data using a tool like Encase, which is approved as a method of gathering admissible evidence (Ghost, for example, works fine but its copies aren't generally accepted as "pure" evidence). However, if all you care about is quickly getting the compromised machine back in service, flattening it is obviously the way to go. Deb Shinder's excellent book Scene of the Cybercrimediscusses forensics in more detail, and I recommend it if you're interested in the field.

Exchange 2003 Security Operations Guide Microsoft's released the Exchange 2003 Security Hardening Guide, which is basically the Exchange 2003 remix of the well-received Exchange 2000 Security Operations Guide. Like its predecessor, it's meant to be used in conjunction with the Windows 2000 or Windows Server 2003 hardening guides. The Exchange guides provide a set of security templates that can be applied to automatically harden Exchange 2003 servers; it also provides prescriptive guidance on protecting against viruses, spam, and DoS attacks. Of course, it's no substitute for a good book on security :)

Exchange and Software Assurance

[meta-note: there's no real security tie-in, but I've decided to post links to the weekly column I write for Windows & .NET Magazine. That at least guarantees fresh content here every Monday!]

This week's column focuses on Microsoft's Software Assurance (SA) licensing, how it works, and why Microsoft is (currently) making the Exchange Intelligent Message Filter available only to SA subscribers.

Late last week, Microsoft made an announcement that has many Exchange Server administrators fuming. The new Exchange Intelligent Message Filter, expected to ship later this year, will be available only to customers enrolled in Microsoft's Software Assurance (SA) program. On the face of it, this decision might seem shortsighted on Microsoft's part; after all, wouldn't the company want to sell its products to anyone who wants to buy them? However, from a long-term strategic point, the decision makes good sense for customers and for Microsoft.

Sig Weber's blog Sigfried Weber (Exchange MVP, developer par excellence, and gracious host) finally has his own blog. For his most recent trick, he's made SharePoint emit properly formed RSS. Drop by his site and say hello!

A little housekeeping In honor of the March 17 release date for Secure Messaging with Exchange Server 2003, I've done a little housecleaning. The Exchange 2000 version is still available, so I've tried to update the links in the right column so that they correctly point to the appropriate book. I'll be posting sample chapters as soon as I can get MS Press to send them to me; ditto the TOC and index.

Moving sale: cheap books

This is really an "I'm tired of moving" sale. When I signed to do Secure Messaging with Exchange 2000, I asked MS Press for 50 author copies-- 10 is normal. I figured that I'd have lots of copies to send out for review, give to customers, etc. However, I just cleaned up my office and found two boxes of books-- and any day now, UPS is going to bring me my author copies of the Exchange 2003 version. That means that the E2K versions must gooooo!

So, here's the deal: $20 buys you your own brand-new, signed copy; that's $15 less than Amazon. For $25, I won't sign it :) Email paul AT robichaux DOT net if you're interested. Remember, these make great gifts for Valentine's Day.

A fun game

Thanks to my friends at Lotus, I've discovered a fun diversion to while away the afternoon. Anyone can play! Here's how:

1. Go to this page
   
2. Sign up for a trial Domino Web Access account
   
3. Try to send a message to an external SMTP user
   
4. Get an error message
   
5. Lather. Rinse. Repeat.
   

Update: This works properly now, and Domino Web Access is actually pretty impressive as a web client. I'd really like to see a neutral evaluation of DWA against OWA from the standpoint of an average user's ability to discover and use its features.

MS releases guide to using recovery storage groups

Microsoft's Exchange user documentation team has done it again. they just released a 101-page document convering the details of how recovery storage groups work, what you can do with them, and how to use them to speed up disaster recovery. It's available here. The abstract:

Using the recovery storage group feature in Exchange Server 2003, you can mount a second copy of an Exchange mailbox database on the same server as the original database, or on any other Exchange server in the same Exchange administrative group. You can do this while the original database is still running and serving clients. The recovery storage group can also be useful in disaster recovery scenarios. This book provides information on how to determine if a recovery storage group is useful in your deployment, how to set up a recovery storage group, and how to troubleshoot common problems.

Even though this doesn't have anything overt to do with security, it has a lot to do with availability, and that's actually a component of security: security is about preserving your access to your data, and if you can't get that data because of a failure, it doesn't matter how secure it is.

It's in pages!

Major milestone alert: the Exchange 2003 book is in pages. What that means is that the editors and page layout folks at MS Press have turned the original lightly-formatted Word files (and accompanying screen shots and napkin-drawn line art) into camera-ready pages. Barring any major mishaps, that means that the book's insides are ready to print. The cover's already been designed (see it on Amazon), so that means that with a little luck the book's ready to be printed!

And speaking of pages: I've set up Yet Another Blog, this one focused on the Exchange Cookbook I'm writing with Missy Koslosky and Devin Ganger. Check it out.

Alain Lissoir has a blog

Alain Lissoir, who probably knows more about Exchange scripting than anyone I know, has a blog of sorts. It's mostly a list of his publications, but it's still very useful if you want to know how to script Exchange or Windows using WMI, CDOEX, or CDOEXM.

It's done!

The book is done! (Cue sound of cheering... all coming from my family!) I'm still waiting on the chapter on legal issues to be completed, but since I'm not writing it, I don't count it against my total. Bio, dedication, acknowledgements, and all chapters are in MS Press' hands.

In related news, Amazon finally has a page so you can preorder the book (hint, hint). When time permits, I'll update the sidebar links here to point to both the E2K and E2K3 books.

ExIMF changes for the book

I'm facing a conundrum. The book must be finished by 12/31. Although I have early access to the Exchange Intelligent Message Filter, if I write about it now it's likely to change before the book hits the shelf; this is obviously bad. What I've decided to do is mention it in the book, limiting myself to talking about what's already been publicly disclosed by MS. Then I'll write some material that describes it in more detail. That material will appear here, either as a bonus chapter for folks who buy the 2003 book or as a separate e-book. That way I can provide fresh material without getting in trouble with the PMs for the IMF or slipping the book any further.

Book progress

There are twenty chapters and three appendices. The first fifteen chapters (plus two appendices) have been written and submitted; several have already come back for author review. Of the remaining material, there are two new chapters written by contributors (one on archiving by Joshua Konkle of KVS, one on legal issues by Jay Friedman of Piper Rudnick) on the way, one revised chapter, and two new chapters (including one on Outlook Mobile Access/Exchange ActiveSync security issues) that I still have to write. Deadline: 12/31. Wish me luck!

Quarantine! Get yer quarantine here!

I managed to miss this, but Microsoft Press has a book out on VPN deployment with Windows Server 2003: Deploying Virtual Private Networks with Microsoft Windows Server 2003 Technical Reference. I haven't read it yet, but it was written by two Microsoft PMs (including the guy who owns the network quarantine feature), so I expect it's pretty good. Network quarantine is an interesting feature, but no one seems to really understand how to make it work. I've asked my editors for a courtesy copy and will post a review once it arrives and I read it.

Integrate Apple's iCal and Exchange

Technically this has nothing to do with security, but it's cool: Snerdware's GroupCal lets you see and share calendar information between Exchange 2000/2003 servers and iCal users. This essentially makes iCal act just like Outlook's native calendar client. I haven't tried it yet, but I'm about to install it on my wife's iMac and we'll see how it works.

Using Gzip with Exchange 2003? Get this patch

From KB 831464:

n Microsoft Windows Server 2003 running Microsoft Internet Information Services (IIS) 6.0, static files that are compressed using gzip may become corrupted and may include content from other files on the Web server. If this behavior occurs, the page that is returned to the client is not rendered correctly. An access violation may also occur.

Translation: if you turn on Gzip compression for use with OWA 2003, your IIS server may get hosed. This patch fixes the problem.

Aelita releases CDO fix tool

I had a nice meeting with some technical folks from Aelita this morning. Among other things, I learned that they've released a free tool to help automate finding and fixing the CDO heap corruption problem (described in KB article 823343) that can occur when Outlook 2003 clients access mailboxes that are later used by CDO-based utilities or tools.

Mac OS X 10.3 and Exchange

Over on the other blog I discuss some pitfalls in getting Panther to synchronize contacts with Exchange 2000/2003 via WebDAV. It mostly works...

Book progress

I've just turned in the first 10 chapters of Secure Messaging with Exchange 2003. That means I'm halfway done. The current milestone date for 100% completion is 12/15, which would put the book on store shelves in late February, just about a year after the first book.

Retention policy? What retention policy?

This is what happens when you don't have an appropriate retention policy:

A little browsing and up pops a piece of e-mail from an Enron employee complaining about a mother-in-law: "the most selfish person on Earth." Another contains decades-old photos of former chief executive Jeffrey K. Skilling, sent him by his Beta Theta Pi fraternity brothers. A piece of e-mail written by a woman in Portland, Ore., asks an Enron energy trader, "So ... you were looking for a one night stand after all ...?"

The complete database is here. Don't let this happen to you!

New Blueprints edition

Evan Marcus and Hal Stern wrote the best introductory book on high availability, Blueprints for High Availability, back in 1999. It's an easy-to-read but detailed explanation of how to design and plan HA systems. I just found out today that they have a new second edition, just published. If you care about designing reliable, redundant, or resilient systems, get this book.

Excellent Exchange-related blog

While perusing the PVRBlog, I came across an excellent Exchange blog maintained by William Lefkovics, Neil Hobson, and Chris Meirick. It has a ton of good content and is more regularly maintained than my site. It now has pride of place in my RSS aggregator. Keep up the good work, guys!

Book update

I haven't been working on the book much lately. The first 9 chapters are done, leaving me with 13 more to either revise or write from scratch (plus one that's being written by a Real Live Attorney). However, I've been so busy with work (including a really cool Exchange planning guide for the MSA series) that I haven't had any spare time to work on it. If you doubt me, consider this: I haven't even turned on the Xbox in two weeks, so you know I must be busy. It now looks like the book will ship sometime after the first of the new year, or about a year after the first version.

InstantSSL for certs

I recently needed a new SSL server certificate, and I didn't want to pay the monopolists (wipe that smile off your face, I'm talking about these guys) an exorbitant fee. Instead, I found InstantSSL, where for a paltry $199 I got a three-year 128-bit certificate. Their administration site and ordering process are well-tuned, and I was able to get quick technical support immediately when I ran into a minor snag. If you need a cert (and you will, if you're enabling RPC-over-HTTP or Outlook Mobile Access), give these folks a try.

SPEWS/Osirusoft RBL goes away

According to this Slashdot article, the SPEWS real-time block list is no longer operational. A comment-free version of the same basic story is here. The article points to a lot of discussion on news.admin.net-abuse.email, too, which amkes for interesting reading. Osirusoft shut down SPEWS after being the target of an ongoing distributed-denial-of-service (DDos) attack. The manner in which it was shut down caused lots of bounces (including for my friend Bob Thompson and Kent State University, among others). The problem is that when Joe Jared, Osirusoft operator, shut down his service, he did so by telling the server to blacklist every IP address. Sites that rely solely on SPEWS thus dropped all their incoming mail on the floor.

What does this mean to you, the Exchange administrator? As Andy Lester points out, outsourcing your spam protection completely to a third party puts your mail service at the mercy of that third party. Exchange 2003 includes RBL support, and it's a useful adjunct to heuristic or keyword-based filters. However, RBLs themselves don't provide a complete solution, and you should choose your RBL provider carefully to make sure that a) they provide support for their service and b) they have the resources to stick out this kind of attack.

Exchange 2003 tools center

Microsoft maintains a download page with lots of nifty tools for Exchange 2003. For example, the Archive Sink (which I talk about in ch 9 of the new book) is there, as is ExMerge and a utility for programmatically setting the allow/deny IP list on SMTP virtual servers. Check it out-- most of the tools are for Exchange 2000 and 2003, but a few (like MDBVU32) are useful for any version of Exchange.

Now hiring?

We interrupt our regular security discussions to bring you this news bulletin: America's health insurance situation sucks. While I can't reform it on my own, I can ask you loyal readers to help find a full-time job for a smart, experienced programmer who just happens to need insurance for his ill son. Brad Choate, legendary MT plugin guy, is even offering a reward: a free Xbox, PS2, or Gamecube. Details here, or Brad's original post here.

Physical security on my mind

I've been thinking about physical security a lot, mostly because I happen to be revising chapter 5. Take a minute right now to look around and see whether your physical security procedures are adequate. Could someone easily walk off with a server? (If someone can steal a DC, they can 0wn you totally, basically forever). Do you have adequate environmental protections-- power conditioning? heating/cooling? fire warning & suppression? I could write on and on about this, but I bet that if you spend a few minutes thinking about your environment you'll see what you need to do to improve it, probably at very low cost. The US Army's Field Manual 3-19.30 has some interesting thoughts that may help you.

MS launches "trial size" Outlook Web Access

This is really cool: as part of the Exchange Server 2003 RTM, Microsoft is passing out 7-day trial OWA accounts. This is a great idea for two reasons: it gives MS a chance to further dogfood OWA in xSP-scale deployments, and it gives those who don't have immediate plans to migrate to Exchange 2003 a taste of what the new OWA looks like. Sign up here.

Exchange 2003 RTMs
RTM for Exchange Server 2003 is today, June 30th. That means that the product will be available very, very soon for most customers, depending on your license plan:

• Availability for Select licensing customers is August 1st
• Availability for Open licensing customers is also August 1st.
• Retail availability depends on the availability of Outlook Standard 2003. that means for English versions, you should see the CD in stores mid-September; other languages will follow, although I don't have exact dates.

Evaluation versions will be available for download or purchase on CD after noon Pacific time today.

The great spam-off, part 4: more SurfControl

So, SurfControl has been in place for the last five days. It has a fairly sophisticated set of tools, but with a much more approachable interface than Praetor. I've been using three rules: one screens out malformed MIME messages, one blocks messages with high dictionary scores (according to the spam dictionary that ships with the product), and one blocks messages that are on the collaborative filtering list that SurfControl maintains.

So far, the combination is working reasonably. There are still too many uncaught spams slipping through, largely of the variety that consist only of images (I added a rule for "Please wait while this email loads"; I bet that'll catch a bunch of them). More troubling is the rules service's tendency to abruptly stop processing inbound messages-- so far, I've gotten three or four messages from Microsoft that have choked the rules service. I have a call in to SurfControl tech support, so we'll see how competent they are at diagnosing and fixing the problem.

Update: the problem that caused MailMarshal SurfControl to choke on inbound messages was quickly identified. They fixed it in a patch, and their tech support was very helpful in answering some questions I had about the way the product worked. (Originally I'd typed "MailMarshal" in the above; to clarify, I haven't had to call MailMarshal support so far.)

The great spam-off, part 5: MailMarshal

SurfControl finally bit the dust; its eval period expired, so I knew it was time to try something else. SurfControl is a decent product; my big complaint was that its "Anti-Spam Agent" (a collaborative filtering tool that requires you to download updates from SurfControl) wasn't catching much. Turns out that was due to SurfControl's failure to allow eval customers to get the updates.

As I type this, MailMarshal SMTP is installing. It has a good reputation, so I'm eager to see how it stacks up against the others I've been testing. In the meantime, I have inbound SMTP queueing up for filtering, so MailMarshal should have a fertile set of messages to start with.

Update: Wow. MailMarshal has caught something like 99.2% of the inbound spam so far. I'm very impressed.

Update again: over a five-day test period, MailMarshal flagged 362 messages as spam. 49 (13.6%) of those were actually legitimate messages, most of which should have been allowed through by the "friendly listserver" and "friendly senders" features. None of these messages were critical, and frankly, many of them should probably be considered as spam. During the same time period, I only got *two* real spams. A number of legitimate messages (including some from our customers at MS and from the ntbugtraq mailing list) were flagged because they triggered the double-extension filter (like "document-1.0.5-pk.doc") or because they contained JavaScript. I appreciate the protection, but it's been a bit of a hassle.

I'm impressed with MailMarshal's efficacy, but its reporting tools don't seem to be as good as the ones in SurfControl (which tells you at a glance how long it's been up, how many messages were flagged as spam, and how many passed through.)

Update: Carrie Ward of NetIQ was kind enough to send me pricing info on MailMarshal:

NetIQ MailMarshal 5.5 SMTP is priced by the number of users in an organization and is available as a small business server license for up to
75 users for $1,295 or as an Enterprise version including a four-server license for $2,000 plus $750 per 100 users.

Did they do it?

Here's an interesting article: Foundstone is accused of piracy, being buttheads, and probably mopery on the high seas. Interestingly, the article also claims that Microsoft dropped Foundstone as a vendor shortly after the problems came to light.

New denial-of-service attacks

This is fascinating. Two folks at Rice's computer science department have written a paper about algorithmic complexity attacks. The basic idea is that an attacker who knows how a program processes input can overwhelm it by choosing patterns of data, or data with specific contents-- not the typical DoS caused by flooding. Here's the abstract:

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have ``average-case'' expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.

TechEd 2003 right around the corner TechEd 2003 is right around the corner. In addition to my session, there are a number of other useful sessions that security-minded folks should consider:

• Mortimore, SEC301, Best Practices for Security and Patch Management (Arena, Monday, 1330-1445)
• Attwell, MSG328, Reducing Spam with Exchange Server 2003 and Outlook 2003 (Ballroom C1/2, Tuesday, 1045-1200)
• Riley, SEC304, Enhancing Exchange, OWA, and IIS Security with ISA Server Feature Pack 1 (Arena, Tuesday, 1045-1200)
• Morris, MSG329, Controlling Viruses with Exchange Server and Outlook (D171/D173, Thursday, 1700-1815)
• Riley, SEC499, IPSec Internals and Implementation Examples (Arena, Friday, 1300-1415)
• Batthish, MSG345, Deploying OWA and FE/BE Topologies for Client Access (Ballroom C1/2, Thursday, 1330-1445)
• Riley, MSG308, Secure Access to Exchange From the Internet (Ballroom C1/2, Wednesday, 1700-1815)

I won't be able to attend all of these, but I always make it a point to hit Steve Riley's presentations, and if you're interested in baseline security and patch management, Mark Mortimore's session is a must-attend too.

TechEd's just around the corner...

TechEd is just around the corner, and I've been invited to give a security session.

SEC306 Secure Messaging and Communications with Exchange Server

This session delivers the critical information that Exchange administrators, security architects, and messaging designers need to understand to protect their Exchange systems. Protecting your organization from malicious content, and misuse of messaging communications is becoming ever more critical as we depend on our messaging systems to provide anytime, anywhere access from a wide variety of devices. If you are serious about secure messaging and communications, you must attend this session. This session will focus on security updates in Exchange 2003 including relay restrictions, OWA security improvements, authenticated and restricted DLs, improved AV & Anti-spam features, and RPC-over-HTTP. Key security concepts for Exchange 2000 and Exchange 5.5 will also be summarized. Come in, sit down, and hold on tight for this fast-paced and demo-packed presentation.

The great spam-off, part 3: Enter the Praetor

The next product on my evaluation list is CMS' Praetor. My initial impression is that this is a complex, full-featured product, and it's expensive, too. (The fact that CMS is offering a 30% discount if you're using a competing product helps reduce the sting somewhat.) It supports X- headers for filtering and has a range of quarantine options. However, I'm not crazy about three aspects of the product:

• it doesn't use the Windows Installer, and its custom installer doesn't bother to check for existing SMTP services on a machine
  
• it has its own separate administration program (which apparently can't be installed on any machine other than the one running Praetor-- so much for remote administration)
  
• it doesn't integrate directly with Exchange. Although CMS says you can run it on your Exchange server, they seem to recommend running it on a separate box, so that's what I'm doing. It didn't coexist well with ISA in my very limited testing, so for now it's on a separate machine.
  

I'm also not too impressed with the documentation; while it is complete, it's formatted using the old "ransom note" style template, and it's a reference. For a product this complex, a task-oriented doc would be much more useful.

The great spam-off, part 2

MailEssentials has been running for the last week or so. After a little experimentation, I discovered that it wasn't catching spam because I'm an idiot. I hadn't specified any SMTP domains as inbound, so ME was looking for spam sent to *@robichaux.local-- since robichaux.net and 3sharp.com are the domains I use, it wasn't catching anything. After I fixed that, it began behaving as expected. However, its lack of a way to add subject tags to indicate spam means that I have to route all suspected spam to a public folder-- where E2K turns it into an IPM.Post item, so it loses its original addressee information. Redirecting all the spam to a single mailbox works, but that raises the question of how to redirect it; the only way I can see to do it is with a script that adds a spam tag to the subject and redirects the message. That's more trouble than I'm willing to go to for this product. In GFI's favor, their product installs and uninstalls cleanly, it's stable, and it has good documentation. However, it's time to try something else.

UPDATE: GFI support confirms that their product doesn't allow subject rewriting, and they're not likely to add it.

The great spam-off, part 1

So, I finally decided that the volume of spam on my servers had grown past my ability to tolerate. I decided to hold a spam-off by testing several well-known products and reporting the results here. My critieria are simple if unscientific: whichever product gives the best price/performance/usability ratio wins.

I started with GFI MailEssentials, which has been widely praised in a variety of places. It downloaded and installed easily (great installer), but after three days, it hasn't caught any spam, at least according to its own logs! It doesn't offer a way to quarantine spam into a public folder, and there's no way to mark a message as suspected spam. Other than that, it's great :) I'll post an update after I check with their technical support; I can see that the event sink is working because some messages from hosts on the ORBS RBL have been NDR'd (at least according to the logs).

Run E2K admin tools on WinXP

Hallejulah! Microsoft has released a patch that allows the Exchange System Manager tool to run on Windows XP. As it turns out, getting this done took a lot of work from several product teams at Microsoft. Good for them-- this is a welcome, if overdue, release.

TechNet chat: Using ISA Server to Securely Publish Exchange Server

TechNet is sponsoring yet another Exchange security chat, this one with folks from the ISA Server product team. April 9, from 1200-1300 EST / 0900-1000 PST / 1600-1700 GMT.

TechNet chats: wireless & Exchange security

Two more security-related TechNet chats to announce this week:

• Wireless security (March 5, 1000 PST/1300 EST/1800 GMT). Are you thinking about setting up a wireless network at the office? At home? If so, you won't want to miss this chat. We can answer questions about how to control who accesses your network, WEP, and integration with Windows. (Attend the web cast immediately prior to this chat for additional information on wireless security.)


• Exchange security (March 5, 0700 PST/1000 EST/1500 GMT) Come and ask your questions relating to Exchange Security. Questions can range from email virus protection to encryption to OWA configurations. Come test your questions against skilled Microsoft Technology Specialists.

Securing Exchange with ISA Server

Sure, you could read my book; if you really wanted the straight scoop, you could buy Shinder's ISA book, which has a wealth of ISA-specific information. You could also read this free article from SecurityFocus to help you get started.

MEC? TechEd? MEC Ed?

The always-subtle Kim Cameron-Webb came up with "MEC Ed" as the new name for this year's TechEd conference; for the first time, its content is being combined with the MEC of yore. Dallas in June? I'll be there. Sign up now and get a $400 discount.

Early spring cleaning

I've made a couple of minor changes to the site. First, you'll notice that the dorky-looking Amazon blob is gone from the right side bar. No one was clicking on it anyway. Second, there's a new form for signing up for the goodies mailing list-- I've moved from pairlist to Topica's paid publishing service, which means that all y'all will finally have a real interface for subscribing and unsubscribing.

The new phone book is here

My wife's voice floated down the stairwell, jolting me away from my exciting task of filling out a matrix showing how OCS compares to Exchange. "Honey, the FedEx man left about a dozen packages on the front porch!"

Now, you have to understand that the arrival of the FedEx lady at our house is always a time of celebration. The best times are when she unexpectedly brings some kind of goodie, like a piece of review hardware. Next-best are when she brings something I've been anticipating, like salmon chowder or a copy of iLife. (I'll have to tell y'all about the 50 pounds of candy some other time). When I grabbed the boxes to bring them in, I was greeted by a curious sight on the address label: "AOL Time Warner Book Group".

This worried me; I was briefly afraid that I was the victim of a drive-by AOL CD dropoff. A glance at the side of the box, though, revealed that the boxes contained my author copies of the book! O joy! Sure enough, when I opened the first box, two copies were staring right out at me. That means that my contributing editors and reviewers will be getting copies over the next few days; the rest of you, alas, may have to actually buy it.

Two new Microsoft webcasts

Microsoft has two upcoming webcasts that may be of interest to all you Titanium-watchers out there.

The first one, on 2/12 at 1000 PST, covers Exchange 2003 deployment methodologies. The second, on 2/20 at 1000 PST, covers Exchange security. The TechNet chat summary page lets you get reminders, add the chats to your Outlook calendar, or spam your friends with reminders. See you there!

The seven seals

The US Navy has helpfully posted a guide to tamper-resistant seals. What does this have to do with Exchange? Basically nothing. However, it's still cool, and it offers some interesting insight into how high-value assets can be physically protected against tampering. In particular, chapter 2 ("The Theory of Effective Sealing") has a lot of good attitudinal information that's worth reading if you're a computer security person.

Sample chapters, TOC, and introduction

MS Press still doesn't have the book's page completely put together, but so what: now I have my own samples. You can see them in the nav bar on the right-hand side of this page, or you can get them here:

• Table of contents: this gives a very detailed look at what's in each chapter.


• Introduction: if you're not table-driven (sorry, programmer humor), check out this more readable and condensed explanation of what's in the book


• Chapter 3: Windows and Exchange Security Architecture: this chapter explains the fundamentals of Exchange's security architecture, including what it uses Windows services for.


• Chapter 4: Risk and Threat Assessment: read this chapter for a new perspective on risks and threats (oddly, it's the perspective that professional risk assessors use...)


• Chapter 8: SMTP Relaying and Spam Control
: read this chapter to learn how to control SMTP relaying and how to restrict spam on your servers (hint: buy a third-party product. just kidding, Microsoft.)

All of the files are PDFs. Please feel free to tell your friends about them; however, I'd appreciate it if you tell them to come here instead of just sending them copies. My children are rapidly approaching college age, y'know.

"Keep it secret, stupid"

Lots of people subscribe to the idea that keeping security vulnerabilities secret is the best way to deal with them. Dr. Matt Blaze, an eminent cryptography and security researcher, had a few thoughts on that the he shared with Dave Farber's Interesting-People list. I post it here as a cautionary tale.

Blaze wrote:

Last year, I started wondering whether cryptologic approaches might be
useful for the analysis of things that don't use computers.
Mechanical locks seemed like a natural place to start, since they
provided many of the metaphors we used to think about computer
security in the first place.

So I read everything I could get my hands on about locks, which
included most of the available open literature and at least some of
the "closed" literature of that field. Once I understood the basics,
I quickly discovered, or more accurately re-discovered, a simple and
practical rights amplification (or privilege escalation) attack to
which most master-keyed locks are vulnerable. The attack uses access
to a single lock and key to get the master key to the entire system,
and is very easy to perform. For details, see #.

I wrote up the attack, in a paper aimed more at convincing computer
scientists that locks are worth our attention than anything else (I
called it "Rights amplification in master-keyed mechanical locks").
As I pointed out in the paper, surely I could not have been the first
to discover this -- locksmiths, criminals, and college students must
have figured this out long ago. Indeed, several colleagues mentioned
that my paper reminded them of their college days. There is
considerable evidence that similar methods for master key decoding
have been discovered and rediscovered over the years, used illicitly
and passed along as folklore (several people have unearthed Internet
postings dating back as much as 15 years describing how to make master
keys). Curious college students -- and professional burglars -- have
long been able to get their hands on master keys to the places that
interest them.

But the method does not seem to appear in the literature of locks and
security, and certainly users of master keyed locks did not seem to
know about this risk. I submitted the paper to a journal and
circulated it to colleagues in the security community. Eventually,
the paper reached the attention of a reporter at the New York Times,
who wrote it up in a story on the front page of the business section
last week.

The response surprised me. For a few days, my e-mail inbox was full
of angry letters from locksmiths, the majority of which made both the
point that I'm a moron, because everyone knew about this already, as
well as the point that I'm irresponsible, because this method is much
too dangerous to publish. A few managed to also work in a third
point, which is that the method couldn't possible work because
obviously I'm just some egghead who doesn't know anything about locks.

Those letters, with their self-canceling inconsistency, are easy
enough to brush aside, but there seems to be a more serious problem
here, one that has led to a significant real-world vulnerability for
lock users but that is sadly all too familiar to contemporary
observers of computer security.

The existence of this method, and the reaction of the locksmithing
profession to it, strikes me as a classic instance of the complete
failure of the "keep vulnerabilities secret" security model. I'm told
that the industry has known about this vulnerability and chosen to do
nothing -- not even warn their customers -- for over a century.
Instead it was kept secret and passed along as folklore, sometimes
used as a shortcut for recovering lost master keys for paying
customers. If at some point in the last hundred years this method had
been documented properly, surely the threat could have been addressed
and lock customers allowed to make informed decisions about their own
security.

The tragic part is that there are alternatives. There are several
lock designs that turn out to resist this threat, including master
rings and bicentric locks. While these designs aren't perfect, they
resist completely the adaptive oracle attack described in my paper.
It's a pity that stronger alternative designs have been allowed to die
a quiet death in the marketplace while customers, ignorant of the
risks, have spent over a hundred years investing in inferior systems.

Although a few people have confused my reporting of the vulnerability
with causing the vulnerability itself, I can take comfort in a story
that Richard Feynman famously told about his days on the Manhattan
project. Some simple vulnerabilities (and user interface problems)
made it easy to open most of the safes in use at Los Alamos. He
eventually demonstrated the problem to the Army officials in charge.
Horrified, they promised to do something about it. The response? A
memo ordering the staff to keep Feynman away from their safes.

Matt Blaze
26 January 2003

Exchange 2003 webcast

Mark your calendars; on 10 January at 0830 PST (that's 1630 GMT), Microsoft's scheduled a webcast with Ed Wu, product manager for Exchange 2003, to discuss its new features and cool goodies. There will probably be other such events, especially as we get closer to TechEd 2003. (Note to Microsoft: if you're going to have TechEd in the summer, why hold it in sweltering places like New Orleans and Dallas? how about Minneapolis, San Diego, Toronto, or someplace with more moderate weather?)

Exchange 2003 public beta released

Microsoft's released the first public beta of Exchange Server 2003, formerly codenamed Titanium. Exchange 2003 has a ton of new features; my favorites include the ability (when running on Windows .NET Server) to do snapshot backups, and the ability to use signed and encrypted mail with OWA. You can download the Ti bits, or you can order an eval kit with Exchange 2003 beta 2, Windows .NET Server RC2, and Office 11 beta 1 for US$20. The "getting started" guide makes for interesting reading, too.

Outlook 11: butt-saver or security risk?

I had a network account, from a certain large software company, used for my work for them. Due to an administrative snafu, it was disabled and won't be re-enabled until the manager returns after the holidays. I needed a message that had been sent to that account? What to do?

In my case, it was simple: I fired up Outlook 11 and got the message out of my client-side cache. This really isn't a new feature; Outlook's had PST and OST files for a long while. However, Outlook 11's synchronization is seamless and automatic. As an end user, that's great. As an administrator, though, it makes me wonder: what can I do to prevent or restrict the use of cached content? I have a sneaking suspicion that Microsoft has some ideas in this direction, and that we'll be seeing them emerge in future betas of Outlook 11.

Security templates

If you apply the security templates from Microsoft's Exchange 2000 security operations guide, remember that these templates are additive. You must first apply the correct templates from the W2K security operations guide.

Out-of-office messages considered harmful

Apart from the twin facts that they're annoying to outsiders and that they can cause mail loops, the BBC reports on a third excellent reason not to use out-of-office messages to the Internet: people will rob your house while you're away.

Order now for the holidays!

Well, Valentine's Day, that is. According to Amazon, the book will ship 2/5/03. This is a bit later than I'd hoped, but I suppose I should have written it faster.

If you preorder it now, though, you're assured of getting it when they do.

Microsoft changes security bulletin policy

Microsoft is changing the way they distribute security bulletins. In the past, they've blasted out fairly technical bulletins to all subscribers, including the home users and other non-administrator types who took my advice and signed up for the bulletin service. It's a litte daunting when Mom gets a security bulletin for Exchange 2000!

To make it easier for everyone to find out what's what, their new process is a bit different:

• The existing technical bulletins stay around, but they're now targeted at administrators, not end users


• In the future, new bulletins for end-user issues (like patches for IE or Office) will be released. These will be less technical, with links to more info on the MS web site.


• The rating system for vulnerabilities has changed. Since someone else already has a monopoly on color codes, Microsoft's using a scale ranging from "critical" to "low".

I feel much better

I'm always a little leery of technical editors, because I know how most publishers choose them: they look for someone who a) is breathing and b) can spell the name of the product or technology covered in the book. I'm fortunate that MS Press chose Tony Northrup as their TE for this book; his comments have uniformly been useful (even when I didn't agree with them), and he's caught a bunch of my stupid mistakes before they got out into the wild.

There are a number of volunteer TEs, too, whom I'll be introducing over the coming weeks. In particular, a number of Microsoft PMs have volunteered to review material related to their domain expertise, which is really helping strengthen coverage of some key areas.

Book progress report

I basically have three weeks to finish the book. The first 10 chapters are all done and delivered to Microsoft; 9 of them have already been through author review. A total of six chapters have yet to be written, so I've got my work cut out for me. (Actually, one of those 6-- the one on POP/IMAP security-- is all done but for the chapter summary.)

Indexing, proofreading, and printing usually takes about 12 weeks for most publishers. This is my first MS Press book, so I don't know if they're faster or slower than average. As soon as I have more information on an ETA for the book, I'll post it here (although it's not showing up on Amazon.com yet).

Test

Is this thing on?