Alexander’s Blog

If you don’t see the Security tab on your Exchange organization’s Properties tab, obviously you won’t be able to modify the security.

Here’s how you can enable the Security tab by modifying the registry.

1. Start the registry editor (regedit.exe).
2. Locate the following subkey: HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin.
3. From the Edit menu, select New, and then select DWORD value.
4. Type ShowSecurityPage and press Enter.
5. Double-click the entry you just created and set the value to 1.

Close the registry editor. You should now have the Security tab in the Properties of your Exchange organization.

Common Criteria, which is a set of well-known standards of assurance for sharing classified information among government agencies, has blessed Microsoft with their Evaluation Assurance Level (EAL) 4+ for several of Microsoft products. Common Criteria is an international standard and achieving EAL levels (which range from the low of 1 to a high of 7) is important for organizations interested in winning federal contracts.

In the past the following Microsoft products received EAL 4+ certification.

1. Windows 2000 Server and Advanced Server
2. Windows 2000 Professional
3. Exchange Server 2003
4. Internet Security and Acceleration Server 2004

The following products received the EAL 4+ rating just recently.

1. Microsoft Windows Server 2003, Standard Edition (32-bit) with Service Pack 1.
2. Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1.
3. Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1.
4. Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0).
5. Microsoft Windows XP, Professional with Service Pack 2.
6. Microsoft Windows XP, Embedded with Service Pack 2.

We all know that it’s a bad idea to surf the Web on a network server. In fact, it’s not a good idea to surf the Web on any computer where you are logged on as Administrator. A lot of malware causes harm because the user browses the Web while he/she is logged on as an Administrator. Michael Howard has written a tool called “DropMyRights“, which should solve this problem. DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context than that of a non-administrator. It does this by taking the current user’s token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla’s Firefox, Eudora, or Lotus Notes e-mail.

Simply copy DropMyRights.exe to a folder. Then for each application you want to run in lower privilege, follow the steps described in this article.

More info…

If you use Exchange Server 2003 and would like to make the Change Password option available to your Outlook Web Access (OWA) users, you’ll need to modify the registry. Unlike Exchange 2000 OWA, the option is not visible by default in Exchange 2003 OWA. You can modify the registry on your Exchange Server 2003 to make the Password Change button available to your OWA users by using the following procedure.

1. Start the registry editor (regedit.exe) on your Exchange Server 2003.
2. Go to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA.
3. Double-click DisablePassword in the right-hand pane.
4. Change the value from the default 1 (which disables the password option) to 0 so that the password option is enabled.
5. Go to Administrative Tools, Services.
6. Restart the World Wide Web Publishing Service and the Microsoft Exchange Information Store service.

Now your users can go to the Options section in OWA and change their passwords using the newly visible Change Password button.

Here are some general guidelines to monitor Exchange Server 2003. Since each environment is different, you should consider these guidelines as a good starting point, monitor your Exchange Server 2003, and then configure the parameters accordingly. To configure Monitoring, locate the server, Properties, and go to the Monitoring tab.

Virtual Memory
Should not fall below 25% free.

CPU
Should not exceed 80% over 5 minutes.

Free disk space
Configure the monitor to issue a warning when you have less than 250MB available and issue a critical alert when the drive has less than 50MB of free space.

X.400 queue growth
Should be empty for any environment that uses SMTP to connect to other messaging systems.

Guidelines for Monitoring Cluster Resources
Use System Monitor to identify memory fragmentation for each node in the cluster by monitoring the following counters.

MSExchangeIS\VM Largest Block Size
Should not fall below 32MB. Exchange will log a warning in the event log (Event ID=9582) if this falls below 16MB.

MSExchangeIS\VM Total 16MB Free Blocks
Should not drop below 3. If it does, restart all the services on the node.

MSExchangeIS\VM Total Large Free Block Bytes
Should not fall below 32MB. If it does, restart all the services on the node (or restart the server) and then fail back the Exchange Virtual Servers.

Monitoring Exchange Store

Free disk space
Must be equal to or greater than 110% of the size of the largest database.

Baseline Counters
The following counters should be monitored over time. The required values are only realistic if they are observed over time. For example, you may notice that % Processor Time value peaks to over 80% temporarily on occasion. We are only interested if these values are sustained over a period of time. For example, if you are using Performance Logs and Alerts to collect data for the recommended counters, configure it to collect data at regular intervals, such as every 10-15 minutes.

You may also want to collect data every week during specific hours, such as Monday-Friday between 8:00am-10:00am for several weeks to obtain a baseline of network performance during peak hours. These are just some suggestions. Every network is different and your baseline may be very different than other networks. Use the following counters as a guideline.