Alexander’s Blog

June 24, 2008

Extranet hardening planning tool

by @ 1:28 pm. Filed under ISA Server, Security/Firewalls, Tips & Tricks, Tools/Utils

I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.

Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0x409).

The tool will help you figure out which ports are required for your ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:

June 12, 2008

ISA Server’s external adapter can’t get an address from a DHCP server

by @ 8:02 am. Filed under ISA Server, Security/Firewalls, Tips & Tricks

If you are trying to get the external NIC on your ISA Server to obtain an IP address from a DHCP server and can’t, check out KB article 841141 from Microsoft. This solution applies to both ISA Server 2004 and ISA Server 2006.

The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server

SYMPTOMS
When you try to configure the external network adapter on your Microsoft Internet Security and Acceleration (ISA) Server 2006 computer or on your ISA Server 2004 computer to obtain its Internet Protocol (IP) address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter does not receive a valid IP address.

CAUSE
This behavior occurs because the default ISA Server system policy does not permit DHCP replies from external DHCP servers to the ISA Server computer.

RESOLUTION
To resolve this behavior, follow these steps:
1.    Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2.    In the console tree, click Firewall Policy.
3.    In the right pane, click the Tasks tab, and then click Show System Policy Rules.
4.    Click Allow DHCP replies from DHCP servers to ISA Server.
5.    In the details pane, click Edit System Policy.
6.    Click the From tab.
7.    Click Add.
8.    If you know the IP address of the external DHCP server, follow these steps:
a.     In the New list, click Computer.
b.     In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
c.     Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.

Note Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
9.    Click OK, and then click Apply to save the changes and update the configuration.
Note This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the “specific DHCP server” setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.
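
To tell from a packet capture which of the two cases in the note applies, the DHCP payload itself can be inspected. The following is an added example, not part of the KB article or the original post: it parses the BOOTP header and option 53 and reports whether the client already holds a lease (a renewal, which the note says the specific DHCP server entry from step 8 covers) or is still acquiring one. The function names, the sample packets and the address 203.0.113.25 are constructed for illustration.

```python
import socket
import struct

MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie that precedes the options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build(op, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0", flags=0):
    """Constructed sample: a minimal BOOTP header plus option 53."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, flags)
    for addr in (ciaddr, yiaddr, "0.0.0.0", "0.0.0.0"):    # ci, yi, si, gi
        pkt += socket.inet_aton(addr)
    pkt += bytes.fromhex("001122334455").ljust(16, b"\0")  # chaddr
    pkt += bytes(64 + 128)                                 # sname + file
    return pkt + MAGIC + bytes([53, 1, msg_type, 255])

def parse(payload):
    """Extract the fields that distinguish a renewal from a first lease."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    fields = {
        "broadcast": bool(struct.unpack("!H", payload[10:12])[0] & 0x8000),
        "ciaddr": socket.inet_ntoa(payload[12:16]),
        "type": None,
    }
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 ends the options
        if payload[i] == 0:                                # pad byte, no length
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        if payload[i] == 53 and payload[i + 1] == 1:       # DHCP message type
            fields["type"] = TYPES.get(payload[i + 2], "OTHER")
        i += 2 + payload[i + 1]
    return fields

def lease_phase(payload):
    """'renewal' if the client already holds an address, else 'initial'.

    RFC 2131: ciaddr is filled in only by a client that has a lease
    (renewing or rebinding); DISCOVER/OFFER and the first REQUEST carry 0.
    """
    f = parse(payload)
    if f["type"] in ("REQUEST", "ACK") and f["ciaddr"] != "0.0.0.0":
        return "renewal"
    return "initial"
```

A result of "initial" on the external adapter's traffic means the machine is in the Discover phase the note describes, where the narrow From entry is not enough until a lease has been obtained.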

May 23, 2008

Out-of-Office Messages in Outlook 2007

by @ 4:40 am. Filed under Exchange/Outlook, Tips & Tricks

I had a client who asked me the other day if it is possible to prevent out-of-office messages in Exchange 2007 from being sent to anyone not on the users’ contacts list. Luckily, in Outlook 2007 Microsoft allows us to set two different out-of-office messages.

Sending out-of-office messages to anyone could be a security risk and can also help spammers, who are able to verify your e-mail address. Bad guys can benefit from information about you that they shouldn’t have. For example, there are known cases of people getting robbed when an out-of-office message informed the would-be robbers that people would be out of town on certain dates. Out-of-office messages also pose additional social engineering threats.

In Outlook 2007, you have much better control over out-of-office replies. Not only can you send out-of-office replies during specific dates, which is very helpful, you can also configure one auto-reply for people who are inside your organization and another for people who are outside your organization. For example, you can configure the dates for when you are out of office ahead of time and Outlook 2007 will automatically turn on the feature during those dates. To configure out-of-office auto-replies in Outlook 2007, go to Tools, Out of Office Assistant. Notice that when you enable the feature by clicking “Send Out of Office auto-replies” you have two tabs: one for “Inside My Organization” and another for “Outside My Organization”. When you type a message for users “Outside My Organization”, you can choose to either select “My contacts only” or “Anyone outside my organization” (which is the default setting).

The ability to limit out-of-office replies only to users that are on your contacts list is a major improvement in Outlook 2007.

April 5, 2008

Outlook 2007 Clients Getting Unexpected Login Prompts

by @ 10:43 pm. Filed under Exchange/Outlook, IIS, Tips & Tricks

Have you run into a situation where your users are getting an unexpected login prompt? If your Outlook 2007 users are configured to use NTLM authentication yet they are receiving a login prompt, which they shouldn’t, you need to modify Outlook Anywhere settings for the Autodiscover service. More specifically, you need to use the Exchange Management Shell and modify a server-side setting for Outlook Anywhere. This should be done on the server that is running the Client Access server role. For the Autodiscover service, you should set the value for the Server attribute for the EXPR OutlookProvider object to $null for the Outlook Anywhere configuration settings. Here’s how.

Make sure you have the proper permissions to modify the settings on the Exchange 2007 Server. For example, log on with an account that has the Exchange Organization Administrator role. Start the Exchange Management Shell and run the following command:

Set-OutlookProvider EXPR -Server $null

In order for the changes to take effect, you should either restart Internet Information Services (IIS) or recycle MSExchangeAutodiscoverAppPool on the Exchange server that’s running the Client Access server role.

Restarting IIS is simple, but if you decide to recycle MSExchangeAutodiscoverAppPool, you need to go to the Application Pools container in the IIS console. Right-click MSExchangeAutodiscoverAppPool and select Recycle. You should not expect any message confirming your action, but the application pool will be recycled. If you have any doubt whether the recycling of the application pool took place, you can restart IIS instead, which accomplishes the same thing.

February 15, 2008

10 cool things you can do with Windows PowerShell

by @ 5:23 pm. Filed under Exchange/Outlook, Tips & Tricks, Windows 2008

TechRepublic’s blog has a nice posting by author Rick Vanover called 10 cool things you can do with Windows PowerShell. The article lists the following cool things to do with Windows PowerShell.

#1: Report all of the USB devices installed
#2: Perform your favorite CMD tasks in PowerShell
#3: Kill a process in PowerShell instead of Task Manager
#4: Use PSDrive to view more than just drives
#5: Export NTFS folder permissions — recursive or not
#6: Play with PowerShell 2.0
#7: Work from the keyboard in Graphical PowerShell
#8: Background a time-consuming task
#9: Insert timestamps into PowerShell outputs
#10: Stop and smell the roses

Check out this link for more details on how you can benefit from these cool tips. Considering the fact that Windows PowerShell is now a core part of Exchange 2007, Windows Server 2008, and SQL Server 2008, you will find these tips handy while you work with Windows PowerShell.

Copyright ©2008 Zubair Alexander. All rights reserved.
