February 2008 Entries
New form of spam

I came across an interesting article yesterday on a new form of spam: using webmail providers' Out-of-Office features to do a new type of backscatter spam. This is an excellent example of how unsecured messaging does not mix well with automated message generation capabilities. Any good Web developer can tell you that it's a bad decision to blindly accept and process untrusted input, and yet SMTP bots (that's what OOF functionality is at its core) do precisely that, thanks to the lack of a standard for verifying the authenticity of the sending identity and the integrity of the end-to-end message route. This is nothing new; it is the same variety of vulnerability that backscatter spam has been exploiting for years: target the NDR/bounce generation mechanism to do the dirty work for the spammers and send the payload to the victim.
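As an added example (not code from the post or from any webmail provider), here is the gate an Out-of-Office responder can apply before it replies, so that it stops behaving as an unconditional SMTP bot. It relies only on headers that already exist for this purpose (the null reverse path of bounces, RFC 3834 Auto-Submitted, Precedence and List-* headers, and Microsoft's X-Auto-Response-Suppress) plus a once-per-sender ledger; it cannot authenticate the sender, which is exactly the gap the post describes, so it limits amplification rather than eliminating forgery.

```python
"""Added example: decide whether an Out-of-Office reply should be generated at all.
Sample messages in the test are constructed; header conventions are the real ones
(RFC 3834, RFC 2076 Precedence, RFC 2919 List-Id, Microsoft X-Auto-Response-Suppress)."""
from email import message_from_string
from email.utils import parseaddr


def autoreply_block_reason(raw: str):
    """Return None if an OOF reply is acceptable, else a short reason for suppressing it."""
    msg = message_from_string(raw)
    # Bounces and most backscatter carry an empty reverse path (MAIL FROM:<>);
    # replying to them sends mail to whoever the spammer put in the headers.
    rp = msg.get("Return-Path")
    if rp is not None and rp.strip() in ("", "<>"):
        return "null return-path"
    # RFC 3834: any Auto-Submitted value other than "no" marks generated mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return f"auto-submitted={auto}"
    # Bulk and list traffic: never answer a mailing list or a marketing blast.
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "list", "junk"):
        return f"precedence={prec}"
    for h in ("List-Id", "List-Post", "List-Unsubscribe"):
        if msg.get(h):
            return f"list header {h}"
    # Exchange/Outlook convention: the sender asked for OOF replies to be suppressed.
    flags = {v.strip().lower() for v in (msg.get("X-Auto-Response-Suppress") or "").split(",")}
    if flags & {"all", "oof", "autoreply"}:
        return "x-auto-response-suppress"
    # No usable sender mailbox means there is nobody to reply to.
    if not parseaddr(msg.get("From") or "")[1]:
        return "no sender address"
    return None


class OofResponder:
    """Once-per-sender ledger: even a sender that passes every check gets a single OOF,
    which caps how much amplification a forged envelope can buy from this mailbox."""

    def __init__(self):
        self._replied = set()

    def decide(self, raw: str):
        reason = autoreply_block_reason(raw)
        if reason:
            return False, reason
        sender = parseaddr(message_from_string(raw).get("From"))[1].lower()
        if sender in self._replied:
            return False, "already replied to sender"
        self._replied.add(sender)
        return True, "send OOF"
```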

This new form of attack just underscores my growing conviction that our current system of email is going to be gradually supplanted by a variety of mechanisms for communicating with people outside of our organizations. There's too big of a disconnect between “enterprise” features that businesses want from email and the inherent limitations of the current store-and-forward mechanism SMTP is built upon. And no, I'm not one of those people who thinks that pay-per-email schemes are the answer; what works well for physical, tangible products becomes quickly unworkable for virtual communications.

I don't think there's going to be One True Successor for SMTP, nor do I see SMTP going completely away any time soon (just as Usenet, despite all predictions, still manages to hang on for certain applications and communities). Dependable synchronous communications modes such as instant messaging, voice, and video will, I think, begin taking up a lot more of the message traffic currently carried by email. By avoiding store-and-forward asynchronous mechanisms, you reduce the opportunities that attackers and spammers have to forge and inject illegitimate communications into your users' workspaces. Allowing users to decide which communications mode is best for them helps alleviate the pressure on email systems.

posted @ Friday, February 29, 2008 7:29 PM | Feedback (1)
Sweet PowerShell lovin'...for free!

And yes, that's "free as in beer," not "free as in what some people think all information wants to be."[1]

Frank Koch and Marcel Trümpy of Microsoft (in Switzerland) have created not one, but two Windows PowerShell ebooks, and you can get them both for free:

  • A Windows PowerShell course book with associated demo files and examples.
  • A Windows PowerShell server administration book with associated demo files and examples.

Get them both in one easy download either in English or German. The downloads are from Microsoft and no registration is required, according to the blog posting.

[1] If you believe all information wants to be free, I challenge you to put your money where your mouth is and post your Social Security number (if you live in the USA; equivalent if you don't), birthdate, address, personal phone number, and bank account information here in my comments. After all, that's all information -- and it wants to be free!

posted @ Thursday, February 28, 2008 11:04 AM | Feedback (0)
DPM book hot off the presses

Early this week, Ryan and I received our authors' copies of Mastering System Center Data Protection Manager 2007, the book we co-wrote about, well, mastering DPM 2007. Amazon says it's in stock, so if the topic is at all of interest to you, please consider buying a copy or ten and making our publisher happy!

Two more interesting tidbits around the book:

  • I'll be giving a session on Exchange and DPM for the Spring 2008 Exchange Connections conference in Orlando; I'm hoping to be able to make other arrangements as well.
  • The book will have its own website, http://www.masteringdpm.com/ (it's not live yet!), in just another couple of days, by the weekend at the latest; the DNS zone is already registered, I just need to get the website software up and running.
posted @ Wednesday, February 27, 2008 4:27 PM | Feedback (0)
Passwords in the 21st century

I am sick and tired of the shoddy programming practices most companies still have in place today with their websites.

I can understand the desire to not provide certain types of downloads to users unless they have an account that can be tracked, especially (yes, Parallels, I'm looking right at you!) when they distribute updates as a completely new installer instead of an updater or service pack. I can understand why they justify the need to use a completely separate account management system instead of one of the many standards that are available, such as Windows Live (formerly known as Passport). I cannot understand, then, why they spend the development (and, one would hope, testing) effort to write a sloppy, poor authentication system that makes assumptions about the habits of the users. If you're going to spend that internal time and effort poorly, just pay the fee to Microsoft for Windows Live already and at least give your users one fewer set of credentials to remember!

I use passphrases everywhere I can these days, even for "throwaway" accounts on websites. I know the arguments for weaker security on them and agree with them as a personal choice for the user; the website should not be free to make the same assumptions. I'm tired of getting error messages because I've entered "too many characters" (turned out that 12 was too many for that particular website) or dared to use symbols instead of just numbers and letters. How dare I try to keep myself in the habit of using cryptographically strong (and easy to remember) passphrases everywhere!

These may seem like little things, but if developers aren't even getting these usability issues right because they favor "decreased complexity" (what, properly handling symbols in a text string is too hard to figure out how to do properly?), what assurance do we, the consumer, have of them getting bigger security issues right?
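The two policies below are an added example, not code from the post or from any of the sites it complains about. The first is the rule the post ran into (a 12-character cap, letters and digits only); the second accepts long passphrases with any symbols, normalizes them, and stores them with salted PBKDF2-HMAC-SHA256, so the site never has to "handle" the characters at all beyond hashing them. The length bounds and iteration count are assumptions.

```python
"""Added example: the password rule the post complains about, beside a policy and
storage routine that treat a passphrase as opaque text. Limits are assumptions."""
import hashlib
import hmac
import os
import unicodedata

MAX_WEAK = 12  # the "too many characters" limit the post hit


def weak_policy(pw: str) -> bool:
    """The anti-pattern: short cap, letters and digits only, so 'Tr0ub4dor&3' and any
    multi-word passphrase are rejected before they reach the hash function."""
    return 1 <= len(pw) <= MAX_WEAK and pw.isalnum()


def sane_policy(pw: str) -> bool:
    """Enforce a minimum length only; the upper bound (assumed 256) exists purely to
    bound hashing work per login attempt, and any printable character is allowed."""
    return 12 <= len(pw) <= 256 and not any(ch in "\r\n\x00" for ch in pw)


def _prepare(pw: str) -> bytes:
    # NFKC so the same passphrase typed on different keyboards/OSes hashes identically.
    return unicodedata.normalize("NFKC", pw).encode("utf-8")


def store(pw: str, iterations: int = 200_000) -> dict:
    """Return a storable record; the passphrase itself never needs to be parsed or escaped."""
    if not sane_policy(pw):
        raise ValueError("passphrase does not meet policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(pw), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations, "salt": salt.hex(), "hash": digest.hex()}


def verify(pw: str, record: dict) -> bool:
    """Constant-time comparison against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(pw), bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```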

posted @ Sunday, February 24, 2008 10:08 PM | Feedback (0)
Webcast on Unified Communications
Tomorrow I'm going to be giving two webcasts for Quest on What You Need to Know about Microsoft Unified Communications -- one at 9am EDT, the other at 2pm EDT. (Yes, that's 6am and 11am here, so my morning tomorrow is going to start earlier than normal.) This is going to be a fun, high-level overview of the UC initiative -- it won't be a deep technical dive. Instead, we're going to look at the implications of deploying the Microsoft UC platform for the IT professional. If you have time to join one of the sessions, I'd love to see you!
posted @ Wednesday, February 13, 2008 3:02 PM | Feedback (0)
Received in the mail: Exchange Server 2007 training from TrainSignal
A couple weeks back, I received an offer for a review copy of the Exchange Server 2007 video training from TrainSignal. I, of course, gleefully accepted. Over the next few days, I'll be checking it out and will let you all know what I think. I'm prepared for goodness, though; fellow MVP David Shackelford is the instructor. Hey, David, I didn't realize that you sound a lot like David Spade!
posted @ Tuesday, February 12, 2008 2:58 PM | Feedback (1)
Liveblogging the Unified Communications Voice Ignite conference, day 5

Last day. It's been a blast, but my brain is getting full. (You can see my day 4 notes here.)

9:45: When you're deploying a multi-site Edge server deployment, be aware that you can't have multiple sites with the Access Edge role -- they have to be in a central location. You can, however, deploy site-local A/V Edge and Web Conferencing Edge server roles. Remember the discussion from 15:35 on Day 3 -- you can have all three roles on one box or break out to A/V Edge on one, Web Conferencing Edge and Access Edge on the other -- this is for your central “data center” site. Remote sites with their own Edge deployment don't get the Access Edge role at all, so they at most have A/V Edge on one server and Web Conferencing Edge on another, plus any additional boxes for scalability/redundancy. (source http://technet.microsoft.com/en-us/library/bb663789.aspx)

12:09: A nice gift from the OCS team blog -- they're announcing the availability of OCS 2007 Visio stencils.

12:17: Always use the documentation! You can find the OCS 2007 docs in both online and downloadable form here, and the same for Exchange 2007.

13:25: Some links to a few nice OCS blogs out there. http://comunicationsserverteam.com and http://communicatorteam.com are product team blogs, while http://blogs.msdn.com/byrons/, https://blogs.technet.com/jenstr/, http://blogs.technet.com/toml/, http://blogs.technet.com/chlacy/, and http://cacorner.blogspot.com/ are maintained by some of the presenters.

If you've made it this far, thanks for sticking it through. Hopefully, you've learned some valuable material along the way -- I know I have. If you're looking at an OCS voice deployment, I highly recommend making it to another one of the events in this tour or an equivalent tour.

posted @ Thursday, February 07, 2008 5:25 PM | Feedback (1)
Liveblogging the Unified Communications Voice Ignite conference, day 4

Just 2 days left -- on with Thursday! (You can see my day 3 notes here.)

09:57: The RTAudio codec suite is pretty cool. Finally found out why there are all those new devices (like USB headsets) that are marked as Microsoft UC-compatible. Regular low-end devices are used to dealing with the G.711 codecs, which sample at 8 kHz; many of them can't support sampling at the 16 kHz rate that the RTAudio wideband codec variants (there are 6) support. The updated equipment is specifically tested to give the full fidelity when using the wideband RTAudio variants. (source http://www.microsoft.com/downloads/details.aspx?familyid=05625AF1-3444-4E67-9557-3FD5AF9AE8D1&displaylang=en and http://www.microsoft.com/downloads/details.aspx?FamilyID=5D79B584-79C9-42A8-90C4-4AB3F03D19C4&displaylang=en)

10:12: Ooh! Microsoft has a freely downloadable Deployment Validation Tool for OCS.

12:31: Going back to the reverse proxy issue I talked about in 15:44 on Day 3, you can get detailed guidance on configuring ISA Server 2006. (source http://technet.microsoft.com/en-us/library/bb663639.aspx)

12:35: Yes, Virginia, the A/V Edge server external IP address must be a publicly routable address. It can't be behind NAT (not even 1:1 NAT, also known as Static NAT, bi-directional NAT mapping, or any of a number of other terms). Is this just another stupid “Microsoft doesn't get security” stunt of years gone by? Nope -- this requirement is there because you absolutely have to have a publicly routable address somewhere in the equation in order to allow NAT traversal for all the other clients. OCS's A/V Edge NAT traversal functionality is based on the STUN standard, which was developed under IETF guidance through a multi-vendor working group including Microsoft and Cisco. (source http://tools.ietf.org/html/rfc3489, especially the last paragraph of section 6, http://www.voip-info.org/wiki-ICE, and http://technet.microsoft.com/en-us/library/bb870364.aspx)

16:05: Had a nice series of crunchy labs. Yum! Before that, though, a couple of key Exchange Unified Messaging/OCS interoperability points. You should have one Exchange UM SIP URI dial plan for each OCS location profile -- they have a 1:1 correspondence. You may also have additional Exchange UM TEL URI dial plans if you're in PBX co-existence mode; those dial plans are for the PBXs, not for OCS. (source http://technet.microsoft.com/en-us/library/bb803653.aspx)

Continue on to my Day 5 notes.

posted @ Wednesday, February 06, 2008 3:06 PM | Feedback (3)
Fighting PKI inertia

I've noticed something for a while now -- people are really reluctant to install a proper PKI system. If you're a Windows-based organization, I have three words for you:

Get over it.

The Windows Certificate Service (WCS) is powerful and fairly easy to manage -- and it's included in Windows Server Standard or Enterprise versions.

For years, people have been complaining about the lack of security in various products. Well, Microsoft and other vendors have listened, and standards like TLS and Mutual TLS are now getting put into most of the new products and versions rolling out the door. However, in order to USE these standards and get the security, you must have certificates. You can spend a lot of money buying and installing and managing these certificates from third-party vendors or you can install WCS.

The most common objection I hear is, “But I can just use commercial certificates!” True, you can. But now you're paying for every certificate and adding to the complexity of your deployment tasks. Rolling out Exchange 2007 or OCS 2007 with all the proper certificates is a lot easier when your servers have an internal WCS infrastructure to talk to -- requests are fulfilled almost immediately. You don't have to spend money on all those internal server certificates -- just the external-facing certs for machines that are talking to external clients or mobile devices.

Either way you choose to go, there are a few facts of life:

  • You WILL need to take time to learn how certificates and requests actually work. Knowing why you want to keep secure exported copies of certificates with their private keys associated is a good thing.
  • You WILL have to allocate time managing your certificates and infrastructure. Commercial certificates expire -- we at 3Sharp had a certificate expiration sneak up on us and disable OWA and EAS until we got it sorted out.
  • You WILL have to worry about certificate backups and processes. See the point about exported certificates.

Okay, here's a question -- would there be any interest in having me do a series of blog posts on the basics of certificate handling? I know there's good material out there, so I'd focus my stuff on common tasks and gotchas I've run across when deploying certificates for Exchange and OCS. If that sounds like something you'd want to see, drop me a comment.

posted @ Tuesday, February 05, 2008 4:35 PM | Feedback (1)
Liveblogging the Unified Communications Voice Ignite conference, day 3

Good morning! Back for day 3. (You can see my day 2 notes here.)

09:13: Back when I first started doing OCS, the vision included “hybrid” gateway devices which included the Mediation Server role functionality in the gateway. Well, they exist now -- partners have been busy! (source http://technet.microsoft.com/en-us/office/bb735838.aspx)

10:25: User provisioning can be fun. When provisioning users, you need to populate the msRTCSIP-line attribute with their phone number in E.164 format. OCS doesn't look at the regular Active Directory phone attributes. You can populate the msRTCSIP-line attribute from the AD attribute, but you need to make sure that you normalize the numbers to E.164 format first. Best case: normalize your AD phone numbers! (source http://technet.microsoft.com/en-us/library/bb870372.aspx)

10:47: WMI is the preferred interface for writing user provisioning scripts -- this allows you to do it in the language of your choice, including (yay!) PowerShell (via PowerShell's WMI provider). The Resource Kit gives you lots of useful scripts (yes, including PowerShell) and samples as a starting point. (source http://www.microsoft.com/downloads/details.aspx?FamilyID=b9bf4f71-fb0b-4de9-962f-c56b70a8aecd&displaylang=en and http://blogs.technet.com/jamesone/archive/2007/08/19/powershell-and-paradigms-of-vb.aspx)

10:51: Mmm. These brownie-walnut-tart thingies are TASTY.

11:04: Kevin's all hooked up for pictures, so you can see the brownie-walnut-tart thingies for yourself.

12:22: About to jump into more tasty crunchy labs, but before I do, one word of advice -- bone up on regular expressions. (source http://technet.microsoft.com/en-us/library/bb803637.aspx, http://www.microsoft.com/downloads/details.aspx?FamilyID=b9bf4f71-fb0b-4de9-962f-c56b70a8aecd&displaylang=en, and http://www.microsoft.com/technet/technetmag/issues/2008/02/OCSTelephony/default.aspx)

14:28: RTP (Realtime Transport Protocol, not RealTime Protocol as many people think) is cool! There's some clever engineering going on here, although the comparative size of the header and the payload is pretty skewed, especially once you get all the UDP, IP, and physical link overhead in there -- remember the overhead from 09:38 in the day 2 notes? That's where it comes from. (source http://tools.ietf.org/html/rfc3550, http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=2697675&SiteID=57)

15:35: Even though a lot of the OCS conceptual diagrams show the three Edge server roles on separate machines, it is not supported to install these three roles each on its own machine. You can deploy all three roles on a single machine OR you can have A/V Edge on one server and Access Edge + Web Conferencing Edge on another server. Each of these servers can also be deployed in a load-balanced configuration. You can't load balance a consolidated single server (all three Edge roles) configuration. I'm guilty of getting this one wrong, so if you saw me speak at one of the UC roadshows last fall, make note! (source http://technet.microsoft.com/en-us/library/bb663789.aspx)

15:44: Note that while a reverse proxy (such as ISA) is not a required part of the whole remote access deployment, by not using it you will lose functionality from external clients that aren't using a VPN connection: you won't be able to expand AD groups and get their memberships, you won't be able to download the address book information (which contains all of that lovely normalized phone number information you went to such pains to configure), and you won't be able to download meeting content in Live Meeting conferences. By reverse proxy, think something like ISA 2006 (which is recommended) or other equivalent applications or appliances. (source http://technet.microsoft.com/en-us/library/bb803627.aspx)

15:51: Contrary to popular belief, the Access Edge server does not perform authentication of incoming remote connections. It does provide validation of incoming SIP requests (filtering out requests to invalid SIP URIs, etc.), but it doesn't authenticate. Authentication happens either on the OCS Standard Edition server, the OCS Enterprise Edition Front-End pool, or the optional (but highly recommended) Director role. Director roles can be load balanced for greater reliability. (source http://technet.microsoft.com/en-us/library/bb663752.aspx)

17:36: Byron Spurlock has a fantastic blog on OCS at http://blogs.msdn.com/byrons/default.aspx -- the only flaw is that Byron needs to update more frequently! Great stuff!

17:42: Want to find the latest and greatest list of UC-compatible certificates? Look no further than KB 929395. However, be aware that this KB doesn't seem to have been updated recently, and it doesn't help you figure out which certificates will automatically be trusted by Windows Mobile devices or Office Communicator Phone Edition devices. The key sentence is: “If the OCS 2007 servers use public certificates they will most likely be automatically trusted by the device, since it contains the same list of trusted CA's as Windows CE.”

Continue on to my Day 4 notes.

posted @ Tuesday, February 05, 2008 2:09 PM | Feedback (6)
Liveblogging the Unified Communications Voice Ignite conference, day 2

Good morning! Back for day 2. (You can see my day 1 notes here.)

09:13: Talking about dialing requirements. Just heard the best explanation of E.164 I've heard -- very simply, it's a format for writing phone numbers that makes them globally unique. A lot of the configuration energy for OCS and PBX systems is focused around translating dialed numbers (and fragments of numbers) into E.164 so that the call can be routed appropriately. Exchange 2007 RTM didn't support E.164 dial plans, but SP1 does. (source http://technet.microsoft.com/en-us/library/bb803637.aspx and http://technet.microsoft.com/en-us/library/bb676323.aspx)

09:38: In the UC roadshow sessions we did last fall, we were telling people that the RTAudio-WB codec used on average 45Kbps bandwidth per channel. This is true (it can use lower or higher, but that's a good average), but that doesn't take into account the various network overhead components. Turns out, you should use 57Kbps as your average planning number for each one-way channel -- 57Kbps send and 57Kbps receive for each endpoint. While this may seem like a lot, remember that most conversations have only one user speaking at a time for the majority of the time. However, be sure to plan for this if you have different upstream/downstream capabilities! (source http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=2697675&SiteID=57 -- not an “official” guide, but the calculations are there and check out; the official planning guide still has the numbers that don't account for overhead, and the overhead can change based on network conditions)

10:54: E.164 is an ITU standard for normalizing phone numbers, as I mentioned before. However, RFC 3966 defines the tel: URI scheme, which is basically a superset of E.164. E.164 applies only to public numbers; RFC 3966 applies to private numbers as well. Anytime you see a tel: prefix on a number in OCS, you're dealing with RFC 3966. (source http://www.ietf.org/rfc/rfc3966.txt, http://en.wikipedia.org/wiki/Telephone_number, and http://en.wikipedia.org/wiki/URI_scheme)

11:06: OCS 2007 normalization rules use .NET regular expressions, which can be pretty confusing to grasp. However, the OCS 2007 Resource Kit can help -- it includes the Enterprise Voice Route Helper, which includes a normalization tool that helps you build your regular expressions. (source http://www.microsoft.com/downloads/details.aspx?FamilyID=b9bf4f71-fb0b-4de9-962f-c56b70a8aecd&displaylang=en)
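The normalization idea from the day 2 notes (dialed strings to E.164, then the tel: URI form that msRTCSIP-line expects) and the day 3 provisioning note, worked through as an added example that is not from the post or from the OCS Resource Kit. The site prefix +1425555, the trunk prefixes and the rule order are all constructed; OCS evaluates these as .NET regular expressions, whose replacement syntax is $1 where Python uses \1, so translate the templates before pasting them into a location profile.

```python
"""Added example: location-profile style normalization rules applied to dialed
strings and AD telephoneNumber values. The rules and site prefix are constructed."""
import re

# Tried in order: (pattern matched against the cleaned dialed string, E.164 template).
RULES = [
    (r"^(\d{4})$",            r"+1425555\1"),  # 4-digit extension at a constructed Redmond site
    (r"^9?1?([2-9]\d{9})$",   r"+1\1"),        # NANP 10-digit, optional trunk 9 and long-distance 1
    (r"^9?011(\d{7,14})$",    r"+\1"),         # international dialed via 011
    (r"^\+([1-9]\d{6,14})$",  r"+\1"),         # already E.164: pass through
]
# E.164: leading '+', first digit non-zero, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def normalize(dialed: str):
    """Apply the first matching rule; return the E.164 number, or None if no rule fits
    or the rule produced something that is not valid E.164 (a misconfigured rule)."""
    digits = re.sub(r"[\s().\-]", "", dialed)  # strip AD-style punctuation: (425) 555-1234
    for pattern, template in RULES:
        m = re.match(pattern, digits)
        if m:
            number = m.expand(template)
            return number if E164.match(number) else None
    return None


def msrtcsip_line(ad_phone: str, extension: str = None) -> str:
    """Value to write into msRTCSIP-line: a tel: URI (RFC 3966), optionally with ;ext=."""
    e164 = normalize(ad_phone)
    if e164 is None:
        raise ValueError(f"cannot normalize {ad_phone!r} to E.164; fix the AD attribute first")
    return f"tel:{e164}" + (f";ext={extension}" if extension else "")


def check_directory(entries):
    """Given (name, telephoneNumber) pairs, report the E.164 result per user so the
    entries that come back None can be cleaned up before provisioning runs."""
    return {name: normalize(phone) for name, phone in entries}
```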

11:20: PSTN breakout is a cool process -- use VoIP across your network, then break out the call to the PSTN at your location closest to the destination so you reduce or eliminate long-distance costs. OCS allows this pretty easily. However, you may not always be allowed to -- in India, for example, you must be registered as an ISP in order to switch calls back onto the PSTN from VoIP; point to point Communicator calls are just fine. (source http://www.microsoft.com/downloads/details.aspx?FamilyId=24E72DAC-2B26-4F43-BBA2-60488F2ACA8D&displaylang=en and http://www.ilocus.com/2008/01/bsnls_voip_will_kill_the_grey.html)

11:44: Lectures are done for the day -- on to death by labs! We've got a series of really crunchy voice interop labs to work our way through. Woohoo!!!

Continue on to my day 3 notes.

posted @ Monday, February 04, 2008 2:19 PM | Feedback (3)
Liveblogging the Unified Communications Voice Ignite conference, day 1

Greetings from Sydney, Australia, where I'll be spending the next week (along with Kevin) at the UC Voice Ignite event. (If you're one of my readers and you're here too, look me up.) I want to capture some neat bits and info that you should know but may not. I can't put everything down, of course, and I won't post anything that I can't verify from publicly available material from Microsoft -- yes, Virginia, I take my NDAs seriously.

12:06: Exchange 2007 UM RTM didn't directly detect fax tone on incoming calls -- I didn't know that. Your IP gateway had to do it, then UM would renegotiate the media as T.38. SP1 changes that -- UM will detect fax tone, but the detection is off by default; you must enable it manually. (source http://technet.microsoft.com/en-us/library/bb691398(EXCHG.80).aspx)

12:08: If you're planning on doing both Exchange 2007 UM and OCS 2007 using the same VoIP gateway, be careful it's certified for both! There is currently only one gateway (from Dialogic) that is certified for both applications. In theory, you shouldn't need two separate gateway products. (source http://www.microsoft.com/technet/prodtechnol/exchange/telephony-advisor.mspx and http://technet.microsoft.com/en-us/office/bb735838.aspx#qualified)

12:10: How do I know if Exchange 2007 UM works with my PBX/VoIP PBX? See the Microsoft Telephony Advisor and the IP PBX and PBX Configuration Notes.

12:12: Which IP PBXes connect to Exchange 2007 UM? At this point, Cisco Call Manager 6.x gives full interop (voice and fax), 5.x gives full interop for call answering, 4.x is not tested, and CallManager Express is not supported. The Mitel 3300 (v7.1 UR2) also supports direct interop (this is what we're using), but look at Interactive Intelligence CIC (v 2.4 SU13 at least). Avaya and Nortel CS1000 v5.0 require SIP proxies. Note that this is talking solely about Exchange 2007 UM interop, not OCS interop! (source http://www.microsoft.com/technet/prodtechnol/exchange/telephony-advisor.mspx)

12:19: During Q&A, it's already been noted that the 12:12 information is out of date. Moral of the story: many vendors are working hard on this, so keep a good watch on the previously mentioned websites and talk to your vendor!

13:35: Lunch was tasty! Added source links to previous points so it's clear I'm not posting any information under NDA. (Thanks, Kevin!)

14:47: Remember how you had to pick whether a UM Auto Attendant was DTMF-enabled or voice-enabled, but not both? Fixed in SP1. (source http://technet.microsoft.com/en-us/library/bb124501(EXCHG.80).aspx)

15:35: Lots of labs -- crunchy but not too deep for this first day.

Continue on to my day 2 notes.

posted @ Sunday, February 03, 2008 5:17 PM | Feedback (2)
News: Devin has moved on to new adventures. This blog is preserved for historical purposes. Please follow his personal blog at Devin on Earth.

Virtual Devin