June 2008 Entries
Hyper-V in the hizzouse!

Everyone's being so coy in the Windows blogosphere today. "As you may have heard..." Heck with that; this is wicked cool. Hyper-V has Released To Manufacturing ... and is already available for download. As the link explains, it'll start coming down the Windows Update pipe July 8th. If you don't want your Windows Server 2008 machine to be updated yet, don't be blindly accepting updates.

Why wouldn't you want to get it first thing?

  • You're running a previous version of Hyper-V. If so, be aware that upgrading your VMs is not automatic. It's not a horrible process, but it will take some time. You have to manually export each VM, remove the VMs from the server, upgrade the server, re-import the VMs, then update the Integration Services. The more VMs you have, the more time this will take.
  • You're running some software that is not yet compatible with Hyper-V RTM but works with an earlier build. In this case, you want to wait until that software has a patch available.

I fit into both categories. I think I'm going to wait until I'm back from vacation to do it.

Oh, yes, just because Hyper-V is now RTM doesn't mean that you can go run to install Exchange 2007 on it in production. See Scott Schnoll's post for more info.

posted @ Thursday, June 26, 2008 8:28 PM | Feedback (0)
These are not the solutions you're looking for

As IT professionals, we are more often than not prone to fall to the perils of magical thinking. (I'm sure this is a side-effect of being human, which is a pesky and bothersome condition I will have to do something about one of these days.) Magical thinking in this context is when we have not internalized the intricacies of a problem and instead rely on formulas rather than true understanding to come up with solutions.

At one ISP I used to work at, we had a glorious reclaimed piece of technology, an Auspex NS-5500 file server. Every now and then on reboot, this old beast of a machine would fail to boot up; the cure was to open the cover over the drive cage and give it a good swift whack. We all assumed that this was because one of the drive connectors was a bit loose, but when our "magic" fix failed to work one night I discovered that it was in fact because one of the screws holding things in place was missing, allowing the drive bay to sag just a tiny bit. It was this tiny bit of sag that put just enough stress on the connector for drive 0. Had we actually opened the case up earlier, we'd have been able to solve the problem -- and prevent a year of whacking the server.

All too often, I see magical thinking in the field of security. Case in point: I recently heard about a gentleman who has a client that is requesting ETRN support be added back to Exchange 2007, either natively or through an add-on. They want to deploy the Edge role in their DMZ, have it queue up mail for the internal organization, and then have their Hub Transports (in the internal protected network) initiate a connection out to de-queue the messages using the ETRN SMTP extension. The reason they want this is that they've done due diligence and read some very thorough documents about computer network zones and have come to the conclusion that all network connections must be initiated from the most secure network. This, they say, removes the threat of malware taking over the Edge server in the DMZ and allowing an attacker to use it as a launching point to the protected network.

Now, the recommendation for connections to be initiated from a more secure network to a less secure network is a good general baseline to follow when it makes sense. However, it is not realistic in all cases (if we followed this to the letter, nobody would be able to receive e-mail from external senders except through random polling of Internet SMTP hosts, which is not at all scalable). This is doubly true if you don't understand how the underlying protocols work. Case in point: ETRN, defined by RFC 1985, "SMTP Service Extension for Remote Message Queue Starting". Quoting from section 3, "The Remote Queue Processing Declaration service extension" (emphasis added):

To save money, many small companies want to only maintain transient connections to their service providers.  In addition, there are some situations where the client sites depend on their mail arriving quickly, so forcing the queues on the server belonging to their service provider may be more desirable than waiting for the retry timeout to occur.

Both of these situations could currently be fixed using the TURN command defined in [1], if it were not for a large security loophole in the TURN command.  As it stands, the TURN command will reverse the direction of the SMTP connection and assume that the remote host is being honest about what its name is.  The security loophole is that there is no documented stipulation for checking the authenticity of the remote host name, as given in the HELO or EHLO command.  As such, most SMTP and ESMTP implementations do not implement the TURN command to avoid this security loophole.

This has been addressed in the design of the ETRN command.  This extended turn command was written with the points in the first paragraph in mind, yet paying attention to the problems that currently exist with the TURN command.  The security loophole is avoided by asking the server to start a new connection aimed at the specified client.

See the problem? ETRN was not designed to solve a security problem; it was designed to solve a financial problem back in days when always-on bandwidth was a lot more expensive and most ISPs metered traffic. It masquerades as solving a security problem only because it's designed to avoid a loophole in an insecure and exploitable feature. As a result, ETRN won't solve the problem these people want it to solve; all it does is tell the system in the DMZ to initiate a new connection to the Hub Transport servers. It doesn't reuse the existing connection initiated by the Hub Transport servers. They can't use a firewall rule to block outgoing access from the Edge to the Hub Transport and be safe, because they'll cut off all incoming traffic.

However, let us for a moment assume that it did work the way they wanted it to: my Hub Transport initiates an outbound SMTP session to the Edge. In this session, HT is the SMTP client, ET is the SMTP server. As soon as HT issues the ETRN command, they still have to swap roles -- HT is now using the SMTP server code paths, while the ET is using the SMTP client code paths. Any theoretical vulnerabilities that are in the HT SMTP implementation are still going to be there, still exposed to the message traffic about to be sent down the connection, still open to exploitation.
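To make the two connection directions concrete, here is a small added model of the RFC 1985 exchange described above. It is illustration code written for this page, not anything from the original post or from Exchange; the host names, the queued messages and the firewall policy are constructed. It walks the Hub Transport (HT) through the ETRN request to the Edge (ET) and then shows the Edge opening a second, Edge-initiated connection to deliver the queue, which is exactly the connection a "block Edge to Hub" firewall rule would cut off.

```python
"""Toy model of the ETRN exchange defined in RFC 1985 (added example).

It shows that an ETRN issued by the Hub Transport (HT) only asks the Edge (ET)
to start a queue run; the mail itself arrives over a NEW connection that ET
opens toward HT, so HT must still accept inbound SMTP from the DMZ.
"""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Which connection directions the perimeter permits (constructed policy)."""
    allow_ht_to_et: bool = True
    allow_et_to_ht: bool = True

    def permits(self, src: str, dst: str) -> bool:
        if (src, dst) == ("HT", "ET"):
            return self.allow_ht_to_et
        if (src, dst) == ("ET", "HT"):
            return self.allow_et_to_ht
        raise ValueError(f"unknown path {src}->{dst}")


@dataclass
class Host:
    name: str
    queue: list = field(default_factory=list)   # mail waiting for delivery
    inbox: list = field(default_factory=list)   # mail received


def simulate_etrn(fw: Firewall, queued_mail: list) -> dict:
    """Run the ETRN exchange; return the transcript and where the mail ended up."""
    ht = Host("hub.internal.example")                       # constructed name
    et = Host("edge.dmz.example", queue=list(queued_mail))  # constructed name
    log = []

    def result():
        return {"log": log, "delivered": ht.inbox, "stranded": et.queue}

    # Phase 1: HT opens the connection, so HT is the SMTP client, ET the server.
    if not fw.permits("HT", "ET"):
        log.append("HT->ET connect BLOCKED")
        return result()
    log.append("HT->ET connect")
    log.append(f"C: EHLO {ht.name}")
    log.append(f"S: 250-{et.name}")
    log.append("S: 250 ETRN")
    log.append(f"C: ETRN {ht.name}")
    # Reply codes from RFC 1985 section 5: 250 = queue run started,
    # 251 = nothing waiting. Either way nothing is delivered over THIS session.
    if et.queue:
        log.append(f"S: 250 OK, queuing for node <{ht.name}> started")
    else:
        log.append(f"S: 251 OK, no messages waiting for node <{ht.name}>")
    log.append("C: QUIT")
    log.append("S: 221 closing connection")
    if not et.queue:
        return result()

    # Phase 2: ET opens a NEW connection toward HT. The roles swap: ET is now
    # the SMTP client and HT's SMTP *server* code parses whatever ET sends.
    if not fw.permits("ET", "HT"):
        log.append("ET->HT connect BLOCKED; queue stays on the Edge")
        return result()
    log.append("ET->HT connect")
    log.append(f"C: EHLO {et.name}")
    log.append(f"S: 250 {ht.name}")
    for msg in et.queue:
        log.append(f"C: MAIL FROM/RCPT TO/DATA for {msg}")
        log.append("S: 250 OK: queued")
        ht.inbox.append(msg)
    et.queue = []
    log.append("C: QUIT")
    return result()


def hub_accepted_inbound(run: dict) -> bool:
    """True when delivery required HT to accept a DMZ-initiated connection."""
    return "ET->HT connect" in run["log"]


if __name__ == "__main__":
    for policy in (Firewall(), Firewall(allow_et_to_ht=False)):
        run = simulate_etrn(policy, ["msg-1", "msg-2"])   # constructed mail
        print("\n".join(run["log"]))
        print("delivered:", run["delivered"], "stranded:", run["stranded"])
        print("HT accepted inbound from DMZ:", hub_accepted_inbound(run), "\n")
```

Running it with the default policy delivers both messages but only after the Edge connects inward; with `allow_et_to_ht=False` the ETRN still succeeds at the protocol level and the mail simply stays stranded on the Edge, which is the outcome the post predicts.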

This is the magical thinking: firewalls and a DMZ will protect my traffic. This is not true; firewalls and network zones are two components of a complete security plan. Neither firewalls nor network zones can protect legitimate traffic, nor are they designed to; they are designed to allow you to designate which traffic is legitimate. If you want to secure that traffic, you need to turn to other measures.

posted @ Thursday, June 26, 2008 8:18 PM | Feedback (1)
masteringdpm.com back online

Things got hairy enough last week that I forgot to post, but my hosting provider got the problem sorted out and the website is back online.

posted @ Monday, June 23, 2008 8:26 AM | Feedback (0)
masteringdpm.com temporarily down

If you've tried to get to masteringdpm.com in the past couple of days, you may have gotten a cryptic error message instead of a site with DPM goodness. I'm working with my hosting provider to get it put back up ASAP and will post again once it's back up.

posted @ Wednesday, June 18, 2008 11:43 AM | Feedback (0)
Tech-Talk: Making Backups Cool with DPM

While I was at the Tech-Ed NA IT Pro conference last week, Jason Buffington and I took the chance to invade the Tech-Ed Online fishbowl studio and record a quick Tech-Talk on using DPM. You can now view it online on the Tech-Ed IT Pro page and the Library page, or stream it directly. Now that Tech-Ed's over, maybe we'll both find the time to be on Xbox Live at the same time so we can continue our discussion in Call of Duty 4...

posted @ Wednesday, June 18, 2008 10:55 AM | Feedback (1)
Welcome, Mike Rand!

Just a quick shout-out to fellow 3Sharpie Mike Rand, who just posted his first post to the 3Sharp blog site last week. Mike's a super-smart developer here with mad SharePoint skills; I can't imagine why he hasn't blogged sooner than this, but I hope to see him posting more frequently! He's also pretty good at foosball.

posted @ Tuesday, June 17, 2008 12:46 PM | Feedback (1)
Updated Exchange Developer Roadmap

To reinforce yesterday's post about Exchange Web Services (EWS), I wanted to draw your attention to the Exchange Developer Roadmap posted on May 22 2008 on the Exchange API-spotting blog.

There shouldn't really be any surprises here, but there were a couple of items I wanted to highlight. First:

Given this commitment to Web services and our goal of making Exchange Web Services the richest developer interface for Exchange... (emphasis added)

Next:

Here's a preview of some of the functionality that we plan to add to the next release of Exchange Web Services:

  • Access to Folder Associated Items (FAI) and read/write access to user settings (Devin: this page in the MAPI reference indicates that FAIs are things like views and forms. I believe that this also fixes a known quirk of EWS that keeps you from creating Outlook-visible search folders that use certain property paths. I believe this also gives access to server-side rules, if they're not already accessible through a separate part of the API.)
  • Management of Personal Distribution Lists (Devin: very cool.)
  • Throttling capabilities that give Exchange administrators control over system resource consumption (Devin: this will be very nice for helping keep poorly written applications from taking down the Exchange servers.)
  • A powerful and easy-to-use server-to-server authentication model to enable building portals and enterprise mash-ups (Devin: let's hope this can ease some of the pain of building Exchange-aware SharePoint sites, at least those that don't require direct access to private mailbox content.)
  • An easy-to-use Microsoft .NET API that fully wraps the Web service calls, which makes Web service development even easier (Devin: I'll be interested in seeing how this stacks up against third-party offerings like the Independentsoft EWS client offering.)

Then they go on to list the APIs that will get removed (Exchange WebDAV, Store Events, CDO 3.0/CDOEx, and ExOLEDB) and moved to "extended support" (Exchange Server MAPI Client, CDO 1.2.1). Don't get too excited by the MAPI client -- it's not what you think:

Provides server applications a MAPI runtime for accessing Exchange.

Note: This is not the Outlook MAPI Client library that is included with Outlook.

and

Outlook's Exchange MAPI Store provider, available in the Outlook MAPI Client library can also be used to access an Exchange mailbox or public folder.

If you're going to start writing Exchange-aware applications, you should probably start looking at EWS first for future compatibility. If you're trying to support Exchange 2003 at the same time...good luck.

posted @ Tuesday, June 17, 2008 12:43 PM | Feedback (0)
A .NET add-on for working with Exchange Web Services

I just got word that Independentsoft has come out with a beta version of an EWS client API for the .NET Framework and .NET Compact Framework. I've not looked at it yet, but I'm particularly hopeful about having a good way to work with EWS from Windows Mobile devices.

Exchange Web Services (EWS), introduced in Exchange 2007 and enhanced in Exchange 2007 SP1, is Microsoft's preferred interface for all future programmatic reach into the Exchange store. While EWS is a Web service, it can be pretty complicated to work with. Luckily, we've done some work with EWS here at 3Sharp; Paul's been presenting some developer training sessions on EWS in partnership with Microsoft. We've found that Inside Microsoft Exchange Server 2007 Web Services has been a valuable reference on EWS.

One of the challenges for EWS development is that the schema and object model are pretty complex when compared with the typical Web service, enough so that you need to use special Visual Studio proxy classes when you use .NET to work with EWS. This, by the way, is very likely the cause of the compatibility issue I found between EWS and SharePoint Designer -- Designer's proxy classes aren't the EWS-aware ones.

posted @ Monday, June 16, 2008 11:10 AM | Feedback (0)
3Sharp, Podcasting, and You

The talented people at 3Sharp are one of the best reasons to work here. Our Platforms Group is just one piece of the pie here; we've got some top-tier development talent who can make SharePoint stand up and dance. Those guys down the hall have been working hard on a little surprise they like to call the Podcasting Kit for SharePoint, which Microsoft has just released on Codeplex as indicated in their press release. 3Sharpies John Peltonen, David Gerhardt, and Paul Robichaux are also blogging about it, so if you’re interested, check them out.

I've been hearing bits and pieces, but last week I got to sit down and take a good look at what they're doing. Wow. This is some cool stuff that is going to make sharing podcasts, video talks, and other knowledge sharing content a lot easier. I can't wait until I can start using it; I've already lined up some content that I can put up and I'm already thinking of some more I can do.

posted @ Monday, June 09, 2008 11:25 AM | Feedback (0)
All purchases should be this easy

If you haven't seen me in person recently, you may not realize I'm a heretic. Yes, that's right -- I use an Apple 15" MacBook Pro with Vista as my laptop. It took some jiggling to get it all working -- an upgrade to Leopard (OS X 10.5) for the final release of BootCamp, an upgrade to Vista SP1, and finding a stable version of the Atheros wireless drivers -- but it's now reliable and fast.

There are some downsides to this particular laptop. It only gives me 2GB of RAM, which means that I can't run a typical VM configuration (DC, DPM, Exchange) and still have enough power to run PowerPoint like I could under XP. The battery life is okay but not great; I run out on long flights.

I'm off to Tech-Ed this week, so I stopped by the Apple store in Bellevue Square Sunday to pick up a spare battery for the flight. I've had bad experiences at this store in the past; I don't give off the right vibe (or maybe I just look like a tightwad) and can't seem to get the attention of the staff. I took a chance, though, and walked in the store.

This time, my customer service experience was great. I caught the eye of Associate 1; although he was busy with another customer, he called for help; I didn't even see him do it. A minute later, Associate 2 walks up to me. "I understand you're looking for a 15" MacBook Pro battery." Pleasantly shocked, I followed him over to the appropriate shelf and soon had the battery in hand. "Is there anything else I can help you with, or are you ready to check out?"

If you've not been into an Apple store recently, they're doing something absolutely sweet. Each customer service associate has a hip-mounted scanner/cardreader. They scan your merchandise on the spot, take and run your credit card, and ask you for an email address to send the receipt to. Boom -- it's all done, your card is charged, and you don't have to stand in line at the counter unless you're doing cash or check. This is a great concept I'd love to see other stores use. My receipt hit my Exchange account (and thus my Windows Mobile phone) as I was walking out of the store.

I love living in the future.

posted @ Monday, June 09, 2008 10:45 AM | Feedback (1)
Revised guidance on protecting Exchange with DPM 2007

Just a quick note to let you all know that the Protecting Exchange Server with DPM 2007 white paper is available for download from Microsoft. This is the same white paper I worked on for them last year, but freshly revised to include more guidance around mailbox-level recovery.

I'll be giving a talk around this topic next week at Tech-Ed (IT Pro) in Orlando, session number MGT369. Hope to see you there! (Yes, this is the same talk I did at Exchange Connections in Orlando and in MMS in Vegas a month ago; it seems to be a popular session!)

posted @ Wednesday, June 04, 2008 12:36 PM | Feedback (0)
Hyper-V RC1 available

This is pretty cool -- I didn't even notice this at first! Hyper-V RC1 is now available for download through the Microsoft Download center or through Windows Update as an optional update. One of the nice changes here is that you now install the Hyper-V Integration Services on Windows 2008 guest machines the same way as any other operating system (before, you'd have to install the Hyper-V patch itself as a separate action).

That would be why my Windows Server 2008 machine wanted an extra reboot this afternoon...

posted @ Monday, June 02, 2008 7:01 PM | Feedback (0)
Three random links make a post

...so I'll throw in a fourth for good measure. Rather than try to write a full-length post about each of these, I'm just going to give you a quick bullet list:

posted @ Monday, June 02, 2008 2:28 PM | Feedback (0)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes. Please follow his personal blog at: Devin on Earth