Sunday, August 11, 2013

Exchange 2010 / 2007 - Setup and Deploy Outlook Anywhere

Problem


What used to be a fiddly job is now very simple: setting up Outlook Anywhere (formerly known as RPC over HTTP) takes about 10 minutes.



What is Outlook Anywhere?

This is a system that lets you connect Microsoft Outlook to your Exchange server over the web. This means you can connect to your email, calendaring, tasks etc. without the need for a VPN connection.



Solution

Outlook Anywhere with Exchange 2007 (Exchange 2010: skip to Step 1)

If you plan to deploy Outlook Anywhere with Exchange 2007, there is an additional step you need to carry out before you start. From Server Manager > Features > Add Features > add the 'RPC over HTTP Proxy' feature. (Note: you DON'T need to do this if you are running SBS 2008.)

Step 1 Configure Exchange

1. First we need to turn it on: from within the Exchange Management Console, expand Server Configuration > Client Access > select the server in the central pane > select "Enable Outlook Anywhere" in the action pane.



2. Enter the publicly addressable name of your Exchange server, for this example I'm using NTLM authentication > Enable.



Note: The external host name is the address that you would type into a browser to contact the Exchange server i.e. for Outlook Web Access http://mail.domaina.com/owa. This would mean the public name is mail.domaina.com. This name must be the Common Name (CN) on the Exchange server's digital certificate.



Exchange 2010 - Working with Certificates




3. Take heed of the information, nothing's going to work for 15 minutes (Even Exchange is telling you to apply the cup of coffee rule) > Go and have a hot milky beverage.



4. Look at the timestamps and the clocks: this one took 14 minutes (for once the dialog had it spot on!). You should see Event IDs 3007, 3003 and 3004 (all of these are normal), and finally,


5. Event ID 3006 > Outlook Anywhere is up and running on the server. (Note: you will NOT see this on an Exchange 2007 Server, see the second screenshot).

Note: To access from outside your network, the public name of the Exchange server (in this case mail.domain.com) needs TCP port 443 (HTTPS) open to it, or "port forwarded" to the Exchange server.



Note2: To work internally make sure that mail.domaina.com resolves to the INTERNAL IP address of the Exchange server.



6. You may also want to execute the following command. Particularly if you use SBS, which has a habit of setting remote.publicdomain.com as the default outside name.



Set-WebServicesVirtualDirectory -Identity 'EXCHANGE-MAIL\EWS (Default Web Site)' -ExternalUrl https://mail.domain.co.uk/ews/exchange.asmx



Step 2 Configure Outlook for Outlook Anywhere

1. In this example I'm using Outlook 2010 and the mail profile/account has NOT been set up. If you already have an account, edit it, select "More Settings" and jump to number 4.


Note: To support Outlook Anywhere you need a minimum of Outlook 2003 SP2

2. If you are setting up your Outlook client internally, the autodiscover service should fill in the details for you.


3. If it auto configures the settings for you, tick the box to manually configure server settings.


4. More Settings.

5. Connection Tab > Tick "Connect to Microsoft Exchange Server using HTTP" > Click "Exchange Proxy Settings".

6. Put in the URL (public name of Exchange - see step 1 number 2) > I'm using NTLM authentication; you may be using basic. If you don't know, check with your IT department, or try each one.

7. Security Tab > Ensure "Encrypt data between Microsoft Outlook and Microsoft Exchange" is selected.

8. Restart Outlook - you may be asked for your username and password again; this is normal.



 
 

Saturday, April 27, 2013

windows server 2003 set wallpaper for all users through GPO

I have tested the procedures below on my side. In order to set the uniform wallpaper for users, you can refer to the steps below:
1. Create an OU in the domain and put all the users that you want to set the wallpaper for into it.
2. Create a shared folder, grant Everyone Full Control permission on it, and put the wallpaper picture into this share.
3. Create a GPO and navigate to
User Configuration\Administrative Templates\Desktop\Active Desktop\Active Desktop Wallpaper
Set this item to Enabled and, in the wallpaper name field, enter the path to the share created in step 2, for example \\servername\share\picture.jpg
After finishing, click OK to confirm.

4. On the client PC, log on with a user account from the OU defined in step 1 to test the result.

How to use Group Policy to disable USB drives on Windows XP

There is also a registry key in Windows XP that allows you to block the use of USB storage devices. There are two ways to prevent USB storage devices from working, so you may want to implement either or both methods in your organisation. The first method blocks USB storage on computers that have already had USB devices installed, and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices


To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, type Start into the Value Name field and 4 into the Value Data field, and click OK.
If you want to prevent the installation of USB storage devices, then we use Group Policy to set the security on the driver files to prevent them from installing.
Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices


This time, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on the “Action” menu and then “Add File”. Navigate to C:\Windows\Inf, select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab, tick the “Deny” box for “Full Control”, then click OK.
Note: Alternatively, you could just add the name of the user or group you want to prevent from using USB storage devices.
Click “Yes” to the security warning.
Then click OK.
Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don’t need to worry about inheritance from this object.
Now repeat the steps above and this time select “C:\Windows\Inf\Usbstor.pnf”
You should see something like the images below in your group policy.
Now, either way, when users plug a USB storage device into a computer, the OS is prevented from seeing the device, which stops users from reading and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732

Monday, April 22, 2013

Unexpected Error 0x8ffe2740 when starting FTP or IIS

Another one of Microsoft’s descriptive errors is 0x8ffe2740 when trying to start an FTP or Web Server from the IIS Administration module. The error itself means that there is a port conflict with another service. This is a relatively easy diagnosis, as you should already know what ports your ftp or web servers use.

Use the netstat command in the command console to find out what program is using a particular TCP port. Replace the ## with the port you wish to test. This works on Windows Server 2003 and 2008.
netstat -anop TCP | find ":##"
The above command will return a PID (process ID). You will need to match that to a running program or service. Type the following command:
tasklist /SVC /FI "PID eq ####"
Here is an example using port 21. In this example you can see the “ftpsvc” service is using port 21 through svchost.exe – which is normal. In a client’s machine, it was MSUpdate2.exe that was using port 21 – a piece of malware using an FTP server to serve pirated movies!
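The two lookups above can be combined into one step. The following is an added example, not part of the original post: it parses saved output of netstat and of tasklist /SVC /FO CSV and matches the port exactly, whereas find ":21" also matches ":2121". The sample output, PIDs and the name updater.exe are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano -p TCP` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       2208
  TCP    192.0.2.10:3389        198.51.100.7:50112     ESTABLISHED     1020
"""

# Constructed sample of `tasklist /SVC /FO CSV` output.
SAMPLE_TASKLIST = '''\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","1020","TermService"
"svchost.exe","1432","ftpsvc"
"updater.exe","2208","N/A"
'''


def parse_listeners(netstat_text):
    """Return {port: pid} for every TCP socket in the LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # Take the text after the last colon so the port is compared exactly.
        port = int(fields[1].rpartition(":")[2])
        listeners.setdefault(port, int(fields[4]))
    return listeners


def parse_tasklist(csv_text):
    """Return {pid: (image_name, [services])} from CSV-formatted tasklist output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Services"]
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs


def who_owns_port(port, netstat_text, tasklist_text):
    """Name the process listening on `port`, or return None if nothing is."""
    pid = parse_listeners(netstat_text).get(port)
    if pid is None:
        return None
    image, services = parse_tasklist(tasklist_text).get(pid, ("<unknown>", []))
    return {"port": port, "pid": pid, "image": image, "services": services}


if __name__ == "__main__":
    for p in (21, 2121, 8080):
        print(p, who_owns_port(p, SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

A listener that maps to a standalone executable with no service behind it, as on port 2121 in the sample, is the kind of result worth a closer look.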


Migrating websites from IIS6 to IIS7

Below are the steps required to move a website hosted on IIS6 to IIS7 (Internet Information Services 6 to 7). IIS7 replaces the aging metabase with a more convenient applicationHost.config which stores the configuration in XML.
There are two versions of MS Deploy, the program needed to migrate. Download the 32bit version here, and the x64 version here.
Installing MS Deploy on the Source IIS6 Server
1.       You must have .NET Framework 2.0 SP1 or 3.5 installed on the server.
2.       Download the file and open it. Choose Setup Type: Typical. Be sure to use the x64 version if you have Windows 2003 x64. There is no entry in the Start Menu; you need to start the program through the command prompt. C:\Program Files\Microsoft Web Deploy\msdeploy followed by the command.
Installing MS Deploy on the Destination IIS7 Server
1.       Same as above. Be sure to use the x64 version if you have Windows 2008 x64.
Create a Backup of the IIS7 configuration
It is important to create a backup of the IIS7 configuration before you start. You never know when you’ll make a mistake, and restoring IIS to the default configuration without a backup isn’t fun.
IIS7 comes with the appcmd.exe command line tool, which is new for IIS7, and simplifies configuration backups immensely. It is located in the %windir%\system32\inetsrv\ folder, which isn’t in the path variables, so you’ll need to navigate to that path with the command prompt first.
1.       Click Start -> Run -> type “cmd” and press OK.
2.       At the command prompt, navigate to the %windir%\system32\inetsrv\ folder. (type “cd \” and then “cd C:\Windows\system32\inetsrv” if windows is in the default path)
3.       Once in the target directory, type: appcmd add backup "BackupPreMigrate"
4.       Press Enter. All done.
5.       To display a list of previous backups type: appcmd list backup
6.       To restore a backup, type: appcmd restore backup "BackupPreMigrate"
Verify Dependencies on Source IIS6 Server
Below is a screenshot of all the variables supported by the migrate tool. All instructions below assume you are in the C:\Program Files\Microsoft Web Deploy\ directory at the command prompt.
1.     At the command prompt (in the C:\Program Files\Microsoft Web Deploy\ directory), type:
msdeploy -verb:getDependencies -source:metakey=lm/w3svc/#siteidentifier
The list that is returned is fairly comprehensive as to what components are installed and available for use on the particular website. It does not, however, distinguish which components are actually in use.
Installing Required Components on Destination IIS7 Server
From the dependency list you can determine which roles need to be installed on the destination IIS7 Server. Any dependencies listed in the XML file that is saved during the migration will need to be installed on the destination server or else the migration will not complete. You can remove dependencies beforehand or from within the XML file found in the backup directory after the sync command.
Migrate Website
  • On the source IIS6 Server type:
msdeploy -verb:sync -source:metakey=lm/w3svc/#siteidentifier -dest:archivedir=c:\backup_name
Move the backup folder (c:\backup_name) to the destination server, or if on a network simply backup to the final destination on the IIS7 server or SAN.
  • On the destination IIS7 Server type:
msdeploy -verb:migrate -source:archivedir=c:\backup_name -dest:metakey=lm/w3svc/#siteidentifier
After Migration

After the migration is complete, some elements will need to be re-configured. PHP, ASP.NET Ajax and others will need to be configured independently of the IIS migration to match the source server’s settings.

Hacking the Trend Micro Security Dashboard for SMB: Reset the Password

Trend Micro’s Client Server Security for SMB is a well-designed security solution for small businesses. One of its greatest features is the ability to be deployed, updated, and controlled via the local network. With the push of a button you can scan all networked computers, increase security, send messages or print reports.
I’ve recently taken over the role of administrator for a company and unfortunately the Trend Micro passwords were lost.
Fear not, there is a simple method to resetting the password (too easy?)
1.       Navigate to: \Program Files\Trend Micro\security server(officescan)\private
2.       Open ofcserver.ini in Notepad
3.       Press CTRL-F to search for: master_pwd
4.       Once found, the string should look similar to: master_pwd=!CRYPT!xxxxx
5.       xxxxx is representative of a long string of hex characters making up an encrypted password
6.       In place of !CRYPT!xxxxx put "70" so it will look like: master_pwd=70
7.       70 is the hexadecimal value for "1"
8.       Save the file
9.       Press Start -> Run -> Type: services.msc and press enter
10.    Find “Trend Micro Security Server Master Service” and restart the service
11.    Log in to the Trend Micro Security Dashboard with the password as "1" without the quotations

12.    The default URL for the dashboard is: https://IPADDRESS:4343/officescan/default_SMB.htm
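Because anyone who can write to ofcserver.ini can reset the console password this way, the file is worth monitoring. The check below is an added example, not Trend Micro's code or the original post's: it flags a master_pwd value that is no longer in !CRYPT! form, or that differs from a recorded baseline. The sample hex strings are constructed, and only the master_pwd key and the !CRYPT! prefix come from the steps above.

```python
import hashlib

CRYPT_PREFIX = "!CRYPT!"
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed ofcserver.ini fragments; the hex strings are made up.
BASELINE_INI = "master_pwd=!CRYPT!3FA9C2D47B10\n"
TAMPERED_INI = "master_pwd=70\n"
ROTATED_INI = "master_pwd=!CRYPT!88E1A0B35C6F\n"


def read_master_pwd(ini_text):
    """Return the raw master_pwd value, or None when the key is absent."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue  # skip INI comment lines
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "master_pwd":
            return value.strip()
    return None


def fingerprint(value):
    """Hash the stored value so the baseline never holds the value itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def audit_master_pwd(ini_text, baseline_fingerprint=None):
    """Return a list of findings; an empty list means nothing to report."""
    value = read_master_pwd(ini_text)
    if value is None:
        return ["master_pwd key is missing"]
    findings = []
    body = value[len(CRYPT_PREFIX):]
    well_formed = (value.startswith(CRYPT_PREFIX)
                   and body != ""
                   and all(c in HEX_DIGITS for c in body))
    if not well_formed:
        findings.append("master_pwd is not a !CRYPT! hex value")
    if baseline_fingerprint and fingerprint(value) != baseline_fingerprint:
        findings.append("master_pwd changed since baseline")
    return findings


if __name__ == "__main__":
    baseline = fingerprint(read_master_pwd(BASELINE_INI))
    for name, text in (("baseline", BASELINE_INI),
                       ("tampered", TAMPERED_INI),
                       ("rotated", ROTATED_INI)):
        print(name, audit_master_pwd(text, baseline))
```

A legitimate password change through the console also changes the stored value, so the second finding is a prompt to confirm the change was expected rather than proof of tampering.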

Free way to block Facebook or other Websites?

Not all companies have programs or licences for content filtering on their networks. It is arguably worth the $10-$60 per employee/year to licence a content filtering package in terms of increased productivity. What is difficult is selling the idea of spending a large chunk of money to management, especially in this economy. I would imagine a large number of companies can pinpoint their bandwidth and productivity problems to 10 or fewer websites. Facebook, Myspace, Youtube, etc…
Below is a logon script for Windows that will analyze the user’s hosts file and modify it accordingly to block Facebook or any other website you wish. It simply redirects to 127.0.0.1 (home).
' Logon script: add a hosts-file entry that points a site at 127.0.0.1.
Option Explicit
Dim objFSO, objShell, objTextFile, hostsFile, strIP, strValue, strLine, blnFound
Const ForReading = 1
Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
hostsFile = objShell.ExpandEnvironmentStrings("%SystemRoot%") & "\system32\drivers\etc\hosts"
strIP = "127.0.0.1"
strValue = "facebook.com"

' No hosts file yet: create one with the localhost entry plus the block entry.
If Not objFSO.FileExists(hostsFile) Then
 Set objTextFile = objFSO.CreateTextFile(hostsFile, True)
 objTextFile.WriteLine "127.0.0.1       localhost"
 objTextFile.WriteLine strIP & " " & strValue
 objTextFile.Close
 WScript.Quit
End If

' Look for an existing line that already maps the site to the block address.
blnFound = False
Set objTextFile = objFSO.OpenTextFile(hostsFile, ForReading)
Do Until objTextFile.AtEndOfStream
 strLine = Trim(objTextFile.ReadLine)
 If InStr(strLine, strIP) > 0 And InStr(strLine, strValue) > 0 Then
  blnFound = True
 End If
Loop
objTextFile.Close

' Append the entry only when it is missing, so repeated logons do not duplicate it.
If Not blnFound Then
 Set objTextFile = objFSO.OpenTextFile(hostsFile, ForAppending)
 objTextFile.WriteLine vbCrLf & strIP & " " & strValue
 objTextFile.Close
End If
Another alternative is to block the IP address of the website using rules on your gateway firewall (Windows or router). The problem with this method is many of the larger sites have multiple IP addresses and adding block lines for each is tedious work. You can block entire ranges of IP addresses. Example: Adding 69.63.0.0/16 would block 69.63.0.0 – 69.63.255.255 (65,536 total addresses – 16bit block). Be careful though, some “good” websites may be in the ranges you block, but in a pinch, it does the job.

Finally, Untangle is an open source gateway that can be run on Windows or on its own dedicated server. It includes content filtering in addition to a multitude of other features. Try it out.

Block IP Addresses using IP Security Policy in Windows Server 2003

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.
As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services with only one motion? This is where the IP Security Policy Management snap-in comes in handy.
Configure the IP Security Policy to block your first IP address
1.       Click “Start” and “Run” – type “MMC” and press OK.
2.       In the MMC, click “File” and “Add/Remove Snap In.”
3.       In the “Standalone” tab, click “Add.”
4.       Select “IP Security Policy Management” and click “Add.”
5.       Select “Local Computer” and click “Finish.”
6.       Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
7.       Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
8.       Click “Next.”
9.       Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
10.    Leave “Activate the default response rule” checked. Click “Next.”
11.    Leave “Active Directory default (Kerberos)” checked. Click “Next.”
12.    Leave “Edit properties” checked. Click “Finish.”
13.    The Properties box should be open.
14.    To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
15.    Click “Next” when the “Create IP Security Rule” wizard opens.
16.    Leave “This rule does not specify a tunnel” checked. Click “Next.”
17.    Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
18.    You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
19.    Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
20.    The “IP Filter Wizard” will pop up. Click “Next.”
21.    This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
22.    Keep “Source Address” as “My IP Address” and click “Next.”
23.    Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
24.    Enter in the IP address in the fields below and click “Next.”
25.    Under “select protocol type” choose “Any” (means “All”) unless you specifically want to block from RDP (Remote Desktop), TCP or UDP, etc. Click “Next.”
26.    Click “Finish.”
27.    Now that you are back to the “IP Filter List” click “OK.”
28.    You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
29.    You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
30.    In the “IP Security Filter Action” wizard, click “Next.”
31.    Select a name (ex. Block all Packets) and click “Next.”
32.    Select “Block” for the filter action behavior. Click “Next.”
33.    Click “Finish.”
34.    You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
35.    Click “Finish.”
36.    You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
37.    Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”
To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.
To Block Additional IP Addresses
1.       Enter the IP Block List snap-in you saved.
2.       In the right-hand pane double-click your IP Block List.
3.       Under “IP Filter List” select the newly created “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
4.       Under “IP Filter Lists” select your “Blocked IP List” (not All ICMP or IP Traffic) and click “Edit.”
5.       You are now in the “Add IP wizard” area. You will see the first IP address you blocked in a listing under “IP Filters.” Click “Add.”
6.       Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.
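The same policy can be built from the command line with netsh ipsec static, which ships with Windows Server 2003. The generator below is an added example, not part of the original walkthrough: it validates each address before emitting the commands and refuses the "block all IPs" mistake warned about in step 23. The policy, filter list and filter action names are the ones used above; the rule name, the policy description and the address 203.0.113.5 are assumptions made for illustration.

```python
import ipaddress

# Names follow the examples used in the walkthrough; RULE is a hypothetical name.
POLICY = "IP Block List"
FILTER_LIST = "Blocked IP List"
FILTER_ACTION = "Block all Packets"
RULE = "Block listed addresses"


def filter_command(target):
    """Return the netsh line for one mirrored block filter (steps 21 to 25)."""
    # strict=True rejects typos such as 69.63.1.0/16 (host bits set).
    net = ipaddress.ip_network(target.strip(), strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only: " + target)
    if net.prefixlen == 0:
        raise ValueError("refusing 0.0.0.0/0: it would block all IPs")
    return ('netsh ipsec static add filter filterlist="%s" srcaddr=Me '
            'dstaddr=%s dstmask=%s description="%s" protocol=ANY mirrored=yes'
            % (FILTER_LIST, net.network_address, net.netmask, net))


def build_block_script(targets):
    """Return the full command list: policy, filters, block action, rule, assign."""
    filters = []
    for target in targets:
        cmd = filter_command(target)
        if cmd not in filters:  # drop duplicate entries
            filters.append(cmd)
    if not filters:
        raise ValueError("nothing to block")
    return (
        ['netsh ipsec static add policy name="%s" description="Blocked addresses"' % POLICY,
         'netsh ipsec static add filterlist name="%s"' % FILTER_LIST]
        + filters
        + ['netsh ipsec static add filteraction name="%s" action=block' % FILTER_ACTION,
           'netsh ipsec static add rule name="%s" policy="%s" filterlist="%s" filteraction="%s"'
           % (RULE, POLICY, FILTER_LIST, FILTER_ACTION),
           'netsh ipsec static set policy name="%s" assign=y' % POLICY]
    )


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address; 69.63.0.0/16 is the range from the post.
    for line in build_block_script(["203.0.113.5", "69.63.0.0/16"]):
        print(line)
```

Review the generated lines before running them on the server; netsh ipsec static add filter ? prints the accepted parameters on the target system.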

Windows XP shuts down after login – PC-OFF.BAT

The PC-OFF.BAT virus loads a shutdown script when logging onto Windows XP. A few seconds after logging in, Windows will shut down. This also affects safe mode. The countdown timer is set to only a few seconds, not allowing the user to enter “shutdown -a” in the run box. You may not even see the emergency shutdown dialog before you are automatically shut down.

In order to remove the files, you’ll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.
Remove the files from your hard drive using the Windows XP CD
1.       Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
2.       When the “Welcome to Setup” screen appears, press “R.”
3.       Select the installation you wish to access (there should be only one option for most systems).
4.       Enter the administrator password when asked.
5.       Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
6.       Press ENTER after typing the following command: del bar311.exe
7.       Press ENTER after typing the following command: del password_viewer.exe
8.       Press ENTER after typing the following command: del photo.zip.exe
9.       Press ENTER after typing the following command: del pc-off.bat
10.    Press ENTER after typing the following command: exit
11.    Remove the Windows XP disc and restart your computer.
Once pc-off.bat is removed from the Windows directory, you’ll be able to logon to Windows without it shutting down immediately. There are still remnants left over in the registry though – best to clean those up.
1.       Go to Start -> Run and type “regedit” and press ENTER.
2.       Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the key: “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe” where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
3.       Delete bar311.exe, photo.zip.exe or password_viewer.exe from the key, but be sure to leave userinit.exe! If you delete that, you will be unable to logon to Windows.
4.       Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following key values: “Hidden=dword:00000001 (1)” “HideFileExt=Dword:00000000 (0)” “ShowSuperHidden=Dword:00000001 (1)”
5.       Go to HKEY_CURRENT_USER\software\microsoft\Command Processor and find the key: “autorun=c:\windows\pc-off.bat” and remove “c:\windows\pc-off.bat”
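The two registry values edited above can be checked the same way on any machine. This is an added example, not part of the original post: it takes the Userinit and AutoRun strings (for instance from a registry export), lists anything launched besides userinit.exe, and produces the cleaned Userinit value while refusing to return one without userinit.exe. It assumes Windows is installed in C:\WINDOWS, as in the value quoted in step 2.

```python
import ntpath

# Assumes Windows is installed in C:\WINDOWS, as in the value quoted in the post.
EXPECTED_USERINIT = ntpath.normcase(r"C:\WINDOWS\system32\userinit.exe")

# Values as quoted in the post (bar311.exe variant).
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,bar311.exe"
INFECTED_AUTORUN = r"c:\windows\pc-off.bat"


def _norm(path):
    """Case-insensitive, separator-insensitive form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def split_userinit(value):
    """Split a Winlogon Userinit value into (legitimate, extra) entries."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    legit = [e for e in entries if _norm(e) == EXPECTED_USERINIT]
    extras = [e for e in entries if _norm(e) != EXPECTED_USERINIT]
    return legit, extras


def cleaned_userinit(value):
    """Return the value with only userinit.exe left in it."""
    legit, _ = split_userinit(value)
    if not legit:
        # Saving a value without userinit.exe would make logon impossible.
        raise ValueError("userinit.exe is missing; restore it before saving")
    # The stock Windows XP value ends with a trailing comma.
    return legit[0] + ","


def audit_logon_values(userinit, autorun=""):
    """Return findings for the Userinit and Command Processor AutoRun values."""
    findings = []
    legit, extras = split_userinit(userinit)
    if not legit:
        findings.append("Userinit does not start userinit.exe")
    for entry in extras:
        findings.append("Userinit also launches: " + entry)
    if autorun.strip():
        findings.append("Command Processor AutoRun is set: " + autorun.strip())
    return findings


if __name__ == "__main__":
    for finding in audit_logon_values(INFECTED_USERINIT, INFECTED_AUTORUN):
        print(finding)
    print("cleaned:", cleaned_userinit(INFECTED_USERINIT))
```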