Day Two at the Microsoft IT Forum

So, day two of the MSFT IT Forum here in Copenhagen is almost at an end. I’ve had a very enjoyable and intuitive day today, the highlights of which were an excellent (and very popular) “Guerilla Security: Securing Exchange 2000 and 2003 Infrastructures” session, superbly presented by Fred Baumhardt and Rab Thynne (Microsoft UK Consultants), which I attended this afternoon, and the 3 hour(!) upgrade from Exchange 5.5 to Exchange 2003 lab that I completed during the morning. It went really well for such a long lab, and was well worth the time.

Points of note from the Guerilla Security session…

There were a few comparisons made between IT security, DMZs and so on, and real-life threats and situations… The DMZ or ‘no man’s land’ between North and South Korea, and what would happen to folks who happened to find themselves in that specific area should the two countries come to blows, being one example! I think we understood!

The first fifteen minutes or so were spent ripping RPC apart… Swiss cheese, and more Swiss cheese, was the message, which I don’t need to tell you, of course, is due to the number of ports that need to be opened to allow RPC comms to work. This then led on to the different options that are available when it comes to implementing a Front End (FE) / Back End (BE) solution, and more especially where the FE server is located. Don’t just put the FE server in a DMZ and ‘write it off’, i.e. expect it to be compromised at some point in its life; there are other alternatives. There is no perfect or preferred solution, however, as each comes with a potential trade-off. The use of an application firewall such as ISA was recommended (it doesn’t have to be ISA, though); this enables the FE server to be placed on the internal network, with the ISA performing the authentication and proxying. (There's some more info about this in this ppt.) The use of VLANs for the BE, GC etc. was also pushed.
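
To put a number on the Swiss cheese point, here is an added example (not from the session or the original post) that counts how many internal TCP ports a DMZ host can reach under each FE placement. The host names and both rule sets are constructed assumptions; substitute your own inner-firewall rules.

```python
from collections import defaultdict

# Constructed inner-firewall rules: (source, destination, (first_port, last_port)), TCP only.
# Host names and the exact port lists are assumptions for illustration.
FE_IN_DMZ = [
    ("dmz-fe", "be-exchange", (80, 80)),     # HTTP proxied to the back end
    ("dmz-fe", "dc-gc", (88, 88)),           # Kerberos
    ("dmz-fe", "dc-gc", (389, 389)),         # LDAP
    ("dmz-fe", "dc-gc", (3268, 3268)),       # global catalog
    ("dmz-fe", "dc-gc", (135, 135)),         # RPC endpoint mapper
    ("dmz-fe", "dc-gc", (1024, 65535)),      # RPC dynamic ports (unrestricted range)
]
FE_INTERNAL = [
    # Application firewall in the DMZ authenticates and proxies to an internal FE.
    ("dmz-proxy", "internal-fe", (443, 443)),
]


def exposed_ports(rules):
    """Map each internal destination to the set of TCP ports reachable from the DMZ."""
    reach = defaultdict(set)
    for _src, dst, (lo, hi) in rules:
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi} for {dst}")
        reach[dst].update(range(lo, hi + 1))  # a set, so overlapping rules count once
    return reach


def exposure(rules):
    """Total number of (destination, port) pairs the rule set opens."""
    return sum(len(ports) for ports in exposed_ports(rules).values())


def wide_rules(rules, max_span=16):
    """Rules opening more than max_span ports: the holes worth reviewing first."""
    return [r for r in rules if r[2][1] - r[2][0] + 1 > max_span]


if __name__ == "__main__":
    for name, rules in (("FE in DMZ", FE_IN_DMZ),
                        ("FE internal behind proxy", FE_INTERNAL)):
        print(f"{name}: {exposure(rules)} internal ports reachable, "
              f"{len(wide_rules(rules))} wide rule(s)")
```
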

The number of VPNs being implemented by companies who have adopted Windows and Exchange 2003 and are using RPC over HTTP has reduced by ‘90%’.

Segmenting the FE and BE servers in different OUs is recommended.

With Exchange 2003 on a FE server it is straightforward to disable the Information Store service, even when running an anti-virus application, as the dependency which exists with VSAPI v2 has been removed with VSAPI v2.5.

Version 1.2 of the Microsoft Baseline Security Analyzer scans both Windows and Exchange.

The need to disable unnecessary services and protocols was also made very clear. Of course, Windows 2003 comes with over 20 of the potentially not required services turned off ‘out of the box.’

Clients must be properly maintained and protected. There is a serious virus threat with clients connecting via VPN or RPC publishing… their anti-virus IDEs should be fully updated, and OSes patched.

Active Directory and group policies should be used to assist with the hardening of your servers.

Make sure that the domain controllers are hardened too… Exchange will not be happy if the DCs aren't around!

(right I need to sit down… I’ve been standing here for an hour… whinge… I guess I should have brought the laptop, or ordered the tablet, as chairs have been provided for those folks in the wireless work areas!)

Chris Meirick on November 12, 2003 at 10:16 AM in News

Comments

I have three locations called A (a.t.com), B (b.t.com), C (c.t.com) and I have Exchange Server 2003 installed on my DC, and the DC (T.com) is in the same subnet as domain A.

A is connected to B through ISDN and to C through dial-up (demand dial). I am able to send emails from A to B and C, but A is not routing emails between C and B, i.e. I am not able to send emails from C to B. all the connectors and default and no routing group is present. All configuration is default.
Please reply to this question...

Posted by: Mudasir at Jan 31, 2005 9:33:03 PM

I am using Exchange 2003 and I try to defrag the Exchange database using
eseutil /d /p /t but it doesn't work and
the error is

"Unable to find the callback library jcb.dll (or one of its dependencies).
Copy in the file and hit OK to retry, or hit Cancel to abort".

Is there anyone who knows why it happens? Please help.

Posted by: tatok at Jun 21, 2005 4:10:06 PM

Problems with Exmerge on new system!

Scenario:
Installed Windows 2003 Server, Microsoft Exchange 2003 correctly and everything is working perfectly.

Problem:
I'm trying to back up the settings and everything with Exmerge to make sure I'll be able to do the same to my Exchange 5.5 Server computer so that I may import the information to my new PDC. When entering the name of my domain I receive this error:
The specified server 'CONTOSO.COM' is inaccessible. It is not an Exchange Server or a domain controller is unavailable or you do not have the necessary rights to access this server or the LDAP port specified in incorrect.

I used the LDP tool to find out my port information and it's correct. My server is to an Exchange Server and the domain controller is available because I could log in and out of user accounts from computers over the network.

I also changed the permissions entitled in an article for exmerge permission errors. Which I haven't received because
I can't connect to the domain.

What could be the situation?

Posted by: Blue at Nov 24, 2005 11:07:15 AM

I want to configure MS Exchange 2003. Now we have a mail server in the US, and we have to access mails through our MS Exchange. Now we have installed a server and installed Windows 2003 SBS;
now it works as a domain controller. I think we have to use additional software like POPBEAMER. Give me a solution.
A POP3 puller is required. Please help me with how to configure it.


pramod
india

Posted by: pramod at Oct 17, 2006 12:37:32 AM

How will I configure Exchange 2003 to route mails through a dialup connection?

Posted by: Satyajeet at Dec 21, 2006 4:32:56 AM