I started looking for server side applications that I could install and just have the admin pull the data from there, however, the costs I was finding were a bit too much.  I setup a pfSense in a quick lab to demo this up.  After installing pfSense on some old hardware, did a basic configuration of the box, and then installed the Squid proxy package.  I configured this to be a traditional proxy where I had to send traffic on a specific port, and the user was required to login.  That was really the trick to get the terminal server users broken apart.  I know it could probably use a little masaging with NTLM authentication or some other clean mechanism but for the lab and the purposes of this client, this hit the mark for a great price.

I did mention that they did not want to install new hardware during this process, but the knew they needed to upgrade their Linksys “router” that was currently firewalling their network.  I am once again impressed with the flexibility and ease of use that pfSense gives you.  I truly only have 1 complaint about the system at all but it has nothing to do with this and as I understand it, that feature has been added in pfSense 2.0.  The management of OpenVPN clients/certificates is somewhat of a nightmare for large installs unless you use a single certificate for all users (not recommended).

Desktop Antivirus / AntiSpyware

At work my company has standardized on NOD32 from ESET.  I had never herd of the company until I started at my current position about a year and a half ago and now, I rarely use anything but NOD32.  They have a couple of editions but I’m only familiar with ESET NOD32 AV v2.6 and v3.0.  So far I have not had a single problem with virii or spyware (except for a few hacking/cracking tools that I use on occasion).

If I’m not using or recommending NOD32 for home / client computers I go with AVG.  AVG AntiVirus 8.0, the newest version from AVG covers pretty much everything you would need from an AntiVirus / AntiSpyware software suite.  They even have a free edition that can be found here for home computers that only need basic protection.  If your on a budget, AVG Free Edition is for you.  Again, so far, with my use of AVG Antivirus, I have not had a single problem.

Safe Internet Browsing

This is a huge deal when it comes to keeping your computer safe.  Sometimes it doesn’t involve any software at all.  Just some intelligence and PG13 level surfing (no porn or online gambling allowed!!).  However, because of my ADHD and endless appetite for information, even I run across some potentially bad websites.

To combat this I use OpenDNS.  I’ve done a blog post on them a while back.  Search at the right if you are interested but I’ll cover a few points to OpenDNS here.  First of all, OpenDNS is cool.  Second, OpenDNS is free.  Now that I got those two things out of the way, I’ll explain it a bit.  OpenDNS is a free DNS service that you point your network DNS servers, clients, etc towards and you instantly get a bit better service.  If you go to the website and create an account and then register your IP address there, you can have settings specified that would prevent people from surfing websites that fall within a specific category.  Below is what I have mine set to.

The moderate setting includes blocking of Adaware, Alochol, Dating, Drugs, Gambling, Hate/Discrimination, Weapons, Tasteless, Lingerie/Bikini, Proxy/Anonymizer, Sexuality, Nudity, Pornography, and Phishing.  The last one is especially cool because it uses the phishing database PhishTank, which is THE defacto standard in phishing databases…well at least I believe so.

Desktop and Network Firewalls

As much as I should use a desktop firewall, I don’t.  It hinders my ability to do network scans, attach to different networks, open up shares on my computer remotely, test software, etc.  But, do what I say and not what I do.  If you have no reason not to use one…then do so.  The built in Windows Firewall is fine but if you need to feel a little safer at night, I recommend ZoneAlarm.  It has both high reviewes in the major computer magazines and is recommended by the security research group Gibson Research Corp.

My home network firewall is pfSense, a free open source, fully featured firewall that I have installed on an old workstation with two network interfaces.  Visit the website for a full list of features.  Other firewall’s that I would recommend would be the Cisco PIX or ASA, m0n0wall, and any Linux distribution running iptables.  It’s not that these are the only secure options out there but rather I only have extensive experience in this small list.

SPAM Protection

This cannot be stressed enough…  Never use an email address without a **GREAT** SPAM filter.  For personal use, grab a free GMail account.  For corporate use get a Barracuda SPAM firewall, use Postini or build your own SPAM filter based on SpamAssassin.  For the DIY I recommend Maia Mailguard.  The reason for this is quite simple, spyware and virii can be transmitted quite easily through email.  If you are not protected, you are asking for trouble.

Defense in Depth

Although all of my recomendations, in my option, are good ones..not a single one of them guarantees that you will not get infected.  Things like zero day attacks, trojans, virii, spyware, adaware, malware, etc are not always easily detected and therefore may hit a large number of computers over a short period of time without the security companies knowledge.  However, with the use of all of them together, you now have the tools for a fighting chance and with any luck, you’ll be virus free.

Hopefully you’ll take my advice on one or more of the above topics and have a safer more enjoyable time on the internet.

Extras!!

Here are a few extra tools that I did not fit in.

ESET Online Scanner | TrendMicro House Call | TrendMicro HijackThis | Symantec Removal Tools

I’m looking at one of the higher end HP or Dell’s running Vista Ultimate with a dual monitor setup for home.  I have dual monitors at work and it gets pretty hard to get all the work I want to get done at home when I only have a single 17″ flat panel.  Pretty low tech if you ask me.

For those of you who do donate, thank you very much.  I appreciate it.  For those of you who don’t, I won’t hold any grudges.

Well, this computer took up more than a few hours of my time as well as another associate of mine.  The computer no matter what we did would not syncronize files during the logon process even thought the little checkbox was checked to do so.  As it turns out, Dell has some sort of security suite that they are deploying with all the laptops now with the name of WavXDocMgr.  This was the culprit of the syncronization issue.  We took this out of MSCONFIG as a startup process and the problem was solved.  As this was not the answer but rather a workaround, we have started talking with Dell but as of yet have not found a fix for the issue so I thought I would share.

So lets use the command to find more about our Exchange queues (Exchange 2007 Server).

Get-Command *queue*

Which will return a list of commands that you can run from PowerShell like Get-Queue, Retry-Queue, and Suspend-Queue.

Now lets try something to do with Active Directory.  Try this command.

Get-Command *User*

It’ll return a boatload of commands but you can see a few that might be useful like New-ADUser and New-ADGroup.

Hopefully this will shine some light on the still fairly new (feeling) command line power of Microsoft’s Operating Systems.

Open regedit and find the key

HKLM\SYSTEM|CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Now for SSL 2.0 you will want to create a new DWORD value named Enabled with a data value of 0 in Hex in both the client and server subkeys.  This will disable the ability for the server to use or allow the use of SSLv2 during the use of SSL.  You can also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“Enabled”=dword:00000000

Again with this one, Nessus will find the vulnerability fairly easy so their is almost no reason to have it running. Nessus’ vulnerability will be displayed as “Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.”

NOTE: This change may break clients/servers/applications so I take no responsibility for YOUR actions.

This piece is on restricting weak ciphers within your SSL certificates.  Nessus and some other security auditing tools will detect this one with ease so there’s really no good excuse not to lock it down.  Basically what we are going to do is remove the ability for web clients (IE, Firefox, Safari, Opera, etc) connect to the web server with anything but 128 bit or greater SSL encryption.  This just sounds like a good deal anyway if you as me.

An example of a weak cipher is like I mentioned above, anything less that 128 bit encryption.  There are about a dozen methods of encryption from SSL_RSA_EXPORT1024_WITH_RC4_56_SHA to SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5.  Yes I know that sounds cryptic and it really is (pun intended).  So what we need to do is scan the host first.  You can use Tenable Nessus or your choice of scanning utility but we want to see what it comes up with.  Chances are if you were diligent during the setup of the server, you may not have to do this but if your the other 95% out there, then you will need to do the following.

Open "regedit" and find the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.

This will have a number of other subkeys below it.  Next we will want to disable anything that has a number less than 128 in it.  I.E. RC2 40/128 we will disable but RC2 128/128 we will not.  Clear as mud?  To disable the cipher click on the subkey that you want to disable and create a new DWORD value named Enabled.  In the value data keep it 0 in Hex.  This will disable the cipher from being able to run.  You could also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
“Enabled”=dword:00000000

I would do this for RC2 40/128.  RC4 40/128 and RC4 56/128.  I feel better already.  Hopefully you will too after you get this done on your website.

NOTE: This may break some clients/servers/applications so I take no responsibility for YOUR actions.

Exchange 2003 has 6 total virtual directories. They are as follows:

Exchange | Exchweb | Exadmin | OMA | Public | Microsoft-Server-ActiveSync

For more information on the function of each virtual directory please visit this Daniel Petri’s website which is where I normally go to get the how-to for this function.

Now that we have identified the virtual directories associated with OWA, we need to backup the configuration and then delete them. I know, this seems like a really huge step, it was for me the first time I did it but now I do it on a regular basis. You will need to backup the configuration from IIS Manager by right clicking on the Default Web Site and going to “Save Configuration to a File”. I don’t think I need to walk you through the rest of the dialog boxes, you’ll figure it out.

Now that the configuration is backed up, delete the 6 virtual directories mentioned above. You may also, depending on OS version, have a virtual directory “exchange-oma”. Leave it alone for right now, we will get to it in a bit. Before we recreate the virtual directories, we need to delete a key out of the IIS Metabase. For this you will need to download the IIS 6.0 Resource Kit from here. Go ahead and install the package and navigate to “Metabase Explorer” which is part of the resource kit you just installed. In Metabase Explorer you will have some keys on the left hand side, LM being one of them. Expand the LM key and you will find the first one (ususally) to be DS2MB. Delete it the key DS2MB. DS2MB stands for Directory Service to Metabase. It’s purpose is to transfer configuration information from AD to IIS. It’ll get recreated during the next process.

Now that the virtual directories and the DS2MB keys are deleted, you can restart the “Microsoft Exchange System Attendant” service. That will recreate what we have deleted.

For some reason when the virtual directories are recreated you still have to fix a permissions issue to get it to function. Do this by going into IIS Manager and right clicking on the virtual directory “Exchweb” and select properties. Then go to the Directory Security tab and click Edit under Authentication and Access control. Ensure that Anonymous and Integrated Authentication are checked. An Inheritance Override dialog box will appear, make sure you click Select All. Click OK to finish. After you have completed that, go back into Authentication and Access control and uncheck Integrated Windows Authentication. (Yes I know, seems odd). Ok out and you are finished.

That pretty much sum’s the fix up. You will need to redo your SSL stuff but other than that you should have a fully functional OWA configuration.

Now, this is where the support code stuff and the exchange-oma virtual directory I mentioned earlier comes in. There are a number of mobile devices that are capable of connecting to Exchange to get email, contacts, calendar and tasks from their account. Some of them work with SSL / Forms Based Authentication and some don’t. To fix the ones that don’t support it, follow the steps below to get your non SSL Windows Mobile devices to connect to Exchange.

First delete the virtual directory (if you have it) exchange-oma. Now to finish this we will need to create a second virtual directory for OMA access. First, open IIS Manager and right click on the Exchange virtual directory and select “Save Configuration to File”.  Name is something like exchange-oma. Now, right click on “Default Website” and select new virtual directory from file.  Find the file you just saved (i.e. exchange-oma).  You will get a dialog box saying the virtual directory already exists.  In the alias box, type exchange-oma (or similar).

Lets, make it non SSL bound now.  Right click on the virtual directory you just created and go to the Directory Security Tab and then Authentication and Access control.  Make sure that Integrated and Basic authentications are enabled. Ok out and then under Secure communications click edit and uncheck “require SSL”.  Ok out and close IIS Manager.

To get IIS and Exchange to use the new virtual directory correctly we need to make a slight registry change.  Open the Registry Editor and find “HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters” If it does not exist, in the right pane right click and create a new String Value.  Name it ExchangeVDir and press Enter.  Modify the value of the key and put /exchange-oma in that field.

You are almost done now, quit the registry editor and restart the IIS Admin Service.  You can also use iisrestart from the run line or command prompt.

Here are some of the links I used to put this post together and have used in the past successfully.

Petri IT Knowledgebase | Dev IT Weblog | Microsoft

psexec \\* sc config browser start= disabled

PSexec is the app that we are using to send the command “sc config browser start= disabled”. \\* is stating we want to run this command on all computers in the domain. You could specify a single server/computer with \\computername or replace \\ with @browser.txt and have file with that name in the same directory you are in via command prompt. The sc is Service Control followed by config which modify the configuration of a specific service. You could use start or stop there to start or stop a service which is the second command that I used. Browser in the command is the service in which we are working with and “start=” is a fixed line in which you need to specify an argument. In this case I used “disabled”. You have the option to do auto, manual or disabled.

Next we need to actually stop the service. This can be done with the following command:

psexec \\* sc stop browser

Pretty simple huh. Afterwards I did a few spot checks to verify that it actually worked and then setup a Group Policy for an machines that I was unable to touch with psexec as well as new computers added in the future.

More information on options with SC can be found here. PSexec is part of the PStools suite. I recommend that everyone check this out if you have not in the past. PSinfo can be used for network documentation and PSshutdown can poke a stubborn computer in the eye.

1. Download and install the IIS6 Resource Kit from Microsoft here.
2. Make a backup of the web site configuration with IIS Manager.
3. Delete the Exchange Virtual Directories (Exadmin, Exchange, Exchweb,  Microsoft-Server-ActiveSync, OMA, and Public) There are 6 total.
4. Open “Metabase Explorer” from the IIS6 Resource Kit and delete the DS2MB key.
5. Restart Microsoft Echange System Attendant to recreate the virtual directories.
6. Reset permissions on the ExchWeb virtual directory in IIS Manager.  Ensure that Anonymous and Integrated authentication are checked.  Click OK to accept, and Ok on any dialog boxes that pop up.
7. Remote anonymous authentication from the ExchWeb virtual directory (I know that sounds funny to do after you just check it but trust me)

Everything at this point is 100% default as if you just installed Exchange 2003 for the first time.  This took care of the Mobile Access issues that were happening before and somehow sped up Outlook Web Access.  ??  Well, I hope this helps in some fashion, I know for me, It’ll help me remember how to find Daniel Petri’s website for this particular issue which brings me to another issue.  I use Daniel Petri’s website 2-3 times a month or more because the content on his pages are awesome.  I’ve been going to there for a few years now and it never fails to somehow point me in the right direction.  Thank you Daniel Petri.  Here’s a link to his website.