1. EDITORS CORNER
   • More Phone Cracking Going On
2. TECH BRIEFING
   • Exchange 2000, Part Deux
3. NT/2000 RELATED NEWS
   • So, What Are The Key Configuration Aspects Of That Box?
4. NT/2000 THIRD PARTY NEWS
   • New Product: Office To Go!
   • Witch Hunt For Remote Control Tool In U.S. Military
5. W2Knews 'FAVE' LINKS
   • This Week's Links We Like. Tips, Hints And Fun Stuff
6. PRODUCT OF THE WEEK
   • Hack Proofing Your Network (2nd Edition)

More Phone Cracking Going On

Read this and you will understand why I'm again making you aware of this issue.

"Hello,

"After reading your article on having your phone system hacked, I forwarded it to my boss. We both thought it was interesting, and that's as far as it went. This past Monday, someone called our front desk on our 800 number posing as an SBC Ameritech technician. He claimed he was running tests and asked to be transferred to a certain extension. Our receptionist obliged.

"Apparently there is some extension on our phone system that when transferred to, gives you control of a trunk line. It's an older ROLM system, maintained by Siemens. AT&T called about a half hour later asking why we had been making calls to Yemen, and if we had authorized it. Completely caught us off guard. The thing that bothers me is that we are powerless to do ANYTHING to our phone system.

"Everything (even voicemail boxes) needs to be done by Siemens, at a premium price off course. What other back doors are there into our phone system??? And how did AT&T know to call us? Like I said, they called a half hour after it happened. No phone company I've ever dealt with is that quick.. it can take a month just to get a line installed! Is Big Brother really watching that close? Anyway, just thought I'd share our experience. Thankfully, we are very close to purchasing a new phone system."

Lesson Learned: Textbook example of social engineering. All personnel need to be trained in security, procedures and what to do in cases like this. Next time it's the password of her machine instead, and your network is compromised.

This week's XBOX Winner: William Nipper from Matthews, North Carolina! Don't forget to update your profile and recommend your friends to subscribe today!
http://www.w2knews.com/lookup.cfm

Exchange 2000, Part Deux

Alright, now that the AD was populated with the Exchange 5.5 directory information we moved on to the next step.

Fourth step, run ForestPrep and DomainPrep. It is recommended that you run ForestPrep and DomainPrep individually prior to installing E2K although in some cases you can get away with having them run during the setup. ForestPrep's purpose is to extend the scheme of 2K's directory to contain all of the E2K information. We chose to just run them first so that we wouldn't run into any problems, we just built our AD and didn't want to destroy it.

ForestPrep is executed by running the E2K setup.exe with the "/ForestPrep" flag. In our organization it took roughly 30 minutes to run. Since our AD is relatively small and all involved servers local we didn't have to wait long for replication of the changes to complete. Rooting around a bit using ADSI Edit, part of the support tools located on the Windows 2000 Server CD, we saw the entries for E2K existed. More information on this can be found in Microsoft's Q274737 article.

After we were satisfied with ForestPrep having been run we ran DomainPrep, same as running ForestPrep except that you use "/DomainPrep". This runs in a matter of seconds, both in our test and production environments. However, we did encounter a problem with this step. In testing, all was fine and DomainPrep had run correctly. In production it seemed to run fine until after we had E2K installed and had nothing but weird errors in the event log and problems with information stores not mounting correctly and mailboxes not being accessible.

After several hours of trying to find anything anywhere as to what we did wrong we started going back and checking our prior steps. At this point we found out about a tool called "policytest.exe", located in \support\utils\i386 of E2K SP2. Its purpose is to see if DomainPrep finished its job on all the domain controllers in the local domain.

To our surprise none of the DC's had been updated by DomainPrep... We still don't know why that was. We ran the DomainPrep a second time and ran policytest to see if it had completed, no problems this time around. (The problems that we had with the E2K box went away but we still uninstalled and re-installed E2K just to make sure). The moral of this: run policytest after running DomainPrep.

Here is a good article that goes into more detail of the ForestPrep and DomainPrep functions:
http://www.w2knews.com/rd/rd.cfm?id=020325TB-Prep_Article

Fifth step, actually install E2K. Funny enough, this is probably one of the quickest and simplest parts of the processes. Standard type of install, just pick a few options, agree to a license agreement, say where you want it to go and hit the finish button. SP2 and various hotfixes were also pretty typical. As long as all the prior steps were done correctly in our production and test environments we had no problems. In test we just kept forgetting that we had to have SMTP and NNTP installed prior to the E2K install, simple enough to add them in.

Sixth step, moving the mailboxes and public folders. This part was pretty easy as well, just open up AD Users and Computers on a machine that has the E2K management tools loaded, right-click on the mailbox enabled user, select "Exchange Tasks". You can select multiple users for this step if you like, we didn't at first as we wanted to benchmark the moving procedure.

In our testing it would take about 30 minutes per 400 megs of email, depending upon the number of messages and other loads present on the source 5.5 server. During the mailbox move the user will not be able to use Outlook and it took about 5-10 minutes after the mailbox was moved for the user to be able to get back into their email.

The nice thing was that no one had to touch the user's profile, it automatically updated with the new server name. We did find that if you immediately made a permission change to the user's mailbox after moving it the 5-10 minute wait was no longer needed, they could hop right in seconds after the mailbox was moved. We moved all of our mailboxes over the course of about 3 days.

The public folders aren't really moved, they are replicated. You'll find the public folders located in E2K System Manager under "Administrative Groups", "SITE", "Folders", "Public Folders". Right-click the various folders and select "Properties" and go to the "Replication" tab. From there you can specify the servers that you want to replicate the public folders to. There are also some that do not show up by default. You need to right-click on the "Public Folders" and select the "View System Folders" option. From here you need to set "OFFLINE ADDRESS BOOK" and "SCHEDULE+ FREE BUSY" to replicate. This last bit of data is something that I gleaned from Microsoft's Q284148 article which I'll go into later in this write-up.

Seventh step, setup a connector on the new server for inbound/outbound email. Up to this point all of our email was still going in and out of the 5.5 server's IMC. Since E2K is based on SMTP it was a fairly simple task to get a connector setup on the new server using the E2K System Manager. First make sure that you right-click the Exchange organization at the very top of the System Manager, go into properties, and check of the "Show Routing Groups" option.

Once this was done we jumped into the "Routing Groups" and setup the new SMTP connector. Now all inbound email was still going to the 5.5 server and all outbound email was going out on the E2K server. Prior to allowing email to come into the server we made sure that we installed Antigen on the new server, a really effective and reliable anti-virus software package by http://www.Sybari.com (we don't sell it, but we like it :). Now that we're safe from the hordes of incoming viruses (over 500 per day) we started at looking to how to get inbound mail to the new server. Instead of changing MX records and modifying firewall configurations we decided to give the 5.5 a different I.P. address, take its old I.P. address away, and add that I.P. address to the new server. This took about 2 minutes and worked like a charm.... except for any domain that didn't end with "sunbelt-software.com". A quick poking around and we realized that we needed to put in a Recipient Policy to allow email for the other domains, this is in the Exchange System Manager under Recipients. Now everything really worked.

Eighth step, clean-up. At this point the old 5.5 server was doing nothing but contribute to our electric bill. However, it was listed in several places still. Microsoft has a very important article that I mentioned earlier, Q284148, that goes into the process of removing this server. However, we encountered problems removing Site Replication Services listing from the Exchange System Manager. The old 5.5 server was still listed in ESM under Servers and nothing seemed to remove this. A bit of poking around in Sunbelt's Exchange Admin list uncovered a way to remove this from the AD using ADSI Edit tool. This is where we found and deleted the 5.5 server: Configuration Containers > Services > Microsoft Exchange > CN=XXXXXX > Administrative Groups > CN = XXXXXX > Servers

Also, we had to delete the old connectors that were still showing up in the ESM. The were located here: Configuration Containers > Services > Microsoft Exchange > CN=XXXXXX > Administrative Groups > CN = XXXXXX > Routing Groups > CN = XXXXXX > CN = Connections

After deleting these items from the AD we were able to remove the Site Replication Service listing from the ESM and life was once again good. Now we had the option of going E2K Native Mode, this will not show up if there is even a hint of a 5.5 server in the AD.

Ninth step, rinse and repeat. Since the swing server we had used for this procedure was an older server that had been put out to pasture we beefed up the old 5.5 server and are currently in the process of moving all the mailboxes back. Since it's E2K to E2K, and I feel like this is all I've been doing for 3 weeks, it's pretty simple and a familiar process.

Overall, I've become a bit more impressed with E2K than I was when we started the processes. Using IIS's SMTP engine allows for a much higher volume of Internet email without bogging. Over the next few weeks we'll probably get to play with some of the fun stuff :)

So, What Are The Key Configuration Aspects Of That Box?

How many times have you walked up to a system in your office and needed to click through several diagnostic windows to remind yourself of important aspects of its configuration, such as its name, IP address, or operating system version? If you manage multiple computers you probably need BGInfo. It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. You can edit any field as well as the font and background colors, and can place it in your startup folder so that it runs every boot, or even configure it to display as the background for the logon screen.

New Product: Office To Go!

"Beyond Blackberry". Need a full-fledged wireless solution (that doesn't cost thousands of dollars just to install) and not only allows you to control your servers, handle your email, but also gives you web browsing, email attachments, faxes, paging and instant messaging as well? Read on! [offer valid for USA & Canada only]

Product Features
Now, this is a great tool for system admins that are on the move a lot. (Especially when you have a remote MMC tool like StarAdmin or SonicAdmin running on it too.) We have them in 5-, 10- and 20-packs. It's called the Airespring "Office-To-Go"[tm] Mobile Wireless Productivity Suite. It uses the same always on, nationwide wireless packet switched data network that UPS runs their package tracking off. But it's not really for just the IT department. You should also think of your roadwarrior colleagues that will save bundles of time and be so much more productive.

"Always-On" Access To Your Desktop E-mail
You get a copy on your wireless device of every e-mail that goes to your desktop. After you read it, you can reply, forward, delete or do anything you would normally do with your e-mail. There is no change in your e-mail address. When you send a message from your wireless device, it comes from your regular e-mail address so the recipient would have no way of knowing if it came from your desk or your wireless device.

You can also compose and send new e-mail directly from your device. This allows you to stay in touch all day, no matter whether you are in or out of the office. Integrates with the standard mail servers based on POP3, IMAP4, MAPI etc... (Supports MS Exchange, Lotus Domino Notes, Novell Groupwise too).

No Effort Required
Since your wireless device and the network are always on, you do not need to do anything special to get your e-mail. You will be automatically alerted every time you have incoming e-mail. Best of all, if you turn off your device, your e-mail will be stored and will be sent to you as soon as you turn your device back on.

Nation's Largest Wireless Data Network
The network works all over the continental United States, Alaska, Puerto Rico and the US Virgin Islands and covers 98% of the US population. So no matter where you go, your service will go with you. Best of all, since it's all one seamless network, there are no roaming or additional charges for leaving your home area. Make sure you come back to Sunbelt after you have checked if your area is OK!

The Office To Go 8 in 1 solution ? puts your office in your pocket!

Airespring's Office-To-Go Mobile Wireless Productivity Suite takes you far beyond just e-mail. Check out the following features:

1. E-mail. (see description above)
2. Attachments. View and respond to any e-mail attachment you receive, including Microsoft Word, Excel, Powerpoint and Adobe PDF files.
3. Wireless IM (Instant Messaging). Use the Corporate IM solution to send instant messages to other employees directly from your wireless handheld. This service bypasses your e-mail service and the internet for instant, direct two-way communication between individuals or groups of employees.
4. Web Browser. With the integrated full HTML compatible web-browser, you can go to any site on the internet. Trade stocks, get news, entertainment, financial info, etc It gives you TOTAL access to the internet using an "Open URL" web browser for full access to the Internet.
5. Off Line Form Storage and Fill Out
6. Fax Machine. A fax machine in the palm of your hand - send and receive faxes, to and from anywhere in the world. Printer. You can use the print feature to print any e-mail or document on the nearest fax machine. Now, wherever you have a fax machine, you have a printer!
7. Mobile Organizer. A complete organizer and Personal Information Manager Synchronize with your desktop and most popular PIM's like Outlook and many others. See the webpage.
8. Pager. You can receive numeric or text pages from anyone, anywhere with a telephone via a toll-free number and your unique PIN code.
9. Remote Access to your desktop via a browser-based tool very much like GoToMyPC.

Witch Hunt For Remote Control Tool In U.S. Military

The Security Wire Digest sent out this blurb and I thought that it was strange, as the product in question is not a Trojan at all.

"U.S. Army and Navy computer administrators are scanning Windows systems to find and remove an unauthorized, commercial remote-control program called RemotelyAnywhere, according to a Newsbytes report. Both branches of the military have distributed high-priority memos warning that the tool, if launched, could expose Department of Defense systems to security breaches. The $99 program allows remote users to access files through a Web browser. Evidence of program installation includes the presence of RAMIRR.DLL, RAHOOK.DLL, RA_SSH1.DLL and RA_SSH2.DLL files."

I asked the CEO of the company that sells the product to comment. He said: And I quote:

"I take great offense at the sensationalistic characterization of RemotelyAnywhere as a "trojan". RemotelyAnywhere is a commercially-available piece of software, used by Fortune 100 companies, major financial institutions and numerous branches of local, state and federal government, that allows secure remote administration of a computer. It is no more a trojan than RAdmin or VNC or PCAnywhere.

"The fact is that the hackers did not use RemotelyAnywhere to gain access to these computers. They installed illegal copies of RemotelyAnywhere only after the machines had been compromised. So to portray RemotelyAnywhere as a trojan is extremely misleading. Our list of satisfied customers is very extensive, but due to concern for their privacy, we do not divulge their identities. Suffice it to say it is an impressive list". - end quote -

This Week's Links We Like. Tips, Hints And Fun Stuff

Hack Proofing Your Network (2nd Edition)

By Ryan Russell (and a bunch of other security gurus). Ryan Permeh from eEye has written the chapter on buffer overflows for this new edition. Ryan's information alone is well worth checking out however the rest of the book also has a lot of really great information. Definitely check this book out if your interested in the topic of security. "The only way to stop a hacker is to think like one". This bestseller is now updated. This is one of these "Stu's Warmly Recommended" ones.