Just released from the team at Train Signal and certified instructor Ben “Coach” Culbertson (MCITP) is their new Hyper-V Training. If you want to develop hands-on experience with Hyper-V and potentially revolutionize how you think about system administration, then this 7 hour video training course is exactly what you’re looking for.

You’ll learn about Hyper-V virtualization in depth as you discover the tools and techniques that allow you to quickly provision servers, create test environments, configure virtualized physical servers, and much more.  Plus, this is the only course available that will show you the new features of Hyper-V in Windows Server 2008 R2.

Check out the demo below, then go here to learn more about Train Signal’s Hyper-V Training:

The course includes video and audio training on iPod, Mp3, AVI and WAV (great for learning on-the-go).

[NOTES FROM THE FIELD] – Microsoft has now released their Release Candidate for Windows 7; I wrote a brief article Windows 7 Release Candidate (Build 7100) - Early Details on this already and indications are that Microsoft will have Windows 7 available for the 2009 holiday shopping season. Stay tuned…

This article series is an overview of BitLocker and Encrypting File System (EFS) in Windows 7. My first article in this series covered a high level review of the Encrypting File System and in this article, I'll review some of the information with respect to Bitlocker on Windows 7.

A Must for Mastering Windows Vista - Watch These Videos!

I just finished watching the Windows Vista Training videos by Train Signal and I highly recommend this course, as you will learn much more than you will from books (which never seem to have enough detail!). Their learn by doing approach is excellent because it shows you the "ins and outs" of Vista instead of reading pages and pages of theory.

Daniel Petri, Petri IT Knowledge Base

Click Here to Watch the Windows Vista Videos!

What is BitLocker?

BitLocker Drive Encryption is available on some versions of Windows Vista, Windows Server 2008 R2 and in some editions of Windows 7.

Using BitLocker Drive Encryption is one of the best ways to protect portable systems such as laptops from loss of data and information when the laptops themselves are lost or stolen. Additionally, the use of BitLocker on desktop systems is also a good consideration when you consider how much information can be lost from recycled desktop systems that have not undergone a proper hard drive wipe routine before being sold off.

BitLocker leverages the Trusted Platform Module (TPM) version 1.2 hardware component installed in many of the newer laptop systems sold today. Additionally, many motherboard hardware vendors are now incorporating the Trusted Platform Module as part of their releases.

It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

[NOTES FROM THE FIELD] – BitLocker can still be used on some systems to encrypt the Windows operating system drive even when the Trusted Platform Module (TPM) version 1.2 is not present. In that situation the end user needs to insert a USB startup key to boot the computer or to bring a system out of hibernation.

Additionally, systems that do not have TPM available cannot leverage the pre-startup system integrity verification offered by BitLocker with a TPM.

System requirements for BitLocker Drive Encryption

There are system requirements in order to leverage BitLocker. The quick rundown on these requirements are:

• In order for BitLocker to use the system integrity check provided by the Trusted Platform Module it must have a TPM running version 1.2 otherwise BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
• Systems with a TPM must also have the Trusted Computing Group compliant BIOS which allows for the required chain of trust for the initialization process before the operating system loads. Systems without a TPM do not require a TCG-compliant BIOS.
• The system BIOS for TPM and non-TPM systems must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
• You need to have a primary partition that is at least 1.5 gigabytes (GBs) in size and it needs to be marked as the active partition. This is used by bootmgr to boot the system. The boot files are also found on this partition as well.
• You’ll need at least one other primary partition to be used for the operating system and for data storage.

BitLocker System Integrity Check

BitLocker uses TPM to validate the integrity of a system by performing a check of the boot components and boot configuration data. This security measure is done to verify that the system is still in the checked state it is expected to be in.

If the system appears to have been changed in some manner BitLocker leaves the system locked before the operating system is loaded to prevent access to the information that is encrypted.

The potential changes could be anything from installed Trojans or root kits that have made their way onto an affected system to a malicious user attempting to boot to the computer or laptop from an alternate operating system with the intention of gaining unauthorized access to the data on the system.

According to the information supplied by Microsoft and other resources, there are a number of scenarios where the user or an administrator would need to recover the system / unlock a hard drive because the security has denied access; these include (but are not limited to):

• Attempting to access a hard drive with BitLocker enabled in a different system
• This would include attaching it via external Firewire / USB ports to another system
• Changing / replacing motherboard with a new TPM.
• Changing the status of the TPM (turning it off, temporarily disabling, and / or clearing the TPM
• Updating the system BIOS and or any of the other ROM on the motherboard.
• Intentional or unintentional changes to the initialization routine / boot components that cause system integrity validation to fail.
• Entering the wrong PIN information when PIN authentication has been enabled.
• Loss of (or damage to) the USB flash drive that has the information for the startup key when startup key authentication has been enabled.

Temporarily Disabling BitLocker

There are a few situations where you might need to temporarily disable BitLocker Drive Encryption to perform changes or maintenance to a system. Doing this will allow you to incorporate the changes to the system as part of an authorized change and that would keep the system from going into a state at start up that might require it to be recovered.

Some examples of these scenarios where you may need to temporarily disable BitLocker:

• Updating the BIOS on the motherboard or other ROM that might be present.
• This includes installing a hardware component that has its own ROM available.
• Making other major system changes on the hardware side (replacing motherboard, adding devices that affect system initialization, etc)
• Making intentional changes to the initialization routine / boot components
• Installing a different version of the operating system
• Changing the system startup to allow for dual booting
• Making desired / required changes to the master boot record (MBR).
• Changing the disk partitions when these changes affect the partition table.
• Moving a BitLocker-protected drive to another computer

That’s a wrap for my overview of of BitLocker for Windows 7 – I hope you found it a good investment of your time.

Next up, I'll be reviewing some of the high level information on the BitLocker To Go functionality which extends BitLocker data protection to USB storage devices allowing them to be secured.

I am always looking forward to any feedback you have on this or any of the articles I have written so feel free to drop in some comments or contact me directly.

Additionally, I would welcome any suggestions topics of interest that you would like to see and based on demand and column space I’ll do what I can to deliver them to you.

Best of luck in your studies.

Daniel Petri's Exchange Server Recommendations

There are several new features included within Exchange Server 2007, which some of my articles touch on briefly. However, if you are looking for training that takes you from installation to integration with Outlook and management of Exchange Server 2007 then you need Train Signal's training videos. The Exchange Server 2007 training videos are taught by Microsoft MVP and MCSE, David Shackelford, who teaches with a "Hands-on" approach.

Daniel Petri

You can see the Exchange Server 2007 training with video instruction here.

Windows Server 2003 includes support for a startup switch (entered in the Boot.ini file) that lets you tune the allocation of use of memory and memory address space. In Windows Server 2003, and regardless of the amount of physical memory that is installed on your system, the operating system uses a virtual address space of 4 GB. Out of that amount, 2 GB is allocated to user-mode processes (for example, applications and services) and 2 GB is allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have more than 1 GB of physical memory, this startup switch can be used to allocate more memory to applications (3 GB) and less memory to the operating system (1 GB).

The most significant product that benefits from this switch is Exchange Server. This additional virtual address space helps reduce the amount of memory fragmentation in the virtual address space of the Exchange Information Store process.

The /3GB switch is used to effect this allocation change. The switch is entered in the system’s Boot.ini file and takes effect after a restart.

The /3GB switch is supported only on the following operating systems (note that the /3GB switch was first added to Windows NT 4.0 Server Enterprise Edition):

• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server
• Windows Server 2003 Standard Edition
• Windows Server 2003 Enterprise Edition
• Windows Server 2003 Datacenter Edition

Note: On Windows Vista and later versions of Windows, use the IncreaseUserVA element in BCDEdit.

When talking about /3GB in Exchange Server, it's also worth reminding you of the /USERVA=3030 switch. The /USERVA switch's purpose is to provide a finer level of control over the division of virtual address space between user-mode processes and kernel-mode processes. When used on Exchange Server 2003 systems, /USERVA should always equal 3030. This value causes an additional 40 MB to be allocated to the operating system, and enables you to add more users without consuming all available system resources. See links below for a full description of this switch.

With the /USERVA switch, you can customize how the memory is allocated when you use the /3GB switch. The number following /USERVA= is the amount of memory in MB that will be allocated to each process. If you set /3GB /USERVA=3030, this reserves 3,030 MB of memory to the process space, as compared to 3,072 MB when you use the /3GB switch alone. The extra 42 MB that are saved is used to increase the kernel memory space, free system page table entries (PTEs). The PTE memory pool is increased by the difference between 3 GB (specified by the /3GB switch) and the value that is assigned to the /USERVA switch.

See links below for a full description of this switch.

Do I need to edit the Boot.ini? Is my Exchange system optimized for memory usage?

To quickly answer these questions you can run the Exchange Best Practice Analyzer, a must have free tool from Microsoft, that will not only scan your system for memory issues, but also recommend other various "best practice" procedures you should perform in order to tune your Exchange server. It will programmatically collects settings and values from data repositories such as Active Directory, registry, metabase and performance monitor. Once collected, a set of comprehensive "best practice" rules are applied to the topology.

Download details: Exchange Best Practices Analyzer:
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en

Do I need to add more than 4GB of RAM to my Exchange 2003 server?

Exchange Server uses the /3GB switch as it scales up, the Exchange Server computer cannot efficiently use more than 4 GB of RAM. Because eExchange Server does not support instancing, Physical Address Extension (PAE), or Address Windowing Extensions (AWE), 4 GB of RAM is the maximum amount of memory that an Exchange Server computer can efficiently use.

So, going back to the original question - Do I need to use the /3GB switch on a 64-bit Windows Server 2003 machine?

The answer is no.

64-bit versions of Windows do not support the use of the /3GB switch in the boot options. Therefore, a 64-bit pointer could address up to 16 exabytes. 64-bit versions of Windows have currently implemented up to 16 terabytes of address space. (Needless to say, but I'll say it anyway, in any case, Exchange Server 2003 cannot be run on a Windows Server 2003 64-bit operating system, and Exchange Server 2007 is not supported on 32-bit versions of Windows Server 2003/2008).

Here is a table that summarizes these differences:

Links

Use of the /3GB switch in Exchange Server 2003 on a Windows Server 2003-based system:
http://support.microsoft.com/?kbid=823440

Using the /Userva switch on Windows Server 2003-based computers that are running Exchange Server:
http://support.microsoft.com/?kbID=810371

Ask the Performance Team : Memory Management 101:
http://blogs.technet.com/askperf/archive/2007/02/23/memory-management-101.aspx

Ask the Performance Team : Memory Management - Demystifying /3GB:
http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

How to Set the /3GB Startup Switch in Windows:
http://technet.microsoft.com/en-us/library/bb124810.aspx

How to Set the /USERVA Startup Switch in Windows:
http://technet.microsoft.com/en-us/library/aa996274(EXCHG.65).aspx

How to optimize memory usage in Exchange Server 2003:
http://support.microsoft.com/?kbid=815372

How to troubleshoot virtual memory fragmentation in Exchange Server 2003 and Exchange 2000 Server:
http://support.microsoft.com/?kbid=325044

Comparison of 32-bit and 64-bit memory architecture for 64-bit editions of Windows XP and Windows Server 2003:
http://support.microsoft.com/default.aspx/kb/294418

There used to be a saying in the IT industry that "you wouldn't get sacked for buying IBM"; whilst that may be somewhat dated the same could be said for Cisco equipment nowadays. There are plenty of alternative vendors providing firewall solutions with many similar features and at a lower price but the industry standard is still Cisco. The Cisco PIX range of firewall/NAT devices was originally launched in 1995 but the models most readers are likely to encounter are the 501, 506 and 515 which were launched in 2002. They were finally discontinued in 2008, their longevity was mainly down to their use of the PIX OS which enabled new features to be provided via firmware upgrade without the need for major hardware updates. Although the Cisco ASA range was launched in 2005 and aligned as a replacement for the PIX range Cisco users tend to resist change and so ASAs have only started to become widespread in the last couple of years.

Preparing for Cisco CCNP Exams?

These are the videos you need to get certified... Whether you are studying for the BCSI, BCMSN, ONT, ISCW or all four, Train Signal's Cisco CCNP Training Series is the best out there. The instructor uses a "hands-on" method for teaching complex technologies. Each video covers all the bases and gives you more than enough test prep to pass any of your CCNP exams!

Daniel Petri

Click Here to Watch the Cisco CCNP Training Videos!

The original release versions of the ASA officially combined the separate firewall, VPN and IPS (Intrusion Prevention Systems) functionality of several Cisco devices, although the current PIX OS at the time (version 7.x) supported all these features. In fact the ASA range started life running PIX7.0 and only diversified with the release of version ASA8.0 which moved back in line with the main Cisco IOS by using their customized Linux based kernel.

For users from a Unix background this makes Cisco devices' use of text files for all configuration settings reassuringly familiar but for those from a Windows background it can seem impossibly complex. Cisco attempted to address this first with the PIX by introducing the PIX Device Manager, a Java based GUI front-end for the PIX OS, however a frustrating number of bugs tended to drive admins back to the command line for any advanced configuration. Fortunately they started from scratch with the ASA and designed the ASDM (Adaptive Security Device Manager), again a Java based management console but this time one that allows you to do virtually all the configuration without having to resort to a text editor. The latest ASA version is now 8.2 and ASDM is on version 6.1:

Cisco ASDM dashboard view

ASA Models

There are six main models in the ASA range, from the basic 5505 branch office model up to the 5580 datacenter versions; a full comparison is available on the Cisco website here. Although this article will concentrate on the 5505 and 5510 models the basic feature set is in fact fairly consistent across the range, the main differences being in the maximum traffic throughput handled by each model and the number/type of interfaces.

At the most basic level the ASA is a transparent or routed firewall/NAT device, this means it is designed to sit between your LAN and the Internet; one interface (normally known as "outside") will be connected to your Internet access device and one or more interfaces (e.g. "inside" and "DMZ") will connect to your internal networks. This enables the ASA to inspect and control all traffic passing between your network and the Internet, exactly what it does with that traffic is the clever bit.

ASA 5510

The ASA5510 is intended to be a single device solution to your Internet security requirements and with its 300Mbps throughput and 9,000 firewall connections per second capacity will be suitable for most office deployments. The key features will be covered in more detail later but in brief these are; firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100Mbps ports, by default these provide one outside (Internet) interface, one management and three internal network interfaces but they are fully reconfigurable and also support vLANing for further network subdivision if required. Functionality can be upgraded via a Security Services Module port which provides support for additional Content Security and Intrusion Prevention features.

ASA 5505

The ASA5505 is intended for small or branch office and teleworker deployments, often in conjunction with a 5510 or higher model at the head office to which it will establish a secure VPN, whilst providing full security for other Internet traffic. The device has 8 10/100Mbps Ethernet ports, including 2 with Power over Ethernet support suitable for PoE devices such as IP phones or cameras, so it can be used as single unit solution for the smaller office. Key differences compared to the 5510 are the reduced support for VPN connections (only 10 but upgradeable to 25 with license), only 3 vLANs (25 with Security Plus license)  and only a slot for the optional Security Services Card so there is no option for the advanced Content Security services.

Key Features

Firewall

All ASA models include a fully featured policy based firewall and routing engine which allows you complete control of which traffic you allow in and out of your network. Layer 2/3 firewalling allows you to specify which hosts are allowed access through the ASA and also to perform Network Address Translation to map internal hosts to public IP addresses. Layer 7 firewall goes several steps further and also allows you to define access policies based on application and protocol type, providing extremely granular control over Internet access and protection against advanced types of network attack. Unlike many competitor's firewalls the ASA's policy and interface based approach to access control gives you complete control over traffic leaving your network as well as incoming, for example allowing you to restrict Instant Messaging use to only your approved client application. Deep packet inspection goes beyond simply analysing the protocol and port of the attempted connection to discover the application behind it making it virtually impossible for users to circumvent company IT policies.

SSL & IPsec VPN

Even the ASA 5505 includes full support for IPsec and SSL VPN endpoints, providing highly encrypted tunnels for office to office and remote user to office connections. The basic license for all ASAs allows IPsec VPN connections up to the maximum supported on each model but only includes two SSL VPN licenses, to allow for testing before deployment. The 5505 will support up to 25 simultaneous VPN connections, whilst the 5510 supports a maximum of 250 - these can be any combination of IPsec or SSL, and site to site or remote client types.

IPsec VPNs are commonly deployed between Cisco VPN devices for site to site connections, or initiated by client software on the remote worker's computer. Included with all ASA license bundles is the Cisco AnyConnect VPN client, with versions available for all major operating systems; Windows 2000 up to Windows 7, Mac OS X (10.4/5), Linux Intel kernel 2.6.x and even Windows Mobile 5.0/6.0/6.1 . Cisco AnyConnect provides several improvements over the basic IPsec functionality built into those operating systems, key features are:

• DTLS protocol support to help minimize latency for applications such as VoIP
• Support for SSL tunneling to ensure connectivity even through restrictive proxies and firewalls (if web browsing is possible then so is a VPN connection)
• Advanced encryption and wide range of authentication protocols, including two factor smartcard/token based
• Flexible IP tunneling for consistent user experience with features such as connection retention, ensuring the mobile user retains connectivity through disconnections, reboots and standby/hibernation.

Cisco's SSL VPN makes supporting mobile and remote users even simpler, by using the same protocol as that used for secure web sites a VPN connection is available anywhere the user can browse the web. The SSL VPN can be initiated via an ActiveX or Java control so no client has to be pre-installed on the user's system, all they have to do is browse to the website and provide the necessary credentials.

Intrusion Prevention

Cisco's Intrusion Prevention System goes beyond the standard firewall functions to analyse data packets for known and potential threats, including malware, network intrusion and application exploitation. This ensures maximum network security by intercepting undesirable traffic before it reaches the internal network whilst regular automatic signature updates maintain protection against new threats. IPS support is an optional feature that can be added via the purchase  of an AIP SSC (upgrade card) for the ASA5505 or an AIP SSM (upgrade module) for the ASA5510. The AIP SSM has all the standard features of the AIP SSC but with increased throughput capacity (150Mbps/9k connections per second vs 75Mbps/4k cps) and support for Global Correlation and Day Zero attack anomaly prevention. Global Correlation involves much more than regular signature updates, using a real time connection with the Cisco Security Intelligence Operations infrastructure to monitor the current threat status Internet wide, identifying and preventing fast spreading threats as they happen. Day Zero Attack Prevention analyzes your normal network behaviors so it can detect anomalous behavior representing potential threats and block it, even before official detection signatures have been released.

Content Security

Content Security is not available on the ASA5505 but can be added to the ASA5510 with the purchase of the CSC-SSM module. This provides a comprehensive range of network security and control features including:

• Malware scanning using Trendlabs protection to scan both Internet and email traffic and eliminate viruses, worms and other threats such as spyware.
• Anti-spam to remove unsolicited commercial emails
• Anti-phishing protects against spoofed identity attacks and prevents users disclosing confidential information inappropriately
• Comprehensive web access protection; all traffic is scanned so protection cannot be bypassed, e.g. through employees using personal webmail services which would not usually be protected by corporate email protection
• URL filtering and content protection - gives you full control over which employees can access what, definable by categories and content, again applying to all web access so undesirable content can be blocked whether on a website, in an email or in a file download.

CSC-SSM licenses are available in several different options according to the number of users supported and the feature set; basic licenses support Anti-virus and Anti-spyware while the advanced licensed add URL & Content filtering, Anti-spam and Anti-phishing. Security updates are provided by Trendlabs and licensed on a yearly subscription basis.

Conclusion

Cisco's ASA range greatly extends the usual definition of a firewall to provide a complete network perimeter security solution, and with the 5505 and 5510 models what used to be "enterprise only" features are now available to the SME network. Having said that several of these features are not included with the basic device package; they have to be purchased as separate licenses, which is important to bear in mind when comparing costs. However this does allow you to tailor the device to your requirements, so you only pay for features as and when you need them.

With the ASDM GUI Cisco have gone a long way to reduce the complexities of configuration and management that used to be the hallmark of their appliances so deployment should be within the capabilities of most network admins too. The next article in this series will cover the basics of ASA setup and administration using the ASDM interface.

Daniel Petri's Exchange Server Recommendations

There are several new features included within Exchange Server 2007, which some of my articles touch on briefly. However, if you are looking for training that takes you from installation to integration with Outlook and management of Exchange Server 2007 then you need Train Signal's training videos. The Exchange Server 2007 training videos are taught by Microsoft MVP and MCSE, David Shackelford, who teaches with a "Hands-on" approach.

Daniel Petri

You can see the Exchange Server 2007 training with video instruction here.

SMTP used to be anonymous in its origins, with authentication implemented during its evolution. Originally, SMTP servers were typically internal to an organization, receiving mail that was destined for the organization from the outside. These servers were also responsible for relaying messages from the organization to the outside. But, with time, SMTP servers evolved to become message submission agents for e-mail user agents, some of which were now relaying mail from the outside of an organization, such as when a company mobile worker that wants to send e-mail while on a trip using the corporate SMTP server. This meant that the SMTP protocol had to include specific rules and methods for relaying mail and authenticating users to prevent abuses such as spam relaying.

Note: An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users.

While SMTP-AUTH is generally a security improvement over unauthenticated SMTP, it can also introduce a weakness. If authenticated users are allowed to submit messages from IP addresses and unauthenticated users are not, then an attacker who manages to get the credentials of one user's account is then able to use the authenticated server as an open mail relay. Therefore, every user's password now becomes a key to the mail system's security. A good password policy can effectively prevent such an attack.

For more information about SMTP, refer to RFC 821, RFC 2821, RF 2554, RFC 4954 and RFC 5321.

You can use the TELNET command to test and perform SMTP connections and send e-mail.

You can read more about SMTP in my articles on  testing SMTP service in IIS and Exchange and SMTP, POP3 and Telnet in Exchange.

Generally, in order to connect to an SMTP server and send a test email, you need to perform the following tasks:

telnet mail.kuku.co.il 25

Note: I've used my own incoming mail server. However, you can do the same for ANY mail server - for more information about MX records, check out a previous article I wrote on  configuring MX Records for incoming SMTP email.

Next, you issue a set of textual commands that perform the actual mail sending process:

220 mail.kuku.co.il hello ESMTP Sat, 6 Jun 2009 07:11:14 -0400
ehlo
250-mail.kuku.co.il Hello [xxx.xxx.xxx.xxx]
250-TURN
250-SIZE 104857600
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: me@mydomain.com
250 2.1.0 me@mydomain.com....Sender OK
rcpt to: you@kuku.co.il
250 2.1.5 you@kuku.co.il
data
354 Start mail input; end with <CRLF>.<CRLF>
This is a test.

.
250 2.6.0 <SMTP0146bXmdMJOtd3r00028154@mail.kuku.co.il> Queued mail for
delivery
quit
221 2.0.0 mail.kuku.co.il Service closing transmission channel

Connection to host lost.

Note: I've removed my IP address, sending e-mail address, and receiving e-mail address from the above sample.

Next, I wanted to be able to send an e-mail through the mail server to an external recipient, that would be considered as relaying. However, since most modern mail servers will not allow for unauthenticated SMTP connections to relay mail through them, we must now add the SMTP-AUTH command to the test procedure. The SMTP-AUTH extension is defined in RFC 4954.

For example, again using my own server:

220 mail.kuku.co.il hello ESMTP Sat, 6 Jun 2009 07:11:14 -0400
ehlo
250-mail.kuku.co.il Hello [xxx.xxx.xxx.xxx]
250-TURN
250-SIZE 104857600
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: me@mydomain.com
250 2.1.0 me@mydomain.com....Sender OK
rcpt to: you@externaldomain.com
550 5.1.1 Bad destination mailbox address (you@externaldomain.com).

Connection to host lost

Relaying to you@externaldomain.com is blocked.

So in order to be able to do so, I would have to authenticate to the server prior to attempting to send the e-mail.

Since do I have a valid user name and password, I can use these to authenticate. However, there is one major obstacle in front of us. The encoding of the SMTP-AUTH command. What we need to do is get a base64 encoding of our user name and password.

There are some base64 encoders available, but I personally like using Eb64 and Db64, available here for free:

Small Utils:
http://www.dlcsistemas.com/html/other_utils.html

So, assuming my user name and passwords for my account are:

myusername@kuku.co.il

myPASSWORD

I run this command:

EB64.EXE /t myusername@kuku.co.il

and get this output:

bXl1c2VybmFtZUBrdWt1LmNvLmls

And for this command:

EB64.EXE /t myPASSWORD

I get this output:

bXlQQVNTV09SRA==

The process of authentication is simple. You issue an AUTH LOGIN command prior to providing the source and destination e-mail addresses. From that point onwards, the server and the client "speak" in base64 encoding.

The server should return a 334 VXNlcm5hbWU6 message. This is a base64 encoded string asking you for your username.

After providing it in,the server should have returned 334 UGFzc3dvcmQ6. Again this is a base64 encoded string now asking for your password.

Once you provide that, the server performs the authentication, and if successful, will respond with a 235 2.7.0 Authentication successful message.

So now I go back to my TELNET window and incorporate this information in my connection the the SMTP server:

220 mail.kuku.co.il hello ESMTP Sat, 6 Jun 2009 07:11:14 -0400
ehlo
250-mail.kuku.co.il Hello [xxx.xxx.xxx.xxx]
250-TURN
250-SIZE 104857600
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
auth login
334 VXNlcm5hbWU6
bXl1c2VybmFtZUBrdWt1LmNvLmls
334 UGFzc3dvcmQ6
bXlQQVNTV09SRA==
235 2.7.0 Authentication successful.
mail from: me@mydomain.com
250 2.1.0 me@mydomain.com....Sender OK
rcpt to: you@externaldomain.com
250 2.1.5 you@externaldomain.com
data
354 Start mail input; end with <CRLF>.<CRLF>
This is a test.

.
250 2.6.0 <SMTP010guA8M6XQQez100040b0d@mail.kuku.co.il> Queued mail for
delivery
quit
221 2.0.0 mail.kuku.co.il Service closing transmission channel

Connection to host lost.

This concludes the action, and the e-mail was successfully sent.

A Must for Mastering Windows Vista - Watch These Videos!

I just finished watching the Windows Vista Training videos by Train Signal and I highly recommend this course, as you will learn much more than you will from books (which never seem to have enough detail!). Their learn by doing approach is excellent because it shows you the "ins and outs" of Vista instead of reading pages and pages of theory.

Daniel Petri, Petri IT Knowledge Base

Click Here to Watch the Windows Vista Videos!

In my Working with System Image Backups in Windows 7 article I described the steps needed to be taken in order to successfully create a System Image backup of your Windows 7 computer.

Note: Remember, Windows 7 is still under development. The version used for these screenshots is beta build 7000, and things might (and probably will) change with RTM.

So first thing first – you must make be 100% sure that this is the only means to repair your system. Why? Well that’s because when you restore your computer from a system image, it's always a complete restoration. You cannot choose individual items to restore, and all of your programs, system settings, and files are replaced with those on the system image.

If you’re perfectly sure that a restore is the only way to get your computer back to business, you now have 3 options to start the restore operation:

Option 1: Restore using Recovery

This only works if your computer is still working and you can access Control Panel > Backup and Restore, or if you want to restore your system image backup onto a different computer.

Option 2: Restore Using a Windows Installation or System Repair Disk

If you cannot access Control Panel > Backup and Restore, you can restore your computer using a Windows installation DVD or a system repair disk (if you have previously created one).

To use this option, insert the installation disk or system repair disk into your computer’s CD/DVD drive.

Next, restart your computer using the computer's power button.

If prompted, press any key to start Windows from the installation disk or system repair disk. If your computer is not configured to start from a CD or DVD, check the information that came with your computer. You may need to change your computer's BIOS settings.

Choose your language settings, and then click Next.

Click Repair your computer.

Momentarily, a Windows installation is located.

Note: This seems a bit strange, but the drive letter attached to the found installation is not C: but E: instead.

If you need to add disk drivers, press the “Add Drivers” button.

Looking at the disk drive list you can clearly see that for the recovery, Windows has assigned a different drive letter for the original C: drive.

Going back to the recovery, select the Windows installation you want to repair, and then click Next. You will be prompted to choose a recovery tool. Select “System Image Recovery”.

Option 3: Restore Using the Advanced Boot Option

Use this option if you do not have the installation disk or system repair disk.

To use this option, restart your computer using the computer's power button.

Next, repeatedly press F8 to gain access to the Advanced Boot options of Windows 7. If you see the Windows logo you will need to reboot and retry.

Select a keyboard language and press Next.

Enter an administrator’s username and password to begin the recovery process.

When inside the Advanced Boot options, click the arrow keys to select “Repair Your Computer” and press Enter.

Continuing the restore operation

No matter how you started the System Recovery, when inside, click on System Image Recovery.

Windows will search for the backup media.

You will be prompted to select your backup media. The default is to select the last backup. You can change this setting and manually select a different backup media.

Next, you can choose additional options such as to format and repartition the computer’s hard disk, or to automatically scan and repair disk errors.

Press Finish and Yes when ready to commence with the restore.

The recovery begins, and a progress bar will indicate how long you need to wait.

When finished, the computer will automatically reboot, and you will be able to use it.

Done!

However, if you need to increase this number, you must make a registry modification. The path is not the same as it was in IE 6.0 and IE 7.0, so please take care before making any change to the registry.

A Must for Mastering Windows Vista - Watch These Videos!

I just finished watching the Windows Vista Training videos by Train Signal and I highly recommend this course, as you will learn much more than you will from books (which never seem to have enough detail!). Their learn by doing approach is excellent because it shows you the "ins and outs" of Vista instead of reading pages and pages of theory.

Daniel Petri, Petri IT Knowledge Base

Click Here to Watch the Windows Vista Videos!

Please carefully read the following warning:

Warning!

This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.

To do so, follow the next steps:

1. Start Registry Editor.

2. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER

3. If it doesn't exist, on the Edit menu, point to New, click DWORD Value, and then add the following registry values:

Value name: iexplore.exe

Value data: 10

Base: Decimal

Note: By setting the value to 10, you increase the connection limit to 10.

4. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER

5. If it doesn't exist, on the Edit menu, point to New, click DWORD Value, and then add the following registry values:

Value name: iexplore.exe

Value data: 10

Base: Decimal

Note: Again, by setting the value to 10, you increase the connection limit to 10.

6. Exit Registry Editor.

Internet Explorer 8 should now be able to download up to 10 simultaneous files.

LANsurveyor: Map Your Network in Minutes!

Relax while LANsurveyor automatically maps your network.

LANsurveyor automatically discovers your LAN or WAN and produces comprehensive, easy-to-view network diagrams that can be exported into Microsoft Office® Visio®.

You Have Got To Try This! Get the Download Here...

Method #1: By using the Task Manager

In Windows Vista and Windows Server 2008, the Task Manager has been beefed up to show additional information about the system. One of these pieces of info is the server’s running time.

1.    Right-click on the Taskbar, and click Task Manager. You can also click CTRL+SHIFT+ESC to get to the Task Manager.

2.    In Task Manager, select the Performance tab.

3.    The current system uptime is shown under System.

Method #2: By Using the System Information Utility

Probably one of the easiest methods to accomplish this task. The Systeminfo command line utility checks and displays various system statistics such as installation date, installed hotfixes and more.

Open a Command Prompt and type the following command:

systeminfo

You can also narrow down the results to just the line you need:

systeminfo | find "System Boot Time:"

Method #3: By Using the Uptime Utility

Microsoft have published a tool called Uptime.exe. It is a simple command line tool that analyzes the computer's reliability and availability information. It can work locally or remotely. In its simple form, the tool will display the current system uptime. An advanced option allows you to access more detailed information such as shutdown, reboots, operating system crashes, and Service Pack installation.

Read the following KB for more info and for the download links:

Uptime.exe Tool Allows You to Estimate Server Availability with Windows NT 4.0 SP4 or Higher

http://support.microsoft.com/kb/232243

To use it, follow these steps:

1.    Download uptime.exe from the above link, and save it to a folder, preferably in one that's in the system's path (such as SYSTEM32).

2.    Open an elevated Command Prompt window. To open an elevated Command Prompt, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. You can also type CMD in the search box of the Start menu, and when you see the Command Prompt icon click on it to select it, hold CTRL+SHIFT and press ENTER.

3.    Navigate to where you've placed the uptime.exe utility.

4.    Run the uptime.exe utility. You can add a /? to the command in order to get more options.

uptime.exe

Method #4: By Using the NET STATISTICS Utility

Another easy method, if you can remember it, is to use the approximate information found in the statistics displayed by the NET STATISTICS command.

Open a Command Prompt and type the following command:

net statistics workstation

The statistics should tell you how long it’s been running, although in some cases this information is not as accurate as other methods.

Method #5: By Using the Event Viewer

Probably the most accurate of them all, but it does require some clicking. It does not display an exact day or hour count since the last reboot, but it will display important information regarding why the computer was rebooted and when it did so. We need to look at Event ID 6005, which is an event that tells us that the computer has just finished booting, but you should be aware of the fact that there are virtually hundreds if not thousands of other event types that you could potentially learn from.Note: BTW, the 6006 Event ID is what tells us when the server has gone down, so if there’s much time difference between the 6006 and 6005 events, the server was down for a long time.

1.    Open Server  Manager tool by right-clicking the Computer icon on the start menu (or on the Desktop if you have it enabled) and select Manage. Navigate to the Event Viewer.

Note: You can also open the Event Viewer by typing eventvwr.msc in the Run command, and you might as well use the shortcut found in the Administrative tools folder.

2.    Click on Event Viewer (Local) in the left navigation pane.

3.    In the middle pane, click on the Information event type, and scroll down till you see Event ID 6005. Double-click the 6005 Event ID, or right-click it and select View All Instances of This Event.

4.    A list of all instances of the 6005 Event ID will be displayed. You can examine this list, look at the dates and times of each reboot event, and so on.

Note: You can also easily create a Custom View to find all 6005 events. Please read my “Working with Filtering and Custom Views in the Vista Event Viewer” article for more information.

I will use the System Log and 6005 Event ID as the parameters for the custom view, and bingo, we can see all recent reboots of the system.

Method #6: By Using WMI

I found this nice article by the Microsoft Scripting Guy (read article for more details). I've changed the original suggestion a bit to make it more readable. Copy the following text into a text file and save it with a VBS extension. When done, double click on the file to get the system’s running time in minutes.

strComputer = "."

Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * From Win32_PerfFormattedData_PerfOS_System")

For Each objOS in colOperatingSystems
    intSystemUptime = Int(objOS.SystemUpTime / 60)
    strMessage = "System uptime is "  & intSystemUptime & " minutes"
    msgBox strMessage, 0, "System Uptime"
Next

Hey, Scripting Guy! How Can I Determine the Uptime for a Server?:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0802.mspx

Method #7: By Using PowerShell

I found this interesting article by the Microsoft Scripting guys. The logic and explanations are too long for me to include here. Read it for more information.

Use PowerShell and WMI to calculate server uptime:

http://technet.microsoft.com/en-us/magazine/2008.12.heyscriptingguy.aspx?pr=blog

ObserveIT Express is a freeware version of ObserveIT's flag ship product - the Pro edition. Read more about it on my "Free Remote Desktop, Terminal & Citrix Session Recorder: ObserveIT Express" article.

In its new version there are various changes that have been made to the product’s user interface (UI) and functionality. Some of these changes and features include:

•    Indication of the length of user sessions
•    “On-Air” real-time replay of active sessions
•    Administrator-initiated server messages with acknowledgment and reply functions
•    Granular permissions for user objects
•    Ability to exclude specific users from being recorded
•    Faster Identification Services pop-up window

Indication of the Length of User Sessions

ObserveIT now allows an administrator or auditor to clearly view the overall length of a user session. It does so by displaying the start and end time of each session. This change makes it easier to quickly determine the start and end of each user session.

Note: If the user session is still active, that last user action time is reflected on the results window, however an “On-Air” icon will represent the fact that the session is still active and the user is still logged on to that server.

Figure 1: Session Duration

“On-Air” Real-time Replay of Active Sessions

One of the most exciting features of ObserveIT is the new “On-Air” feature which allows the administrator or auditor to clearly see that the user session is still active on that server, and if clicked upon, it will launch the Slide Viewer in a real-time refresh mode. In this mode, any action performed by the logged on user in the replayed session will be instantly transmitted to the slide viewer, making it possible to view the user actions in real time.

Figure 2: “On-Air” icon

Administrator-initiated Server Messages with Acknowledgment and Reply Functions

In this version it's possible for the ObserveIT administrator to create one or more messages that will be displayed when a user logs on to the monitored server (agent). This feature enables the administrator to send warnings, information or other types of text to the users that are about to log on to the monitored servers, and is useful in cases of multiple administrators or remote vendors accessing the same machines, ongoing project notifications or other types of one-way communication.

Figure 3: Creating Server Messages

The message(s) will be displayed on the monitored servers’ desktops right after the user logs in. The message(s) window cannot be moved, minimized or resized, and thus forces the user to read it. Each message has an “Acknowledge” check-box that the user must click on in order to acknowledge it, and either move to the next message or close the window in case there was just one message. The user can also move back and re-read the message(s) in case of multiple messages.

Figure 4: Server Messages

While messages are most likely viewed as one-way communication, another feature of the administrator-initiated message is the ability of the receiving user to enter a reply text which will be displayed in the Server or User Diary. This makes it possible for the user or remote vendor to provide textual information back to the ObserveIT administrator or auditor, and have that information recorded inside the ObserveIT database.

ObserveIT provides an easy to use interface for creating, editing, deleting or viewing these messages and replies. Messages can have different characteristics such as the display interval, duration, server focus and more.

Figures 5, 6: Viewing Server Messages

Granular Permissions for User Objects

ObserveIT uses the concept of Console Users. These users can have one of two types of roles, allowing the ObserveIT administrator flexibility when there is need for more than one administrator role, or when there are several separate auditors that need access to specific groups of servers based upon their role in the company:

• An Administrator - role has full control over all the management features of ObserveIT. An Administrator can make changes to the ObserveIT configuration, and is allowed to view all session recordings.
• A View-Only Administrator - role can view session recordings, but cannot gain access to any ObserveIT configuration option. These users can be granted access to certain groups of servers, depending on their job function and security clearance.

The new version of ObserveIT allows the administrator to grant permissions for auditors to replay sessions and be exposed only to information that was generated by specific users. This way, the auditor can only view specific recorded sessions and will not be exposed to potentially sensitive information that was recorded on other sessions that were created by users outside the scope of that auditor’s responsibility.

Figure 7: Granting permissions for specific users

Ability to Exclude Specific Users from Being Recorded

By using Server Policies (which are a collection of configuration settings allowing the administrator flexibility in configuring the recording options, identification services and other Agent settings), it is possible to configure the recording policy to record all logged on users (the default behavior), only record specific users excluding any user not specifically entered, or record all users excluding one or more users.

This makes it possible for the ObserveIT administrator to configure the system not to record particular users that need not be monitored.

This setting is very flexible and can be changed in matter of seconds.

Figure 8: Excluded Users

Faster Identification Services Pop-up Window

With Identification Services enabled, ObserveIT can be configured to require users that logon to the monitored servers to identify themselves with a secondary ObserveIT logon prompt. These users are also known as "Forced-Identification" users.

Whenever a Forced-Identification user logs on to any ObserveIT-monitored server or workstation, the user will first enter their credentials in the regular Windows logon screen prompt. After passing that authentication phase, the user will be displayed with a secondary ObserveIT logon screen.

In this version of ObserveIT, the secondary ObserveIT logon prompt has been re-written to appear faster that before, allowing the logged on user faster access to the desktop.

Figure 9: ObserveIT Secondary Logon

Conclusion

Based upon customer feedback and development map, the new version of ObserveIT brings exciting new capabilities and UI changes, allowing administrators and auditors to have a far better control, flexibility and granularity when configuring the various policies and management tasks. Real-time replaying of recorded sessions is now made available, along with server messages and recording policy improvements and better granular access control configuration for user objects.

You can obtain the freeware version of ObserveIT from this link:

Download ObserveIT Express

For the enterprise, Microsoft is working hard to pair Windows Server 2008 R2 with Windows 7 to help admins enable all of the remote functionality of Win 7, particularly for road warriors.

“With the release of Windows Server 2008 R2, companies of all sizes will get big improvements in virtualization, Web and management,” he says. “These areas, along with several features that improve scalability and reliability, help deliver a strong value proposition on the server side to complement Windows 7.”

If you haven't downloaded the Windows 7 Release Candidate yet, you can download the limited time eval version here.

As always, unlimited eval versions of all Microsoft products are available through Technet Plus Direct

The Technet Windows 7 RC Center has previews and videos available as well.

* Here at the  Petri Knowledgebase, we'll be continuing to build out our Windows 7 category, so be sure to watch for ongoing updates in this category over the summer!