La presente comunicazione intende fornirle le seguenti informazioni in ambito sicurezza:

• Microsoft Security Advisory 935964 (Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution)

Microsoft Security Advisory (935964)

Microsoft Security Advisory 935964 – Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Microsoft è a conoscenza di nuovi ulteriori attacchi che sfruttano la vulnerabilità indicata e discussa nel Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

Per evitare una rapida diffusione di situazioni critiche e che la vulnerabilità possa essere sfruttata anche tramite l’utilizzo di apposite varianti di worm, Microsoft consiglia ai propri Clienti di applicare immediatamente il workaround descritto nell’apposita sezione (Security Advisory 935964), il quale permette di bloccare in modo efficace i tentativi di exploit di tale vulnerabilità che potrebbero essere effettuati tramite la rete.

Microsoft sta lavorando allo sviluppo di un update, nel frattempo si consiglia di procedere con urgenza con l’applicazione del workaround indicato senza attendere il rilascio dell’aggiornamento previsto.

Si ricorda inoltre che le versioni affette dal problema sono Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 e Windows Server 2003 Service Pack 2.

Raccomandazioni:

Consultare il Security Advisory 935964 per una descrizione generale del problema, dettagli sui componenti interessati, fattori mitiganti, azioni suggerite, FAQ e link a risorse aggiuntive.

Per ulteriori dettagli consultare:

·         Microsoft Security Advisory 935964 – Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx

·         MSRC Blog:
http://blogs.technet.com/msrc/

L'elenco dei Microsoft Security Advisory già pubblicati sono disponibili alla pagina:
http://www.microsoft.com/technet/security/advisory/default.mspx

Introduction

Exchange provides you with a single administration tool, Exchange System Manager. However, you also have to use the Active Directory management tools to solve problems, and sometimes also use the IIS management console, because Exchange relies on the underlying web components.

These days you need access to these tools anywhere you go, because Exchange is a critical system, and system administrators are generally not locked up in the computer room. Knowing how to solve problems remotely can save you time when in the middle of the night, instead of driving to work, you simply interface with your systems from your laptop or home computer. Remote access also allows small businesses to save money by relying on technicians that are not onsite.

Local administration

Before we go on the road, let's first consider how we access Exchange locally. A lot of Exchange issues are solved by using the Active Directory Users and Computers management console. For me, as a seasoned Exchange administrator, the easiest way is to go to Start -> Run, type "dsa.msc" and press the Enter key.

However, Microsoft Exchange engineers thought it would be cool to call Exchange System Manager's management console "Exchange System Manager.msc" and also forgot to add the Exchange "bin" directory where this console is located to the system path. So, even if you decide you want to type the full name, Windows will not be able to locate it.

This leaves us with a few other options. Start -> Programs -> Microsoft Exchange -> System Manager is the obvious one. A lot of people drag and drop this icon to the  desktop and access it there. I like to drag and drop it in the quick launch toolbar. If you can't see this toolbar, right click on an empty spot in task bar and choose Toolbar -> Quick Launch.

Figure 1

Along with the Exchange System Manager shortcut, you can drag all the other tools you might need.

Figure 2

You can also create a single management console. For this choose Start -> Run and type "mmc" and press Enter. This will open an empty management console. Now choose File -> Add/Remove Snap-in to add more management console snap-ins to your console.

Figure 3

Pressing the Add button will present you with a list of available snap-ins.

Figure 4

When you add a console, you might be required to select a domain controller to connect to. I sometimes create a management console which connects to different domain controllers to help diagnose replication problems. For a day to day basis though, choosing "Any Writable Domain Controller" is the best option.

Figure 5

After adding a few snap-ins, you get a nice all-in-one tool for administrating your Exchange servers.

Figure 6

Now we can save this onto the desktop or any other convenient folder by choosing File -> Save as…

Saving a console in the Windows directory or any other directory in the search path will allow you to run it using Start -> Run by typing the console name.

Figure 7

Short names in this case with no spacebars, are preferable.

Installing Exchange Management Console on a Workstation

Since, as mentioned before, we want to limit our visits to the cold, cold, server room, we can install Exchange Management tools on a Windows XP Professional workstation.

First of all, make sure that Service Pack 2 (or later) is installed on your Windows XP workstation. Installing the latest patches from the Windows Update site is also recommended.

Once this is done you need to install the Windows 2003 Administration Tools. The package is called adminpak.msi and can be located on any server at the [system drive]:WindowsSystem32 folder. You can access it through the network using UNC by typing for example: \dc1c$windowssystemsadminpak.msi

To install Exchange System Manager itself, first you have to install the IIS core components. In previous versions of Windows workstation you also had to install the SMTP service and then disable it but this is no longer required, starting from Windows XP SP2. To do so go to Start -> Settings -> Control Panel and choose Add/Remove Programs. There choose Add/Remove Windows Components from the left grey pane.

Figure 8

Locate "Internet Information Services (IIS)" in the list and press the "Details" button. There choose "Common Files" and "Internet Information Services Snap-In".

Figure 9

This will neither make your workstation a web or a mail server of any kind. It will just enable you to manage them. You should have the Windows XP Professional SP2 CD available for this process, or perhaps located on a network drive.

Figure 10

Now your workstation is ready for installing Exchange System Manager. Before we begin this process, let me state that installing ESM is the same as installing an Exchange 2003 server. You first have to install from your original Exchange media (or a copy of it) and then install Exchange 2003 SP2 on top of it.

To perform the installation, run under the Exchange 2003 Media CD or its copy, the setup.exe file located in the "ExchangeSetupI386" folder. For some reason the installation does not distinguish between Windows 2003 and Windows XP, and will even let you try to install Exchange services. Since we are not interested in that you should choose "Custom" for "Microsoft Exchange" and "Install" for "Microsoft Exchange System Management Tools".

Figure 11

The process is almost the same for the Exchange 2003 SP2 update though the file is called update.exe instead of setup.exe and the Actions are updated (you need not change the default). Once installation is done you can create a local management console as shown in the previous section.

If you've got Outlook installed on your workstation, you might encounter some MAPI related problems because Outlook and Exchange use different versions of MAPI. To solve this follow the steps detailed in this Microsoft KB article.

Remote Desktop

The question remains to be asked, "Why bother with all this complex installation process?" There are a few utilities that allow you to connect remotely to an Exchange server. The most common is Remote Desktop, previously called Terminal Services. To run it go to Start -> Run and type "mstsc" then press Enter. You can also find the shortcut for it under Start -> Run -> Programs -> Accessories -> Communications.

On a typical server you would be able to start no more than two Remote Desktop sessions. This is why I usually type "mstsc /console" which logs on to the primary session of the server. If you go to the server and unlock it using the same user you will be able to access this session. If you don't want to fuss with the Remote Desktop GUI you can simply type "mstsc –v:[server name] /console".

Remote Desktop is easy to set up through Firewalls and doesn't require domain membership and such. You simply need to create a rule opening port 3389 to a particular server and limit it to certain IP address or Firewall users. You can also set up VPN access and access it using the server's internal IP.

If you plan to access a server through the Internet, best thing to do is implement a black and white color scheme for the server, and set a blank black desktop bitmap. This will speed things up. The GUI can allow you to further save on bandwidth.

Figure 12

Pressing "Options" will reveal a lot of ways to tinker with Remote Desktop, such as limiting display size and colors.

Figure 13

Figure 14

Connecting to local devices and playing remote can really slow you down. Of course sometimes you will need to transfer files or print, but try to make this the exception, unless you are connecting internally. Last but not least you can limit a few graphic Windows elements.

Figure 15

After you finish setting the connection up you can save it for future use.

Figure 16

Please note that in a Remote Desktop session Ctrl + Alt + End replaces Ctrl + Alt + Del, or if you prefer the mouse you can choose Start -> Settings -> Windows Security. If you installed adminpak.msi in the previous section, you get the Remote Desktops MMC Snap-in which you can add to your management console and set up all the remote desktop connections that you need.

Figure 17

You can download this tool here. You can also download the Remote Desktop add-in for Active Directory Users and Computers and right click a server there to connect to it remotely.

Introduction

Let's say someone at the corporate level asks you to add some company events to all the employee calendars. So, you consider your options in an internal meeting. The most obvious option is to send a meeting request to everyone. Once you learn that there are actually quite a few events and also realize that not everyone accepts these meetings (as a convenient way of not going to some of the more tedious events).

So, you consider other options. Outlook has two formats of holidays lists you can import. Outlook.txt is used by Outlook 97, 98 and 2000 and Outlook.hol is used with Outlook XP/2003 and Outlook 2003. You can customize them but users must import them manually, you can import them by creating a profile for each user on a single computer and do this yourself. This can be quite tedious work so you might decide to script the whole thing or even use a pre-prepared code such as this one:

http://www.outlookcode.com/d/forms/holiday.htm

Testing shows that while this code works great on Outlook 2000 with no SP3 installed and below, newer versions will block macros, or ask users to allow these macros to work. You can sign the macros, but you still have to distribute them through the login script which is fine if you're not considering people who rarely login to your internal network such as external employees and some of the sales force. Some of them will be quite insulted when they're not invited to some of the events.

Is all this giving you a headache yet? Well, I propose a different method, that uses the Exchange ExMerge tool to distribute these events.

Installing ExMerge

The Exchange Server Mailbox Merge Wizard was originally a "last resort" tool used to extract information from servers with damaged databases and as a way to migrate mailboxes to a new organization.

Exmerge basically copies all the information from a source server into a .PST file which then can be merged into the destination server. But it can also be used to merge new data which is useful in our case.

To download Exmerge 2003 go here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=429163ec-dcdf-47dc-96da-1c12d67327d5&displaylang=en

When installing it on a workstation, make sure the Exchange 2003 System Manager is installed.

After installation, add "c:program filesexchsrvrbin" to your path so that Exmerge can locate some required Exchange DLLs. This is done using the Control Panel -> System Applet.

Exmerge requires permissions to all the mailboxes in order to be able to import and export information. This permission is denied by default in Exchange 2000/2003 to the administrative accounts.

To overcome this you need to use the ADSIEdit tool. To use it, first install the Windows 2000/2003 Support Tools. Then locate the Exchange Organization object as shown below.

The property page of this object would show the Administrator account, and the Domain Admins and Enterprise Admins to have "Deny" permissions on the "Receive As" and "Send As" properties. Once you uncheck those you would be able to access all mailboxes using the Administrator account.

Alternatively you can create a user, add the user to the "Exchange Enterprise Server group" and the "Server Operators" group.

Creating the Events PST File

Next thing would be to create a template user for the holidays. I've used the Administrator mailbox for this purpose since its calendar was empty.

Now add a few events:

Once this is finished I export everything to a PST file by selecting File -> Import and Export from the main Outlook menu.

Duplicating the PST File

Exmerge exports and imports PST files by using the Alias field which typically would match the usernames. The alias field is known in Active Directory as "mailNickname".

So in order to use Exmerge to import events into multiple calendars we need to use a script making multiple copies of a single PST file like the one just created. Each copy will match the alias of a mailbox.

Following is such a script in VBScript format. To use it simply copy and paste into notepad and save it with a VBS extension. 

Dim rootDSE, domainObject
'Find the domain container for your domain
Set rootDSE=GetObject(LDAP://RootDSE)
DomainContainer = rootDSE.Get("defaultNamingContext")

Set fs = CreateObject ("Scripting.FileSystemObject")

'Now we want to open a channel to Active Directory:

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"

'After opening a channel we construct the LDAP query.  It looks for all the

ldapStr = "<LDAP://" & DomainContainer & ">;(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ));adspath;subtree"

'Then we actually execute the LDAP query.

Set rs = conn.Execute(ldapStr)

'So, now we've got an array of users (rs) that we can use.

While Not rs.EOF

     Set oUser = GetObject (rs.Fields(0).Value)
'Disregard the System Mailbox used internally by Exchange

        if Left (OUser.MailNickname,13) <> "SystemMailbox" Then

'Make a copy of the original PST with using the alias of the user

        fs.CopyFile "c:PSTadministrator.pst","C:PST" & OUser.mailNickname & ".pst"
     End If
     rs.MoveNext
Wend

The script assumes that the template user is Adminstrator and the PST files are in the C:PST folder, but you can change the line that says:

fs.CopyFile "c:PSTadministrator.pst","C:PST" & OUser.mailNickname & ".pst"

to whatever you want. Other than that the script will work in any domain and organization so there's no need to change that.

Importing Using Exmerge

Now we are ready to run the Exmerge Wizard.

Once the import process is finished, opening a user's mailbox shows the appointments.

Deleting Appointments

So setting up the events is taken care of, but what if you need to reschedule or delete an event?

The advanced options of Exmerge allow you to delete any item based on criteria so you can use the "Extract" process to do this. This process exports the information you select to PST files you can simply delete.

Here I selected the "Apocalypse" meeting to be deleted.

And indeed once the process is over the meeting is deleted from all the mailboxes.

Windows 2003 has a Built-In Backup program called NTBACKUP which you can use to backup your Windows environment and when you had installed Exchange 2003 on this system, NTBACKUP is enhanced to allow backups of your Exchange Server databases.

NTBACKUP features

• Local and remote backup of data
• Exchange Backup ready
• Scheduled Backups
• Volume Shadow Copy support
• Integration with Removable Storgae from Windows 2003

How do you enhance NTBACKUP with the capability to Backup Exchange 2003 without installing Exchange Server?

You must install the Exchange System Manager on the Backup Server to backup Exchange Server. It is possible to backup the Exchange Server without Exchange System Manager with the following trick:

Copy ESEBCLI2.DLL from the Exchange 2003 CD into the EXCHSRVRBIN folder

Add the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlBackupRestoreDLLPaths – REG_EXPAND_SZ - esebcli2 - c:exchsrvrbinesebcli2.dll.

After modifying the registry you can use NTBACKUP to backup the remote Exchange Server by clicking – Tools – Remote Store.

Online or Offline Backup?

It is possible to Backup Exchange Online or Offline. The recommended method is to Backup the Exchange Server Online. An online backup can backup the Exchange Server databases without the interruption of Exchange services.

An offline backup is a simple copy of the Exchange database files. The Exchange Information store must be stopped before NTBACKUP can be used to Backup your Information store.

Volume Shadow Copy

Beginning with Exchange 2003 it is possible to do Exchange 2003 Volume Shadows Copy backups with 3^rd party Backup applications, but not with the built-in Windows Server 2003 NTBACKUP utility.

The Volume Shadow Copy service coordinates its communication between Requestors (backup applications), Writers (applications like Exchange Server 2003), and Providers (software or hardware components that create the shadow copies). To use the Volume Shadow Copy service to backup Exchange Server 2003, the backup program must include an Exchange Server 2003 aware Volume Shadow Copy service requestor. Because the NTBACKUP program has no such requestor, organizations must use third-party backup applications or implement Exchange 2003 SP1 in its organization.

Backup choices

• Minimum selection is the storage group (SG) to truncate log files
• VSC can create a Snapshot from multiple SG at the same time

Restore choices

• You can choose the entire storage group or a single database or multiple databases from a single SG
• Exchange 2003 RTM supports full backups and copy backups
• All databases must be mounted to purge logfiles

Backup

To start the Backup process click Start – Run – NTBACKUP.

Figure 1: Start the Backup process

During an online backup, the .edb, .stm, and .log files that comprise the Exchange store are being backed up and checked for corruption. The Exchange database store is checked for corruption at file system level. File system level damage may be caused by unreliable hardware, firmware, or disks. This check is done by verifying the checksums on each 4 KB block or page in the database. If there is a checksum failure, backup will terminate (Exchange will not allow you to back up an Exchange store with a wrong checksum in it). This is tpyical for the 1018 error.

Choose a place to save the Backup files.

Figure 2: Choose a Backup device

It is possible to disable Volume Shadow Copy.

Figure 3: NTBACKUP options

The Backup process will begin.

Figure 4: The running NTBACKUP process

You can see the status of your Exchange Backups when you start the event viewer and select the application log.

Figure 5: NTBACKUP status in the event log

Transaction Log files and NTBACKUP

Backup Type	What to Backup	Exchange Logs
Normal	Backs up selected files and marks each file as backed up	Backup Logfiles and delete Transaction Logfiles
Copy	Backs up selected files, but does not mark any as backed up	Backup Logfiles but doesn’t delete Transaction Logfiles
Incremental	Backs up selected files only if they were created or modified since the previous backup	Backup only Logfiles but cannot be used with enabled circular logging
Differential	Backs up selected files only if they were created or modified since the previous backup, but does not mark them as backed up	Backup only Logfiles but cannot be used with enabled circular logging. Logfiles will not be deleted after Backup

The type of Backup depends on the configuration of circular logging. You can specify circular logging settings at the Exchange Storage Group level.

Figure 6: Circular Logging settings

Restore

After a succesful Backup it is possible to do an Exchange Server restore in case of emergency.

You must ensure that the Exchange database store to restore is not mounted. You can dismount a Exchange Database Store in the Exchange System Manager by right clicking the database.

Start the NTBACKUP program and select Restore and Manage Media.

Figure 7: NTBACKUP restore process

In the following screen you must select the Server to restore the data, a temporary location for log and patch files (this directory must be empty).

Click Last Restore Set when this is the last restore device (this is also possible with ESEUTIL)

Click Mount Database after Restore if you want to automatically start the restored database.

Figure 8: restore options

Depending on the size of the database, the restore process can be very time consuming.

Figure 9: Restore Progress

You can read the Logfile after an successful or unsuccessful Exchange restore.

Figure 10: NTBACKUP Logfile

The following screenshots shows the Exchange Server MDBDATA directory. As you can see, there are now more Exchange Server Transcation Logfiles except the actual logfile.

Figure 11: NTBACKUP Logfile

Conclusion

The Built-in Windows 2003 NTBACKUP program is suitable for small and medium sized Exchange organizations which don't want to buy an expensive Third Party Backup program.