Exchange: Identifying File Level Antivirus Exclusions For Exchange Server Installations

Summary:

Protecting Exchange against malicious viruses is critical to ensure the health and availability of your messaging environment. However, it is also critical that some folders\files must be excluded from file level scanning. Scanning these critical folders\files can cause serious damage such as corruption, database not being able to mount, restore problems among other issues. According to Microsoft's recommendation, it is critical that you exclude the following directories.


1. Exclude all directories that include your Exchange database files (EDB STM) For example in a default installation, the Exchange database is placed in your \Exchsrvr\Mdbdata folder. Exclude this entire directory.

2. Exclude your Exchsrvr\Mtadata folder

3. Exclude all logs such as message tracking, SMTP. Exclude the directory Exchsrvr\server_name.log

4. Exclude your Exchange queue directory. Exchsrvr\Mailroot

5. Exclude your directory where your IFS creates the streaming .tmp files. The IFS creates these .tmp files when a large object is streamed into the store and the .stm file is too fragmented to have the entire object written in it. For example, a large object can be a message or a file. During normal operation, when the Microsoft Exchange services are stopped, these files are removed from the Temp folder. By defualt, this folder is in the Exchsrvr\Mdbdata directory. However, they can also be in your %SYSTEMROOT%\TEMP directory.

6. Exclude your Exchsrvr\Bin directory

7. Exclude your IIS system files directory %SYSTEMROOT%\System32\Inetsrv

8. Exclude your Gather logs if running search indexing services. These log files contain log information or catalog for the indexing service.

You may elect to just exclude the entire Exchsrvr directory, however the above configuration will give you the best protection.

If you have ever scanned your Exchange directory where your database or logs were stored, your database may be corrupted. The level of corruption cannot be directly quantified. For example the longer your AV was scanning these directories may lead to more corruption but may not be necessarily true. It may also depend on the AV application as well. However, symptoms of corruption may not be immediately visible and may arise further down the road. Therefore, it is best practice to create a fresh database and move your users to the new database.



References:

Lb*.tmp Files Are Created in the TEMP Folder and Are Not Deleted
http://support.microsoft.com/default.aspx?scid=kb;en-us;328583

Exchange lb*.tmp files in the Windows Temp folder cause ESE -2237 error
http://support.microsoft.com/default.aspx?scid=kb;en-us;294462


James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp://ftp://ftp.smtp25.org//


How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Invalid Window Handle ID no: 80040102 Exchange System Manager

Summary:

When clicking on the Client Permissions button of a Public folder in Exchange System Manager, you immediately receive Invalid Window Handle ID no: 80040102 Exchange System Manager. Therefore, you are unable to set client permissions for any of your Public Folders.

Solution:

In this instance, the issue was caused by the Public Folder Hierarchy not having the msExchPFTreeType set. This attribute defines whether your Public Folder Hiearchy is MAPI based or a General Purpose Tree. In an Exchange Org, there can only be one MAPI based Public Folder Hiearchy. However, you can have multiple General Purpose Public Folder Hiearchies. General Purpose Public Folder Hiearchies cannot be accessed via MAPI but via OWA.

To define a MAPI Public Folder Hiearchy, set the msExchPFTreeType to 1.
To define a General Purpose Public Folder Hiearchy, set the msExchPFTreeType to 0.

To verify if your Public Folder Hiearchy is set to 1 follow the procedures below.

1. From your Exchange server or Domain Controller, go to Start, Run, ADSIEDIT.MSC Click Ok. (ADSIEDIT is part of your Windows 2000\2003 Support Tools found on the CD)

2. Expand the Configuration Container.

CN=Services
CN=Microsoft Exchange
CN=Your Exchange Org
CN=Administrative Group
CN=First Administrative Group

Highlight CN=Folder Hierarchies.

On the right pane, highlight CN=Public Folders and select properties. Scroll down to find the attribute, msExchPFTreeType. For the value, check if it is set. If not set, set to 1.

3. Go to services and restart your Microsoft Information store. When service has restarted, open Exchange System Manager, and verify that you can set the Client Permission.


References:

Description of public folder tree types in Exchange 2000 Server and in Exchange Server 2003
http://support.microsoft.com/kb/258509/en-us


James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp.smtp25.org

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Search Network For PST Files

Summary:

In this article, I will provide a script to search your network for .PST files. Microsoft provides a script to search your local computer for a .PST file which you can find here.

http://www.microsoft.com/technet/scriptcenter/resources
/qanda/apr05/hey0408.mspx

I have modified it to also include the computer name since it will be intended to search multiple computers and to write the output to a csv file.

Copy the contents below and save to notepad. Rename this file to searchpst.vbs and save to C: drive.


strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colFiles = objWMIService.ExecQuery _

("Select * from CIM_DataFile Where Extension = 'pst'")

Set fso = CreateObject("Scripting.FileSystemObject")

set wfile = fso.opentextfile("c:\test.csv",2,true)

For Each objFile in colFiles

Wfile.writeline(strComputer & " " & objFile.Drive & " " & objFile.Path & " " & objFile.FileName & "." & objFile.Extension & " " & objFile.FileSize)

Next




Open your command prompt. Start, Run, CMD Ok. Ensure that you are at your your C:\>

Type the following

C:\>cscript searchpst.vbs

Once complete, go to your C: drive and locate text.csv. This csv file should include your computername, drive letter and path of your pst file, name of pst file and size.



Now if you wish to run this on multiple computers on the network you have couple options.

C:\>cscript searchpst.vbs computer1 computer2 computer3


Another option is to have this script read in the computer names from your computers OU in AD.

Copy the contents below to notepad. Save the file as searchpst1.vbs. Open your command prompt and type:

C:\>cscript searchpst1.vbs

Set colComputers = GetObject("LDAP://CN=Computers, DC=msexchange911, DC=net")
For Each objComputer in colComputers
strComputer = objComputer.CN
on error Resume next
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery _
("Select * from CIM_DataFile Where Extension = 'pst'")
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\test.csv",2,true)
For Each objFile in colFiles
Wfile.writeline(strComputer & " " & objFile.Drive & " " & objFile.Path & " " & objFile.FileName & "." & objFile.Extension & " " & objFile.FileSize)
next
next


References:

Running WMI Scripts on Multiple Computers
http://www.microsoft.com/technet/scriptcenter/resources
/tales/sg1102.mspx

How Do I Get a List of All PST Files on a Computer
http://www.microsoft.com/technet/scriptcenter/resources
/qanda/apr05/hey0408.mspx


James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Public Folder Fails To Mount c1041724

Summary:

Public Folder fails to mount. Attempting to mount a Public Folder in Exchange System Manager produces error c1041724.

Cause:

Although there are multiple causes such as lack of permissions, disk space issues or corruption, in this instance the Public Folder database did not mount and produced c1041725 because the store did not point to a valid Public Folder Tree in Adsiedit.

Resolution:

To verify if your Public Folder Store is pointing to a valid Public Folder Heirarchy, perform the following steps.

Note: Use ADSIEDIT with caution, changes can be irreversible. Ensure you have good backups of your Exchange and System State for your Domain Controllers.

1. From your Exchange server or Domain controller, go to start, run, type adsiedit.msc click ok. (Adsiedit is part of your Windows 2000\2003 support tools)

2. Expand Configuration Container (DC hostname)

3. Expand to

CN=Services
CN=Microsoft Exchange
CN=Your Exchange Organization Name
CN=Administrative Groups
CN=First Administrative Groups
CN=Folder Hierarchies (Highlight this)

4. On the right pane, right click CN=Public Folders and select properties

5. You should see a list of attributes. Find the attribute "distinguishedName" The value should resemble similar to:

CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=MSexchange911,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Msexchange911,DC=net

Copy this to a notepad we will need to reference this value later.

6. Cancel out that windows. Back in Adsiedit on left pane, expand

CN=Servers
CN=YourExchangeServername
CN=Information Store
CN=YourStorageGroupName

Ensure you select the storage group that is hosting your public folder database.

7. On the right pane, select CN=YourPublicFolderStoreName, right click properties. Locate the attribute "msExchOwningPFTree" For the value, it should equal the value in step 5.



James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

ADMODIFY: You Receive Failed Changes When Using a Valid Attributte In the Custom Tab

Summary: Admodify is a great utility to make bulk changes for Active Directory objects such as if you wanted to remove an email address for multiple people instead of having to go to each individual account to make the changes. With the latest version of Admodify you can create custom modifications if you know the LDAP attribute. However, when you enter this custom attribute and value into the custom tab you receive a dialog box "Operation Completed" but you receive "Failed Changes" You verify that the attribute name and value are correct.

Case Study:s

In this instance, I was trying to modify the "deliverAndRedirect" attribute. To see what this attribute does:

1. Open Active Directory Users and Computers.

2. Go to the properties of any user account.

3. Go to the Exchange General Tab,Delivery Options.

4. Locate the check box "Delivery Messages to Both Forwarding Address and Mailbox"

This checkbox corresponds to the following LDAP attribute "deliverAndRedirect"

5. I launch ADMODIFY, Modify Attributes. In the Domain List drop down box, select your domain. In your domain controllers list select you domain controller. If ytour Domain Controller does not appear, skip it, it will resume.

6. Uncheck Groups, Contacts and Public Folders and click the Green Arrow.

7. Highlight your Domain and click Add to List at the bottom. Click Ok at the dialog box to enumerate your list of users.

8. In the right pane, highlight a user or multple users and click next. Click the custom tab.

9. Click "Make a customized attribute modification"

Attribute Name: deliverAndRedirect
AttributeValue: True

You click OK. However you get failed changes.


Cause: The attributes Values are case sensitive. In this case True should be set to TRUE.

Attribute Name: deliverAndRedirect
AttributeValue: TRUE



James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Default Permissions on Exchange Organization

Summary:

The following lists the default permissions on the Exchange Organization on the root of ESM. For Exchange to perform correctly the following permissions are required. Not having the correct permissions can cause issues with Recipient Update Service not running, security vulnerabilities in which unauthorized users have access to mailboxes other than their own and a variety of other issues.

1. Open ESM, right click your Exchange Org name at the root, and select properties. Select the security tab. If you do not see the security tab. Close ESM. Go to Start, Run, type Regedit. Navigate to:

HKEY_Current_User\Software\Microsoft\Exchange\Exadmin.

Create a new DWORD. Name this ShowSecurityPage and give it a value of 1 (Decimal) Close Registry.

2. In ESM, right click your Exchange Org name at the root and select properties and click security tab.

- You should see Exchange Domain Servers for each domain that you host. This group contains Exchange servers from each domain and gives access to the Exchange Configuration container in AD. The Exchange Domain Servers should also be a member of the Exchange Enterprise Servers Domain local security group.

- Authenticated Users should have special permissions (Read Properties and List Object)

- Everyone should have Create Named Properties in Information Store, Create Public Folder, Read, Execute, Read Permissions, List Contents, Read Properties, List Object

Note: By default all Users and Groups listed should have deny set for Send As and Receive as rights except for Exchange Domain Servers.




James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

Outlook: Demystifying Outlook Cached Mode

Summary:

Outlook 2003 provides a neat feature called Cached Mode. When running Outlook 2003 in Cached Mode, you have the option to download all messages to a local .OST file (similar to a .PST). Thus most of your Outlook tasks is performed locally rather than from your MB that's stored on the server side. This reduces server load and network bandwidth. The following provides list provides an overall picture of running Outlook in Cached Mode.


1. Reduce server load and network bandwidth since tasks/operations are performed locally.

2. You have the option to download all messages when starting Cached Mode or to download only headers such as in IMAP

3. If network connectivity is lost, you still have access to existing content.

4. Some features are still performed on the server side such as Out of Office messages and processing of Outlook rules

5. A common issue user's experience is not getting a real time Global Address List. For example, if a new user is created, a user in Cached Mode may not see this new user in the Global Address Book. This is because when in Cached Mode, you download a copy of the GAL once a day which is by default. You can force to re-download the GAL through Outlook Send\Receive settings. Another option is to use a registry hack

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Cached Mode

Value name: ANR Include Online GAL
Value type: REG_DWORD
Value: 1 (1=enabled, 0=disabled)

Additional Resources with GAL and OAB

How to configure how the Offline Address Book is downloaded when you use Outlook 2003 in Cached Exchange Mode
http://support.microsoft.com/kb/823580

Administering the Offline Address Book in Outlook 2003
http://support.microsoft.com/kb/823580

6. Outlook Cached Mode works best with MB's less than 1GB in size.



James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Exporting and Querying Message Tracking Logs Using Log Parser

Summary:

Exchange Message Tracking utility is a great feature which enables administrators to track message flow for troubleshooting or verification. To enable message tracking, you must go into the properties of the server in Exchange System Manager. In ESM (Exchange System Manager) expand your administrative group, servers, highlight your server, right click properties. Here, you see the option to enable message tracking. In Exchange 2003 you can specify the directory on this pane as to where you want to store these message tracking log files. For 2000 these logs are stored in your Program Files\Exchsrvr\ExServer1.log directory. If you wish to change the location, follow the KB article at the end of this article. When using this tool from ESM, the information is gathered from these message tracking logs. If you were to open these log files, you can see that it is very difficult to read and the message tracking tool in ESM does not give you the option to pipe the results in a file. This article will go over how to export the contents of the message tracking log file to a more friendly text file using Log Parser utility.


Export Exchange Message Tracking Log to a CSV File using Log Parser

1. Download LogParser 2.2

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Note: You can also use the Log Parser GUI but is very limited. You can download the GUI version from: http://www.logparser.com/simpleLPview00.zip

If you wish to use the GUI version, copy all DLLs and EXE files to the your system32 folder and run the LPview00.exe from the system32 folder. (The following steps below assume that you are working with the CLI version.

2. Once you have download Logparser 2.2, go to Start Menu, Programs, Log Parser 2.2, Log Parser 2.2. This will launch a command prompt.

3. Now you can run SQL statements against the message tracking log file. The example below will query any entry where the recipient address is user1@company.com and export it to a text file called export.txt

C:\Program Files\Log Parser 2.2>logparser -q -i:w3c "SELECT* FROM c:\temp2\log.log
WHERE Recipient-Address like `user1@company'" > c:\export.txt

I will have more sample SQL queries soon so check back! If you wish to request a specific SQL query, you can email from.

References:

LogParser References
www.logparser.com
http://www.securityfocus.com/infocus/1712.

How to change the location of the message tracking logs in Exchange 2000 Server
http://support.microsoft.com/kb/317700/



James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Perfmon Exchange Counters Missing

Summary:

When launching Windows Performance Monitor and scrolling through the Performance Object list, no MS Exchange counters are present. In this instance there are two common issues. One, the Exchange performance counter respository has been disabled and is just not viewable. Second, the performance counter may be corrupted, missing and just needs to be re-built. The Exchange performance counters are in the .ini files within the Exchange Bin directory. To correct the issue start with resolution 1. If this does not correct the issue, rebuild the repository in resolution 2.

Resolution 1.

In some instances, performance counters are just disabled from view. In order to check the status to see if the counter is enabled or disabled, you can use EXCtrlst from the Windows 2000 Resource Kit.

Download Resource Kit
http://www.dynawell.com/support/ResKit/winnt.asp

ExCtrLst - Extensible Performance Counter List
This tool provides information on the Extensible Performance Counter DLLs that have been installed on a computer running Windows 2000\2003, listing the services and applications that provide performance information via the Windows 2000 registry.

1. Save the ExCtrlst to your C:\ drive. Double click the file Exctrlst.exe

2. This will launch the Extensible Counter List Window

3. Scroll through the list until you see your Program Files\Exchsrvr\Bin directory. This will list all the Exchange counters. Highlight it and towards the bottom, see if the performance counter enabled is checked.

4. If the counters are already enabled, then procedure to resolution 2.

Resolution 2

This procedure will go over rebuilding the Exchange performance counter libraries.

1. Go to your command prompt, Start Run, CMD, Ok.

2. C:\>lodctr.exe /r (This will rebuild all performance counters. Wait a few mins for it to rebuild and close and re-open Performance Monitor. If the Exchange counters do not appear go to step 3.

3. Try to rebuild each Exchange counter manually. For example, if you want to rebuild the imap counters

C:\>lodctr.exe imap4ctrs.ini

You can view all the counter ini file names by going to your Program Files\Exchsrvr\Bin directory.



James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Export SMTP Relay List

Summary:

There may come a time where you wish to export your allowed relay list in your SMTP virtual server. There is nothing in the SMTP Virtual server that can export the list. This can become encumbersome if your organization maintains a long list of relay hosts. I first approached this by trying to perform an LDIFDE query for the SMTP VS object in ADSIEDIT.

CN=1,CN=SMTP,CN=Protocols,CN=EXC03,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=MSexchange911,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Msexchange911,DC=net

However after reviewing the output and viewing the msExchSMTPRelayIPList I noticed that the output was in octet format.

msExchSmtpRelayIpList::
GAAAgCAAAIA8AACARAAAgAEAAABMAAAAAAAAAAAAAAAB
AAAAAQAAAAIAAAACAAAABAAAAAAAAABMAA
CAAAAAAAAAAAAAAAAAAAAAAP////8CAgIC

After doing some research, I came across the following KB article which converts different string formats.

SAMPLE: ARRAYCONVERT.EXE Variant Conversion Functions
http://support.microsoft.com/kb/q250344/

After some testing, I could not get this to work. I came across another utility from the Exchange 2000 resource kit called IPSec.vbs. This script has a wide variety of functions to manage your IP Security settings including exporting your relay list. To export the relay list using IPSec.vbs:

1. Download IPSec.vbs

ftp://ftp.smtp25.org/[ James Chong Scripts ]

Download the entire folder ExIPSecurity and save it to your C:
2. Open command prompt and go to your ExIPSecurity directory.

3. C:\ExIPSecurity>regsvr32 exipsec.dll

4. C:\ExIPSecurity>cscript ipsec.vbs -s Exchangeserver -o e -r relay -d DCServername > c:\ExIPSecurity\relaylist.txt

This will export the relay list to a relaylist.txt file.

Other useful tips using IPsec.vbs

Examples:
Ipsec.vbs -d dc1 -o e -r connection
Ipsec.vbs -d dc1 -o a -r relay -v 127.0.0.1
Ipsec.vbs -d dc1 -o a -r accept -v 123.123.123.0 -m 255.255.255.0
Ipsec.vbs -d dc1 -s server1 -o d -r connection -t domain -v domain1
Ipsec.vbs -d dc1 -s server1 -o c -r deny
Ipsec.vbs -d dc1 -i 2 -o s -r relay -g grant

Note that options '-o s' and '-t domain' are not allowed in global accept/deny lists.




James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Event Monitoring Via WMI (Backup Report)

Summary:

In this article, I will provide a sample script to monitor event IDs and email the event to the specified email address. This sample code implements the use of WMI quering the Win32_NTLogEvent class for event ID 213. Event ID Source ESE 213 indicates the completion of Exchange Backups. If you do not see Event ID 213, you may be using a third party backup application that does not use the Exchange backup API. If this is the case, you will need to identify the event ID that your third party application uses.

The script will email out so you will need to specify your SMTP server in this script.

Note: You can use built in Windows command eventcreate.exe to simulate event to test.

Event ID 213
Information Store (4168) TEST.NET: The backup procedure has been successfully completed.



1. Modify the portion of the script to specify the source and destination email addresses to send from and to.

2. Copy the contents below and name the file eventmon.vbs

3. Double Click the file. It will continously monitor for the event 213. Therefore you will see wscript process running in task manager process tab. To terminate the job, click end task.

Note: You can download this file from ftp://ftp.smtp25.org/[ James Chong Scripts ]

set objEmail = CreateObject("CDO.Message")

'strComputer=Inputbox("Enter the computer name you want to monitor")
'if strcomputer="" then
strComputer = "."
'end if

set objwmiservice=getobject("winmgmts://" &strcomputer &"/root/cimv2")

strwql="select * " & _
"from __instancecreationevent " & _
"where targetinstance isa 'Win32_NTLogEvent' " & _
"and targetinstance.eventcode = '213' "

set objeventsource=objwmiservice.execnotificationquery(strwql)

wscript.echo "waiting for an event to happen on " &strcomputer

While True
set objeventobject=objeventsource.nextevent()
objEmail.Subject = objEventobject.TargetInstance.ComputerName & _
objEventobject.TargetInstance.logfile & "\" & _
objEventobject.TargetInstance.sourcename
objEmail.From = "admin@mydomain.com"
objEmail.To = "admins@mydomain.com"



objEmail.Textbody = "Computer Name: " & _
objEventobject.TargetInstance.ComputerName & _
"Notification E-Mail from Automated windows event monitoring script." & vbcrlf _
& " Event Type: " & objEventobject.TargetInstance.type & vbcrlf _
& " Event ID: " & objEventobject.TargetInstance.eventcode &vbcrlf _
& " Event source: " & objEventobject.TargetInstance.sourcename & vbcrlf _
& " Event Log: " & objEventobject.TargetInstance.logfile & vbcrlf _
& " Event Time: " & objEventobject.TargetInstance.timewritten & vbcrlf _
& "The Event Err details are :- " & vbcrlf _
& objEventobject.TargetInstance.Message

'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

'Name or IP of Remote SMTP Server
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.mydomain.com"

'Server port (typically 25)
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

objemail.Configuration.Fields.Update

'==End remote SMTP server configuration section==



objEmail.Send

Wend





James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.