Tuesday, October 30, 2007

Batten-Down the iHatches!


Earlier I posted an article relating to the difficult relationship between enterprise and the iPhone. Now, as a follow-up, it is necessary to look into the security-related issues regarding Apple’s venture into mobility.

Lately there have been a number of articles and sites dedicated to hacking the underlying operating system of the iPhone. Initial attempts were purely for benign reasons of curiosity and (not so benign) unlocking. Both of these feats have now been accomplished and have provided some unexpected results. It seems that Apple, in their rush to get the iPhone to market, neglected to lock down security at the OS level. Worse still, the operating system on the iPhone is not some proprietary device based system, but actually a more-or-less fully functional version of Apple’s OS X!

On the surface this seems fantastic! OS X embedded on a $300 device is an incredible deal! Problems arise however when it becomes apparent just how easy it is to hack these devices. The most evident exploit available presently is related to the fact that all applications on the iPhone are run as Root processes. Essentially this allows any application full access to the entire device immediately upon being exploited.

There are any number of articles around now related to the iPhone becoming a mobile hacking platform; however, this is not the real issue (any hacker worth his salt probably has at least one laptop anyway). The real problem for the consumer is the privacy of their information stored on the device. For instance, malicious code injected into a website accessed by the Safari browser could gain access to the core functionality of any iPhone. An experienced hacker could then gain access to confidential information such as phone logs and contacts.

From the point of view of a personal user this is bad enough. Thinking of it from an enterprise perspective, the lack of security becomes potentially disastrous! Imagine the CEO of a Fortune 500 company having his call logs, contacts and even private photographs on display for the entire world to see! With this exploit it may even be possible for a hacker to gain control of the camera, snapping photos at inopportune times with the CEO’s own device!

I have the honor of calling myself an Apple fan, user and even expert. I am constantly amazed by the wonders of industrial design created within their walls. That said, for the second article in a row, I have to conclude that although I love the idea of the iPhone, it does not belong in business; at least not until Apple decides to leverage the legendary UNIX security that the device already contains!


Thursday, October 25, 2007

CC Checkspam


You have seen the convenience of managing your spam quarantine by logging into the Ceryx Customer Center and by browsing your daily quarantine digests, but do you know that there is an even faster and more convenient way of managing false positives for people who are always on the go?

Say hello to CC Checkspam.

Checkspam is a feature of the Ceryx anti-spam solution that allows you to e-mail a command to Ceryx Customer Center to search for quarantined messages and have the messages released and mailed back to you in real-time. This will work from any desktop or handheld e-mail client provided the account you use to e-mail the command is the one registered in the Customer Center.

Suppose, for example, you are on the road and are waiting for an important e-mail from your vendor, john.doe@vendor.com. You suspect that the message was quarantined, but your CC Quarantine Digest is set to be sent at 10 PM every day and you have to respond to this vendor before 5 PM. It’s already 4:45 PM and you are an hour away from your hotel, where you can connect to the internet and log in to the Customer Center in order to release the message. All you have is your BlackBerry that is configured with your Ceryx account.

To quickly release the message, compose a new email on your BlackBerry, address it to checkspam@ceryx.com, enter the e-mail address john.doe@vendor.com in the subject line and then send the message. The system receives your message, queries your quarantine for all messages from john.doe@vendor.com and automatically releases all messages found to your inbox.

Checkspam can only search the From field of quarantined messages. It uses the “contains” comparison operator to compare the value in the Subject field of your submission with the From field of quarantined messages. This means the more general the value you submit, the more quarantined e-mail could potentially be released.

In the example given above, you could have put @vendor.com as the subject in your e-mail instead of john.doe@vendor.com and that would release all messages from any of your vendor’s e-mail users.

Because Checkspam uses this implicit wildcard comparison operator, great care should be taken in choosing the subject of your submission. Do not put just an @ sign or a dot as your subject unless you want everything in your quarantine released to your mailbox.
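The matching behaviour described above can be modelled locally to see what a given subject would release before sending it. This is an added example, not Ceryx code: the sample quarantine is constructed, and case-insensitive matching, the function names and the warning thresholds are assumptions.

```python
# Added illustration: a local model of the "contains" match described above.
# Not Ceryx code; case-insensitive matching and the thresholds are assumptions.

# Constructed sample quarantine: (message id, From address)
QUARANTINE = [
    (1, "john.doe@vendor.com"),
    (2, "jane.roe@vendor.com"),
    (3, "billing@vendor.com.lookalike.example"),
    (4, "promo@pills.example"),
    (5, "newsletter@shop.example"),
]


def checkspam_matches(subject, quarantine=QUARANTINE):
    """Return ids of messages whose From field contains the submitted subject."""
    needle = subject.strip().lower()
    return [mid for mid, sender in quarantine if needle in sender.lower()]


def domain_of(sender):
    """Everything after the last '@' in a From address."""
    return sender.rsplit("@", 1)[-1].lower()


def review_subject(subject, quarantine=QUARANTINE, min_len=5, max_share=0.5):
    """Dry-run a subject and list reasons it may release more than intended."""
    needle = subject.strip().lower()
    hits = [(mid, s) for mid, s in quarantine if needle in s.lower()]
    warnings = []
    if len(needle) < min_len:
        warnings.append("subject is very short")
    if quarantine and len(hits) / len(quarantine) > max_share:
        warnings.append("matches most of the quarantine")
    # "contains" is not anchored, so "@vendor.com" also matches a sender at
    # "vendor.com.lookalike.example"; more than one domain is worth a look.
    if len({domain_of(s) for _, s in hits}) > 1:
        warnings.append("matches span several sender domains")
    return {"ids": [mid for mid, _ in hits], "warnings": warnings}


if __name__ == "__main__":
    for subject in ("john.doe@vendor.com", "@vendor.com", "@", "."):
        print(repr(subject), review_subject(subject))
```

The full address releases one message with no warnings, while "@vendor.com" also pulls in the look-alike sender because the comparison is a substring test rather than an exact domain match.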

The Ceryx Customer Center, or CC for short, is a web-based application that allows Ceryx E-mail Firewall users to manage their filtering service. With CC, users can write filters to block spam or allow legitimate mail through. CC administrators in addition can create, modify and delete CC accounts as well as view email firewall statistics. For customers who are on the Ceryx Hosted Exchange service, CC version 1.6 is integrated with Exchange to allow administrators to also manage their e-mail service. When an administrator creates a CC 1.6 account, for example, a corresponding Ceryx Exchange account is also created. For more information on what else you can do with CC 1.6, please contact sales@ceryx.com.


Thursday, October 18, 2007

WebReady Document Viewing


WebReady Document Viewing is a new feature in Exchange 2007 Outlook Web Access. It allows users to view common file types without the need to have the corresponding application installed on their PC. As a result, the user will be able to view the attachments without saving them to disk or opening them in a locally-installed application.

When the user requests to view certain attachments from Outlook Web Access 2007, it gives the user the option to open the attachment as a web page. Exchange 2007 then does the conversion so the user doesn’t need anything but a web browser to view the attachment.

Currently, WebReady Document viewing in Exchange 2007 supports the following types of files:
• .doc (Microsoft Word Documents)
• .dot (Microsoft Word Templates)
• .rtf (Rich Text Format)
• .xls (Microsoft Excel Spreadsheets)
• .ppt (Microsoft PowerPoint Presentations)
• .pps (Microsoft PowerPoint Slide Shows)
• .pdf (Adobe PDF Documents)

By the way, documents created by Microsoft Office 2007 are not supported in WebReady Document Viewing at the moment. This limitation will be addressed in Exchange 2007 Service Pack 1.


Tuesday, October 16, 2007

Data Migration – Part 1: Exporting Data


Part of moving to a new mail system is the migration of user data. Arguably this is the most important part as this is what your customers (users) see and feel on the ‘new’ system (new to them; if you are at this point you have hopefully been playing with the new system for a while, due diligence and all…). If you don’t believe me in saying this is the most important part to test, plan and execute, try moving your CEO’s mailbox in the middle of the day somewhere around year-end or shortly prior to a board meeting from an old system (Exchange or otherwise) to your new Exchange 2007 system. Enough Said.

Of course there are several factors that need to be taken into consideration when moving a USER (not just the data) from one system to another like installing/configuring clients, re-pointing mobile devices etc. For the purpose of this series, I am going to focus on techniques on getting your user’s data from one spot to another.

Data migration can come in many flavors:
- In-House Exchange 2000/2003 to In-House Exchange 2007 (all part of the same Exchange Org)
- In-House Exchange 2000/2003 to In-House Exchange 2007 (new Exchange Org, or AD forest if you would like)
- In-House POP/IMAP based system to In-House Exchange 2007
- In-House GroupWise to In-House Exchange 2007
- In-House Lotus Notes/Domino to In-House Exchange 2007
- All of the above except replace the last part with ‘Hosted Exchange 2007’ (By the way, Hosted Exchange and Software as a Service (SaaS) in general are the best! End Shameless Plug.)

The above list is a subset of possibilities, but these are the most common situations.

Exporting the Data

Let’s deal with the first instance, but only because it’s the easiest to handle. Moving mailbox data between Exchange Servers in the same Exchange Org (or Forest) is as simple as using Move Mailbox from the Exchange 2007 Exchange Management Console (EMC) or through the Exchange Management Shell via the Move-Mailbox cmdlet. The speed at which data can be moved depends on a few factors, as always, like server power/utilization, network connectivity etc. A good rule of thumb we use when quoting customers at the high level is 1GB/hour. For a great article on how to use Exchange’s built-in tools to move mailboxes between servers in the same org, see the following link:

The rest of the instances involve a little bit more work. The hard part is generally getting the data out of the old system in such a way that is useable/importable.

The primary goal is this: get the data to .PST format!

If you’re pulling the data from an Exchange Server (even Exchange 5.5), Exmerge is your friend. Exmerge, for those who don’t know, is a tool that runs against the Mailstore and exports all the data in the mailbox(es) of a specified user or group of users to *.PST file format. This includes all mail (including the folder tree), deleted items, contacts, calendar items, notes/memos and tasks. Some 'gotchas' that don’t get exported include Mailbox Rules (most of them are client-side anyways) and archives (again usually client-side). Another KEY gotcha for Exmerge is that the PST files it exports are in ANSI format, not Unicode. This means that they are subject to the 2GB size limit. So if you are exporting the CEO’s 5GB mailbox, you’ll need to take a few runs at it to try and get multiple files down to less than 2GB each. You can filter by date of creation on items to try and narrow down the export. PLAN THIS CAREFULLY!
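One way to plan those date-filtered runs, as an added example that is not part of Exmerge: group consecutive months into export batches that each stay under a working cap, and flag any single month that is too large and needs a narrower date filter. The per-month sizes are a constructed inventory, and the 1800 MB working cap (headroom below the 2GB ANSI limit) and the function name are assumptions.

```python
# Added illustration, not an Exmerge feature: plan date-range exports so each
# resulting ANSI PST stays below the 2GB limit described above.

# Constructed sample: a 5GB mailbox broken down by item creation month (MB).
MAILBOX_BY_MONTH = [
    ("2007-01", 600),
    ("2007-02", 700),
    ("2007-03", 400),
    ("2007-04", 1900),
    ("2007-05", 500),
    ("2007-06", 450),
    ("2007-07", 570),
]


def plan_exports(monthly_mb, cap_mb=1800):
    """Group consecutive months into batches whose total stays <= cap_mb.

    Returns (batches, oversized): batches is a list of
    (first_month, last_month, total_mb); oversized lists months that exceed
    the cap on their own and need a finer date filter (weeks or days).
    """
    batches, oversized = [], []
    current, total = [], 0

    def flush():
        nonlocal current, total
        if current:
            batches.append((current[0], current[-1], total))
        current, total = [], 0

    for month, size in monthly_mb:
        if size > cap_mb:
            # Keep date ranges contiguous: close the open batch, then flag
            # this month instead of producing a PST that would hit the limit.
            flush()
            oversized.append(month)
            continue
        if total + size > cap_mb:
            flush()
        current.append(month)
        total += size
    flush()
    return batches, oversized


if __name__ == "__main__":
    batches, oversized = plan_exports(MAILBOX_BY_MONTH)
    for first, last, mb in batches:
        print(f"export {first}..{last}: {mb} MB")
    print("needs a narrower date filter:", oversized)
```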

Exmerge is run on a domain Windows XP/2000 or Server 2000/2003 member (there are older versions available that run on NT). Because of the way inherited permissions are set up on the Exchange Stores by default, you have to be careful which account you run Exmerge as. For Exmerge purposes, I would suggest a dual processor server with lots of storage that is dedicated to this process. Exmerge is very capable of running multi-threaded processes so it can export up to 4 accounts at the same time. For detailed instructions on how to set up Exmerge with the appropriate permissions, see this link:


For POP/IMAP type systems, this can be really easy or really difficult. Remember that in a POP setup, generally all the user’s mail is pulled down to the client when the user ‘POPs’ her mail. IMAP does leave the mail on the server, but that’s all it leaves. If the user has contacts, calendar items, tasks, notes (no matter which client software they are using) they are generally ALL stored on the local machine. This is because the POP and IMAP protocols were designed for EMAIL, not the rest of the stuff. The bright side is that if your users are using Outlook or Outlook Express already, there is an export to PST function right at the client. Although not the most glamorous use of time, this could mean the Jr. Admin gets to sit in the server room with two or three different machines in front of her each performing an export to PST on a different user for the next week. Hey, it’s good training.

As for the ‘other’ systems (GroupWise, Lotus Notes/Domino etc.), you generally have to use some sort of third party tool to export the data. We have used Quest Software’s tools for both GroupWise and Notes with success (http://www.quest.com). As part of our Due Diligence when planning and preparing for a customer data migration using a third party tool, we do the following to ensure a smooth migration:

1) We perform test migrations of large, non-production mailboxes (during off hours if at all possible) for the sole purpose of finding out how long it takes to migrate a unit of data. We generally like to measure how much data we can move in an hour and through experience have been able to guess it is usually around 1GB/hour.

2) We perform content test migrations. What this means is to create an empty mailbox on the old system, add one or two items of each item type that is available (so a few mail items, calendar items, recurring appointments, meetings with a few attendees, contacts, tasks with reminders or any other ‘everyday use functionality’ you can think of), and following the process of the tools you are using, move the mailbox to the new system. Coming up with a detailed test plan including documenting what was in the original mailbox, and a test script of what is expected in the new mailbox will allow you to plan for exceptions. There will be exceptions. Some of them can be fixed; some of them users will need to live with. For the latter, if the users are told well in advance, it results in less of an impact on your help desk when you actually move people over.

So at this point you should have a big hard drive full of PST files with your users’ data. You are half-way there. Stay tuned for Part 2 in which I will discuss getting your newly exported PST files into Exchange 2007.


Friday, September 14, 2007

Web-based Offline Address Book


Microsoft’s Exchange Server 2007 introduces a new method of Offline Address Book (OAB) distribution that does not involve Public Folders (the required method in previous versions of Exchange). The new implementation is an HTTP mechanism that allows the OAB to be downloaded via the web.

The following are some key items regarding OAB downloads in Exchange 2007:

1) Web-based OAB downloads are only supported by Outlook 2007 email clients.

2) The Public Folder method for OAB download is still supported for backwards compatibility with earlier email clients (Outlook 2003 or earlier).

3) The Autodiscover service must be configured in order for web downloads to work correctly (you can refer to previous blog entries for more details on Autodiscover).

4) The new distribution has several advantages such as the ability to support more concurrent client connections, reduce bandwidth usage, and provide more resilient OAB downloads. The web-based OAB downloads utilize the Background Intelligent Transfer Service (BITS) technology that is also used to download updates from the Windows Update site.

For a more in-depth look at this feature and its associated components, please see the Microsoft Exchange Team Blog link below:



Tuesday, August 28, 2007

BlackBerry Helpful Tips


I am a BlackBerry addict. There I said it.... My friends, family and colleagues should be proud. I carry it with me everywhere, and check it hundreds of times a day. I use it all the time, and even when I am NOT looking at it, the mere sight of someone checking their wireless device makes my hand reach for the holster. While some people might say that their BlackBerry, Windows Mobile device or iPhone is an extension to their Outlook/Exchange experience... I use my wireless device so frequently that I am starting to think that Outlook is in fact the extension. We live in a mobile world and wireless messaging is a terrific fix for any workaholic.

In my business life, I run a Hosted Exchange company that services the upper SMB and Mid-Markets. Our customers come from every industry and segment. The one common characteristic across our entire customer base is that email is their most mission critical application; it is very important to their business. Many of them would be crippled by a problem with their BlackBerry. As a bona fide BlackBerry junkie, I thought I should share with you a few “little known secrets” which can help you in a pinch.

Extending BlackBerry Battery Life:
I charge my device daily, not because it needs it but because I never know how much power I will need tomorrow. I like to start the day with a fully charged battery. I also tend to replace my battery every 12-18 months; this is more of a proactive decision to keep the device operating like new. If your battery is prematurely draining, I have a tip for you that might refresh your device. It worked for me. About a month ago my battery started to die by mid afternoon after beginning the day fully charged. Nothing in my daily routine had changed but the battery wasn't lasting any more. I tried the usual methods including reboot, take out the battery, let it run down and then fully charge it, all to no avail. I bought a new battery. Surprisingly, the new battery lasted a little bit longer but still did not compare to what I used to get before the problem started. Late one night, I called our 24x7x365 Helpdesk. I was both surprised and skeptical at what they suggested. I was even more surprised to find out that it worked. They suggested that I do the following:
1) Cycle your Content Protection (Security/General Settings - set it to enabled and then disabled), next cycle the device (either with Alt + Left Shift + Del or pull the battery).
2) The next step requires your BES Administrator - have your administrator send you a new policy (if you don't have a policy have them send you a blank one). This solved my BlackBerry battery problem and I hope it helps you as well.

Fixing an Erratic Track Wheel
If your track wheel is jumpy and erratic AND you REALLY WANT a new BlackBerry, Windows Device or iPhone .... stop reading now... I am about to take away your logical justification. What I am about to tell you will fix one of the most common, annoying and debilitating problems with the BlackBerry devices. If you have ever experienced it you will know what I mean. Whenever you move the track wheel the cursor jumps around randomly and it is impossible to work. The fix that I used is simple and easy. Head to your favorite electronics store and buy some Control Cleaner (Potentiometer cleaner, contact cleaner, TV tuner cleaner, etc.), it comes in a spray bottle and is around $10 at Radio Shack. Remove your battery and spray some into the track wheel, work the solution in by rotating your track wheel and pushing the button. Wait for the solution to dry before replacing your battery. When I did this, it worked the first time and my jumpy track wheel was fixed. You might have to do it a couple of times if it doesn't work. I have done this on a couple of units and have been successful both times, but I cannot take responsibility if it doesn't work for you or if something goes wrong. The way I see it, the device is garbage as soon as the track wheel starts to jump, so what have you got to lose?

I hope that you find these tips useful.

Tuesday, August 21, 2007

Manage Misbehaving Add-Ins in Outlook 2007


When a new version of Outlook, or Office for that matter, is released, it is generally made to be backward compatible with previous versions. For various reasons, some third party add-ins that functioned perfectly in Outlook 2003 might not work, or might even misbehave and cause problems loading Outlook 2007. Here is how you can disconnect a misbehaving add-in:

1. If an add-in causes Outlook to crash when Outlook is loading, Outlook 2007 should prompt you to disable the add-in. If it doesn’t and Outlook crashes then use the command line outlook.exe /safe to start Outlook in safe mode.
2. Select the Tools menu, and then Trust Center.
3. Click on the Add-ins tab (on left vertical tab pane), and then click the Go button at the bottom of the page.
4. Find that add-in and uncheck the box next to the add-in to disable it and click OK.

When you get a proper patch that makes your third party add-in compatible with Outlook 2007 and you want to enable it, you can follow the above procedure and just check the listed add-ins that you want to enable. While you can access this from the Trust Center via the Add-ins tab, the easiest way in Outlook is to select the Help menu, then Disabled Items. Find the add-in on the list of disabled items, select it, and click the Enable button to enable the add-in again.

If Outlook believes the add-in is misbehaving it can automatically disable it. There are some add-ins that are disabled immediately when Outlook is installed. In all cases, enable an add-in again only if you are sure that it will not cause any problems in Outlook.