Recently, I needed to determine which local LAN hosts were infected with spyware on a network of Windows XP computers. This network is a single Active Directory Forest, with a single ‘domain.local’ domain name.
In the absence of any anti-spyware management tools, I decided to use the DNS server on the domain controller to help me determine which workstations were infected.

First, I changed the outbound forwarder servers to use OpenDNS. OpenDNS is a free recursive DNS service that you can use to resolve all DNS queries on the Internet safely. The reason for this is that the OpenDNS servers will re-direct your infected machine’s traffic away from known botnets and known distribution points for spyware to their own, essentially cutting off an infected workstation’s access from known “bad guys”.

Usually, when I implement the OpenDNS service on a LAN, I notice an *INSTANT* improvement in available bandwidth.. Try it for yourself. More info here: www.opendns.org

Next, you need to clear the cache on your DNS server. To do this, open DNS Management in your MMC, right-click the server, and click “Clear cache”. Now, click “View”, and “Advanced” in the MMC’s menu, and you can now view the cache.
Right-click the server again, and click “Properties”.
On the “Logging” tab, turn on “Debug Logging”, note or set the location of the log to be written.
Now, right-click the server, and click “All Tasks” -> “Restart” to restart the DNS service.
Since most spyware infected hosts need to phone home on a regular basis, you can now just watch the cache for incriminating lookups, and read the DNS debug log for the IP address of the offending hosts.
Anyway, it worked for me, and I was able to identify the 3 hosts on the LAN that had spyware infections, in about 10 mins… (without staring at a protocol analyzer…)

Note: Do not forget to turn the DNS debug logging off again when you are finished. This logfile will grow *very* quickly, and become difficult to open or manage within hours on a busy LAN.

Have you ever set up 150 workstations, all from one cloned base image, and forgotten to turn on Remote Desktop? Even if you haven’t, this may save you some work. Save the following batch script to your desktop, and double-click it.

remotely_enable_rdp.bat

Thanks, Microsoft!

For this particular exercise, let’s pretend that you are, once again, named Bob. You work for TailswimToys.com, and they use a Microsoft Windows Small Business Server 2008, running Exchange 2007 for email and collaboration services. You use Outlook 2007, and are very happy with it overall.

All of your customers know you as bob@tailswimtoys.com [eat that, spammers… ;) ]

Recently, TailSwimToys experienced a huge economic windfall, and acquired Fabrimak.com, whose main business model is appearing in test questions, under an altered name.

Anyway, bob@fabrimak.com needs the ability to communicate with Fabrimak’s customer base without letting them know that he is *also* bob@tailswimtoys.com, which they would view as silly, thus undermining their confidence in Bob. (And Bob’s company)

In order for Bob to send an email from an address other than his default email address, you need to do the following:

Note: You may want to stop all inbound email services while you do this. This way, anyone sending email to an address that you’re moving to a distribution group will not bounce, but will sit on their mail server in the retry queue, and will be delivered after you’ve created the group, and re-started the inbound mail services. (typically, you’ve got 12 hours before an email will expire from the queue and cause a NDR.)

This assumes that you’ve already configured your Exchange server to accept email for the Fabrimak.com domain, and all necessary DNS records have been created, as these are beyond the scope of this post.

First, open the Exchange Management Console, and delete all but the default email address from the user’s mailbox. (leave bob@tailswimtoys.com in there, this will be the email address used when Bob doesn’t specify an outbound address.)

Next, remove the Recipient Update Policy setting from the user’s mailbox in the Exchange Management Console. This is necessary so that the alternate addresses aren’t re-applied to the mailbox on the next run of the Recipient Update Service.

Then, create a Mail-Enabled Distribution Group named bob@fabrimak.com, and apply the secondary email address to it. (in this case, bob@fabrimak.com) Make the user Bob a member of this group. Also, you’ll need to grant Bob “Send-As” permissions to the Mail-Enabled Distribution Group, so he can “Send-As” from the Group. Another thing you’ll need to do is remove the Recipient Update Policy setting from the Mail-Enabled Distribution Group, as it’s enabled by default.

After these configuration changes, Bob will be able to compose a new email, select to show the “From:” field in Outlook, click “From:”, and select the Mail-Enabled Distribution Group named “bob@fabrimak.com”, and that is the only address for Bob that the receiving party will see.

We’ve recently run into a situation that we realized is no longer possible when running Exchange Server 2007 on Windows Server 2008.

You cannot choose an alternate email address from which to “Send-As”, because the Exchange server will resolve your user object against the Active Directory, and replace whatever alternate address you’ve chosen with your user object’s default email address, as listed in the Active Directory.

Here’s the scenario-
Fabrimak is a company with many divisions. All of these divisions function as individual companies, and as such, have their own corporate identities, domain names, URLs, etc. However, due to the current trend of downsizing and leaner operational costs, they share a core Active Directory domain namespace, running Windows Small Business Server 2008 Premium Edition.

I know this is starting to sound like a test question for an MCSE exam, but bear with me.

The domain names in use currently are as follows:
Fabrimak.local (internal domain)
Tailswimtoys.com (default Internet domain in Exchange)
Consoto.com
Northbound.us

So, when users of Fabrimak’s internal network open up Outlook 2007, and create a new outgoing email, manually select to show the “From:” field, and choose to use their ‘user@consoto.com’ address, the mail recipient sees that the email came from ‘user@tailswimtoys.com’. This is because the outgoing email address used is decided when Outlook resolves the user account used to log into Exchange against the Active Directory, returning whatever address is listed as the user’s default. (Usually managed in the Exchange Console with the Recipient Update Policy.)

Even if you choose to show the “From:” field, and select an alternate (albeit valid) email address, the Exchange server will change the outgoing address used to your user account’s default outgoing email address.

Apparently, this ability to “Send-As” was purposefully removed by Microsoft, during the codebase rewrite of Exchange server.

However, (with the help of some friends from Redmond) there is a workaround. Allowing this “Send-As” behavior *is* possible. The workaround entails the use of Mail-Enabled Distribution Groups, and the removal of the Recipient Update Policy from the user account.

Details coming in my next post.

I can’t say enough how much of an amazing change this is from all previous versions of Windows. A ton of hard work went into this, and it shows. This release marks the very first time that all of my applications work together at the same time. I can now sync my phone using bluetooth, and access it’s internal storage directly from explorer.

There is an issue with the fingerprint reader being recognized after waking my Lenovo X61. I assume it’s because there isn’t a USB device bus scan immediately after wake-up. It doesn’t matter too much to me, though.. You can click on “Switch User”, and then the fingerprint reader will be recognized, and works for login.

This is a *very* excellent site for testing things like Exchange Server SSL configuration, and ActiveSync problems… Chances are, your configuration is incorrect… ;)

https://www.testexchangeconnectivity.com/

I was able to run Windows 7 Ultimate all day. It was convenient, faster than Vista, and has as much eye candy as OS X or KDE. This morning, a few minutes before work started, I installed Windows Live messenger, Office 2007, and Connectwise. All applications worked correctly, except for Connectwise, which was fixed using compatibility mode.
3rd party apps installed and working correctly so far are:

Filezilla
Connectwise
Putty
Sun Virtualbox
Mozilla Firefox
IBM Fingerprint reader software
Western Digital MyBook software
AVG 8.0
T-Mobile Dash Smartphone software

You know, some of you out there in the ether may get the idea that I don’t like Microsoft. If you get that feeling, I can understand why. But, you’re wrong. I have a great respect for them, and their software. It has often been known to be insecure, incomplete, ineffective, and annoying. That being said, consider the start. A group of slacker nerds dropped out of college, lived, slept, ate, and breathed code just because they wanted to, and sold their {not entirely finished/owned/understood} OS to a rather large computer manufacturer with *NO FRIGGING* possibility of knowing if they could pull it off. But, they did. And they succeeded. And their OS and software runs on millions more machines than the OS you and I wrote. For that, I really admire Microsoft. They just did it. Did you?

So, this news of subscription-based access to their OS and software is extremely interesting to me. All I’ll say about it is that my admiration for Microsoft would grow logarithmically should they decide to implement a program rewarding an exemplary GPA for students paying their subscription fees. A straight-up 4.0 GPA student should enjoy all of their services for free.
Maybe they should receive an all-expenses paid trip through UC Berkeley for their CS degree. Microsoft possesses the ability to make an important difference here. I believe that educating our children better benefits not only us, but the entire world.

United States Patent Application: 0080319910.

VirtualBox 2.1 Supports 64-Bit VM In 32-Bit Host

Slashdot | VirtualBox 2.1 Supports 64-Bit VM In 32-Bit Host.

Sun ROCKS!!!!! Thanks, guys!

This one really surprises me. Microsoft, (albeit under court order) has begun working with Samba’s developers to ensure proper interoperability between Active Directory and Samba.
For those of you not familiar with it, Samba is the open source implementation of the Server Message Block protocol, also known as SMB. It’s a way for non-windows computers to communicate using Window’s native language, SMB.
This is really fantastic news, as the biggest reason that implementation of Linux or UNIX into a heterogeneous Windows environment is problematic at best is the lack of a single point of administration for user accounts.
(And, currently, AFAIK, there’s no built-in password synchronization to Active Directory for Linux and UNIX users. Sure, you can script it, but that’s messy…)

According to this article, Microsoft is treating the Samba developers as “Premium Support” customers, and cooperating fully, even devoting the resources of knowlegeable developers to answer relevant technical questions for the Samba team.

So Microsoft, THANK YOU!!!
Interoperability will benefit us all. Thanks for doing the right thing.