A downloaded .xls file attachment is empty when you open the file by using Outlook Web Access

[Michael B. Smith]

I know this came up here. A patch is now available:

 

http://support.microsoft.com/kb/950675/EN-US

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Monitoring Exchange w/OpsMgr now available  
http://snurl.com/45ppf


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Moving Ninja E2K3 -> E2k7

[Stefan Jafs]

Is there a way of retaining all settings when moving to E2k&?

__
Stefan Jafs


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: RIM BPS being axed in July

[Maglinger, Paul]

Heck, Cisco does that all the time.  I go out on the web to look for
updates and search dang near the whole website because some genius
changed the name.  Sheesh! 

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, March 07, 2009 12:51 AM
To: MS-Exchange Admin Issues
Subject: Re: RIM BPS being axed in July

On Sat, Mar 7, 2009 at 12:18 AM,   wrote:
> Hopefully they will just license a under 25 user version for SMB
pricing..

  You mean go back to that.  We're running "BlackBerry Enterprise
Server, SMB Edition".  The one limited to 15 license seats.
BPS/Unite/etc. didn't exist when we did our initial roll-out of 5 BB
users; there was the full edition of BES and the SMB edition and that
was it.  RIM has come full circle.

  Frankly, it's the product renaming/reorganizing schizophrenia itself
that worries me.  RIM can't go ten months without introducing or
discontinuing a variant of their server product.  It's a sign of a
lack of clear direction.  :-(

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: A downloaded .xls file attachment is empty when you open the file by using Outlook Web Access

[William Lefkovics]

Congrats on finally getting the book out there. 

 

What is it called again?  Exchange 2016 - Enterprise Cloud Version?

 

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 5:19 AM
To: MS-Exchange Admin Issues
Subject: A downloaded .xls file attachment is empty when you open the file
by using Outlook Web Access

 

I know this came up here. A patch is now available:

 

http://support.microsoft.com/kb/950675/EN-US

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Monitoring Exchange w/OpsMgr now available  
http://snurl.com/45ppf

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Kinda offtopic: Domain tombstone lifetime setting

[Hurley, Leslie L CIV SPAWAR Charleston]

Is it possible to set a tombstone lifetime (TSL) for a domain to
"never".
Reading the KB articles on lingering objects I only see 60 and 180 days
quoted.

Thank you in advance, 


Leslie Hurley



"Beauty without vanity, strength without violence, courage without
ferocity,
and all the virtues of man without his vices."

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

OWA

[Fogarty, Richard R CTR USA USASOC]

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside our
infrastructure) by using the existing terminal server - which can only be
accessed through the VPN.  I'm proposing (through an impact assessment) that
we view the possibilities of providing access without using the following
methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there are
some valid points - and some control issues that have taken it off the
table.  Since our customers have the ability to work with some sensitive
documents, OWA has always been discounted due to the possibility of a
customer opening up a sensitive document on a public computer.  I'm not
aware of any way to delete all of the cache after the docs have been
downloaded on said public computer.  In fact, it doesn't even have to be
public, it could be the customers home computer as well.  In either case,
there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a huge task to redesign our infrastructure.  So,
to accommodate them, I recommended using RPC over HTTP when using the VPN.
This way, anyone that has a travel approved laptop, still has the ability to
pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to the VPN - get your mail, disconnect - work,
reconnect and send all your mail.  A bit of a pain, but a compromise
nonetheless.

 

While attempting the Impact Assessment, it was brought up that many other
"similar" units that have similar customers provide OWA as a service.
During the review processes of this IA, my boss asked, ok, if OWA isn't
recommended here due to security concerns - how can XXX unit get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a computer.
Is OWA still considered a security risk?  How do others ensure documents
read on a public computer are not left over for others to view?

Comments?

Thanks

Rick

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: RIM BPS being axed in July

[Michael B. Smith]

Yeah, well, BPS uses WebDAV instead of MAPI - which made it safe to install
on the Exchange Server (unlike BES). I've got probably a dozen small
installs of BPS that wouldn't have happened without that...

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Monday, March 09, 2009 9:05 AM
To: MS-Exchange Admin Issues
Subject: RE: RIM BPS being axed in July

Heck, Cisco does that all the time.  I go out on the web to look for
updates and search dang near the whole website because some genius
changed the name.  Sheesh! 

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, March 07, 2009 12:51 AM
To: MS-Exchange Admin Issues
Subject: Re: RIM BPS being axed in July

On Sat, Mar 7, 2009 at 12:18 AM,   wrote:
> Hopefully they will just license a under 25 user version for SMB
pricing..

  You mean go back to that.  We're running "BlackBerry Enterprise
Server, SMB Edition".  The one limited to 15 license seats.
BPS/Unite/etc. didn't exist when we did our initial roll-out of 5 BB
users; there was the full edition of BES and the SMB edition and that
was it.  RIM has come full circle.

  Frankly, it's the product renaming/reorganizing schizophrenia itself
that worries me.  RIM can't go ten months without introducing or
discontinuing a variant of their server product.  It's a sign of a
lack of clear direction.  :-(

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Alan Monaghan]

I thought that if owa was thru the SSL certificate that there was no left
over garbage for anyone to find or get!?!

Is that not true...

Inquiring minds and all that. Well, and that is why I set it up that way and
nice to know if I made a mistake.



Felis demulcta mitis ...
Alan G. Monaghan 
   [ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized)  Ò¿Ó¬ ]
Systems Administrator 
Gardner Publications, Inc.

*Phone .. 1-513-527-8867 
*Fax  1-513-527-8801 
*Cell ... 1-513-378-0919  
*E-mail . al...@gardnerweb.com
*URL  http://Bullwinkle.GardnerWeb.Com/



>> -Original Message-
>> From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil]
>> Sent: Monday, March 09, 2009 9:31 AM
>> To: MS-Exchange Admin Issues
>> Subject: OWA
>> 
>> We're currently running a hefty E2k3 environment.
>> 
>> 
>> 
>> Currently, our customers only have access to their e-mail (when outside
our infrastructure) by using
>> the existing terminal server - which can only be accessed through the VPN.
I'm proposing (through an
>> impact assessment) that we view the possibilities of providing access
without using the following
>> methods.
>> 
>> 
>> 
>> I've come up with two possibilities:
>> 
>> 1.)OWA
>> 
>> 2.)RPC over HTTP
>> 
>> 
>> 
>> For quite some time, OWA has not been authorized.  It appears that there
are some valid points - and
>> some control issues that have taken it off the table.  Since our customers
have the ability to work
>> with some sensitive documents, OWA has always been discounted due to the
possibility of a customer
>> opening up a sensitive document on a public computer.  I'm not aware of
any way to delete all of the
>> cache after the docs have been downloaded on said public computer.  In
fact, it doesn't even have to
>> be public, it could be the customers home computer as well.  In either
case, there are valid
>> concerns.
>> 
>> 
>> 
>> Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a
>> huge task to redesign our infrastructure.  So, to accommodate them, I
recommended using RPC over HTTP
>> when using the VPN.  This way, anyone that has a travel approved laptop,
still has the ability to
>> pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to
>> the VPN - get your mail, disconnect - work, reconnect and send all your
mail.  A bit of a pain, but a
>> compromise nonetheless.
>> 
>> 
>> 
>> While attempting the Impact Assessment, it was brought up that many other
"similar" units that have
>> similar customers provide OWA as a service.  During the review processes
of this IA, my boss asked,
>> ok, if OWA isn't recommended here due to security concerns - how can XXX
unit get by with it?
>> 
>> 
>> I can't speak about the other security personnel, but I do have some
concerns about the "left over"
>> garbage once a user is done on a computer.  Is OWA still considered a
security risk?  How do others
>> ensure documents read on a public computer are not left over for others to
view?
>> 
>> Comments?
>> 
>> Thanks
>> 
>> Rick
>> 
>> 
>> 
>> 
>> 
>> 
>> 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: A downloaded .xls file attachment is empty when you open the file by using Outlook Web Access

[Michael B. Smith]

Thanks!

 

It's a mouthful (and no, I didn't choose the title or the picture!)

 

"Monitoring Exchange Server 2007 with System Center Operations Manager
2007".

 

There is a hefty OpsMgr component, but there is lots of stuff just on good
"best practices" for operating small and medium Exchange environments. "Best
practices" in my opinion of course. J

 

From: William Lefkovics [mailto:will...@lefkovics.net] 
Sent: Monday, March 09, 2009 9:21 AM
To: MS-Exchange Admin Issues
Subject: RE: A downloaded .xls file attachment is empty when you open the
file by using Outlook Web Access

 

Congrats on finally getting the book out there. 

 

What is it called again?  Exchange 2016 - Enterprise Cloud Version?

 

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 5:19 AM
To: MS-Exchange Admin Issues
Subject: A downloaded .xls file attachment is empty when you open the file
by using Outlook Web Access

 

I know this came up here. A patch is now available:

 

http://support.microsoft.com/kb/950675/EN-US

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Monitoring Exchange w/OpsMgr now available  
http://snurl.com/45ppf


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Kinda offtopic: Domain tombstone lifetime setting

[Michael B. Smith]

I guess I would ask the standard "what are you actually trying to
accomplish"?

By the time you get to Windows 2008 FFL, you've got AD Recycle Bins, which
accomplish far more than an extended TSL.

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston [mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 9:27 AM
To: MS-Exchange Admin Issues
Subject: Kinda offtopic: Domain tombstone lifetime setting

Is it possible to set a tombstone lifetime (TSL) for a domain to
"never".
Reading the KB articles on lingering objects I only see 60 and 180 days
quoted.

Thank you in advance, 


Leslie Hurley



"Beauty without vanity, strength without violence, courage without
ferocity,
and all the virtues of man without his vices."

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Cameron Cooper]

We use OWA in our environment and like you we were concerned about the
security of it.  Since then we have implemented RSA SecurID Tokens with
OWA.  This way the users aren't entering in a user name and password.
With the RSA SecurID tokens, the users enter in a user name and then a 4
digit PIN (which can be any size, for us figured that this would work
the best) + the 6 digit numbers on the token.  The numbers on the token
change every 60 seconds, thus you get a new password to enter in every
time.  When the user(s) are done, they log off and anyone who tries to
get into the account can't due to not having the PIN and token number.
There is also a setting in RSA that will remove the cache.

 

---___

Cameron Cooper

IT Director - CompTIA A+ Certified

Aurico Reports, Inc

Phone: 847-890-4021Fax: 847-255-1896

ccoo...@aurico.com

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Tim Evans]

We have gone thru a similar decision making process here. Currently, I have 
disabled access to all attachments in OWA. There is a setting in IE under 
advance options "Do not save encrypted pages to disk" that leave nothing in the 
local temporary files cache (assuming you are using SSL to access OWA). 
Unfortunately, it is not enabled by default. I'd like to find a way to enable 
it the login form, but making that change  is beyond my abilities.

...Tim

From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil]
Sent: Monday, March 09, 2009 6:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

We're currently running a hefty E2k3 environment.

Currently, our customers only have access to their e-mail (when outside our 
infrastructure) by using the existing terminal server - which can only be 
accessed through the VPN.  I'm proposing (through an impact assessment) that we 
view the possibilities of providing access without using the following methods.

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

For quite some time, OWA has not been authorized.  It appears that there are 
some valid points - and some control issues that have taken it off the table.  
Since our customers have the ability to work with some sensitive documents, OWA 
has always been discounted due to the possibility of a customer opening up a 
sensitive document on a public computer.  I'm not aware of any way to delete 
all of the cache after the docs have been downloaded on said public computer.  
In fact, it doesn't even have to be public, it could be the customers home 
computer as well.  In either case, there are valid concerns.

Apparently, our infrastructure guys (for some reason) believe pulling OWA into 
the mix would create a huge task to redesign our infrastructure.  So, to 
accommodate them, I recommended using RPC over HTTP when using the VPN.  This 
way, anyone that has a travel approved laptop, still has the ability to pull 
down their mail - to their system, and not be bothered with the TS.  So, 
essentially, connect to the VPN - get your mail, disconnect - work, reconnect 
and send all your mail.  A bit of a pain, but a compromise nonetheless.

While attempting the Impact Assessment, it was brought up that many other 
"similar" units that have similar customers provide OWA as a service.  During 
the review processes of this IA, my boss asked, ok, if OWA isn't recommended 
here due to security concerns - how can XXX unit get by with it?

I can't speak about the other security personnel, but I do have some concerns 
about the "left over" garbage once a user is done on a computer.  Is OWA still 
considered a security risk?  How do others ensure documents read on a public 
computer are not left over for others to view?

Comments?

Thanks
Rick






~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Michael B. Smith]

Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good about
OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to constrain
what computer attaches to RPC/HTTP. I guess that with Windows 2008 Network
Access Control/Protection (or a similar solution from another vendor), you
could do it based on the MAC address of the VPN client - but no
Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside our
infrastructure) by using the existing terminal server - which can only be
accessed through the VPN.  I'm proposing (through an impact assessment) that
we view the possibilities of providing access without using the following
methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there are
some valid points - and some control issues that have taken it off the
table.  Since our customers have the ability to work with some sensitive
documents, OWA has always been discounted due to the possibility of a
customer opening up a sensitive document on a public computer.  I'm not
aware of any way to delete all of the cache after the docs have been
downloaded on said public computer.  In fact, it doesn't even have to be
public, it could be the customers home computer as well.  In either case,
there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a huge task to redesign our infrastructure.  So,
to accommodate them, I recommended using RPC over HTTP when using the VPN.
This way, anyone that has a travel approved laptop, still has the ability to
pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to the VPN - get your mail, disconnect - work,
reconnect and send all your mail.  A bit of a pain, but a compromise
nonetheless.

 

While attempting the Impact Assessment, it was brought up that many other
"similar" units that have similar customers provide OWA as a service.
During the review processes of this IA, my boss asked, ok, if OWA isn't
recommended here due to security concerns - how can XXX unit get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a computer.
Is OWA still considered a security risk?  How do others ensure documents
read on a public computer are not left over for others to view?

Comments?

Thanks

Rick

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Kinda offtopic: Domain tombstone lifetime setting

[Hurley, Leslie L CIV SPAWAR Charleston]

Will be quite awhile before we're on 2008.

Right now trying ot make sure some of my "roaming" domains can remain
part
of the forest. So I need to find out what the options are for setting
the
TSL.

LH* 


Leslie Hurley



-Original Message-
From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:42
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

I guess I would ask the standard "what are you actually trying to
accomplish"?

By the time you get to Windows 2008 FFL, you've got AD Recycle Bins,
which
accomplish far more than an extended TSL.

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston
[mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 9:27 AM
To: MS-Exchange Admin Issues
Subject: Kinda offtopic: Domain tombstone lifetime setting

Is it possible to set a tombstone lifetime (TSL) for a domain to
"never".
Reading the KB articles on lingering objects I only see 60 and 180 days
quoted.

Thank you in advance, 


Leslie Hurley



"Beauty without vanity, strength without violence, courage without
ferocity,
and all the virtues of man without his vices."

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Re: OWA

[Ben Scott]

On Mon, Mar 9, 2009 at 9:31 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> Since our customers have the ability to work with some sensitive
> documents, OWA has always been discounted due to the possibility of a
> customer opening up a sensitive document on a public computer.

  Disabling OWA attachments, as MBS suggests, might fix that, but
then, I'm guessing the reason people want OWA is to open those
sensitive attachments, right?  :)

  SSL doesn't protect "leftovers" as some suggest.  For one, by
default, MSIE still caches SSL content in the plaintext "Temporary
Internet Files".  You can enable "Do not save encrypted pages to
disk", but we've found that causes some sites to malfunction.  Plus,
to open an attachment, the attachment *must* be saved as plaintext to
disk, so the application can open the file.  SSL protects the
transport over the wire, nothing more.

  But the biggest issue with OWA (and things like it) is that you're
allowing any computer in the world to access your systems.  That
includes computers without updates, with poorly chosen security
settings, with no firewall, full of spyware, including keystroke
loggers to sniff your OWA password, etc., etc.

  Using a OTP device like the RSA SecurID fobs will counter the
password sniffing attack, so bad guys won't be able to get into OWA
from elsewhere.  But they can still sniff content from the OWA session
itself.

  And nothing will protect against lusers saving sensitive content
from an email body to the untrusted computer.

  Frankly, in an environment where security is of overriding concern,
I recommend against allowing *any* untrusted computer to connect to
trusted resources in any way, shape, or form.  If they need remote
access, user is provisioned with a trusted laptop (configured by
company IT, without admin rights for the user) and they can use that
to connect to OWA or full Outlook via some kind of secure tunnel
(i.e., VPN).  This is the only way to ensure the trust chain isn't
broken.

  This is all based on risk assessment, of course.  In many
organizations (especially smaller ones), email and in-company desktops
are already pretty insecure, and there's nothing overly sensitive in
email in the first place.  OWA's not much of a risk, then.  But given
that your email address ends in <.mil>, I'm guessing you're not one of
those.  :)

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: RIM BPS being axed in July

[Sobey, Richard A]

I couldn't see the information in those articles, but I wonder if they're going 
to kill the SRP keys at some point too. For those that already have BPS and 
with no real need to upgrade to BES, that would be a real shame.

From: bounce-8451114-8066...@lyris.sunbelt-software.com 
[mailto:bounce-8451114-8066...@lyris.sunbelt-software.com] On Behalf Of 
gswe...@actsconsulting.net
Sent: 07 March 2009 05:18
To: MS-Exchange Admin Issues
Subject: RIM BPS being axed in July

Read a few reports that Rim is discontinuing BPS and Unite in July of this year 
and ending support in 2010.  This is a bad move for Rim, we have at least 25 
deployments of BPS to SMB's with 10 and under Blackberry's.  I am guessing that 
it did not financially take off for them, but this has the undertone to move 
the entire SMB away from Blackberry to WM or Iphones, especially if Apple 
starts utilizing more of the EAS functions and gets encryption on par.

Hopefully they will just license a under 25 user version for SMB pricing..

http://www.blackberrynews.com/2009/02/26/unite-and-bps-on-the-rim-chopping-block/
http://www.blackberryforums.com/blackberrynews-com-feed/178410-unite-bps-rim-chopping-block.html

Anyone else have a take on this?

Greg





~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[David Mazzaccaro]

What is the best way to force the "public computer" setting?  Simply
remove the radio button and text from the html?
 

 


From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:52 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA



Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good
about OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to
constrain what computer attaches to RPC/HTTP. I guess that with Windows
2008 Network Access Control/Protection (or a similar solution from
another vendor), you could do it based on the MAC address of the VPN
client - but no Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC
[mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside
our infrastructure) by using the existing terminal server - which can
only be accessed through the VPN.  I'm proposing (through an impact
assessment) that we view the possibilities of providing access without
using the following methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there
are some valid points - and some control issues that have taken it off
the table.  Since our customers have the ability to work with some
sensitive documents, OWA has always been discounted due to the
possibility of a customer opening up a sensitive document on a public
computer.  I'm not aware of any way to delete all of the cache after the
docs have been downloaded on said public computer.  In fact, it doesn't
even have to be public, it could be the customers home computer as well.
In either case, there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling
OWA into the mix would create a huge task to redesign our
infrastructure.  So, to accommodate them, I recommended using RPC over
HTTP when using the VPN.  This way, anyone that has a travel approved
laptop, still has the ability to pull down their mail - to their system,
and not be bothered with the TS.  So, essentially, connect to the VPN -
get your mail, disconnect - work, reconnect and send all your mail.  A
bit of a pain, but a compromise nonetheless.

 

While attempting the Impact Assessment, it was brought up that many
other "similar" units that have similar customers provide OWA as a
service.  During the review processes of this IA, my boss asked, ok, if
OWA isn't recommended here due to security concerns - how can XXX unit
get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a
computer.  Is OWA still considered a security risk?  How do others
ensure documents read on a public computer are not left over for others
to view?

Comments?

Thanks

Rick

 

 

 

 


 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Exchange 2003 and creating folders for users

[Oliver Marshall]

Is there a way to create a folder in users mailboxes with 2003 ? Ideally a way 
to create it so that it comes back if they delete it.

Olly


--
G2 Support
Network Support : Online Backups : Server Management

[cid:image001.jpg@01C9A0C5.83D1DC60]

Tel:0870 904 3443
Email:  oliver.marsh...@g2support.com
Web:http://www.g2support.com
Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
BN3 7LE. Our registered company number is OC316341.



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: OWA

[Michael B. Smith]

That's one way. You can also set the TrustedClientTimeout to be the same
value as the PublicClientTimeout

 

KB 830827

 

As far as I know, the timeout is the only different between public and
private.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, March 09, 2009 10:40 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

 

What is the best way to force the "public computer" setting?  Simply remove
the radio button and text from the html?

 


 

  _  

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:52 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good about
OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to constrain
what computer attaches to RPC/HTTP. I guess that with Windows 2008 Network
Access Control/Protection (or a similar solution from another vendor), you
could do it based on the MAC address of the VPN client - but no
Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside our
infrastructure) by using the existing terminal server - which can only be
accessed through the VPN.  I'm proposing (through an impact assessment) that
we view the possibilities of providing access without using the following
methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there are
some valid points - and some control issues that have taken it off the
table.  Since our customers have the ability to work with some sensitive
documents, OWA has always been discounted due to the possibility of a
customer opening up a sensitive document on a public computer.  I'm not
aware of any way to delete all of the cache after the docs have been
downloaded on said public computer.  In fact, it doesn't even have to be
public, it could be the customers home computer as well.  In either case,
there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a huge task to redesign our infrastructure.  So,
to accommodate them, I recommended using RPC over HTTP when using the VPN.
This way, anyone that has a travel approved laptop, still has the ability to
pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to the VPN - get your mail, disconnect - work,
reconnect and send all your mail.  A bit of a pain, but a compromise
nonetheless.

 

While attempting the Impact Assessment, it was brought up that many other
"similar" units that have similar customers provide OWA as a service.
During the review processes of this IA, my boss asked, ok, if OWA isn't
recommended here due to security concerns - how can XXX unit get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a computer.
Is OWA still considered a security risk?  How do others ensure documents
read on a public computer are not left over for others to view?

Comments?

Thanks

Rick

 

 

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Fogarty, Richard R CTR USA USASOC]

Actually, in this case, only certified travel laptops have the ability to
attach to the VPN.  We know who, when etc connects - so with RPC over HTTP,
we should be pretty secure.  I'll dig into the three options you listed
below to become more familiar.


Thanks!
Rick

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:52 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

 

Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good about
OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to constrain
what computer attaches to RPC/HTTP. I guess that with Windows 2008 Network
Access Control/Protection (or a similar solution from another vendor), you
could do it based on the MAC address of the VPN client - but no
Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside our
infrastructure) by using the existing terminal server - which can only be
accessed through the VPN.  I'm proposing (through an impact assessment) that
we view the possibilities of providing access without using the following
methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there are
some valid points - and some control issues that have taken it off the
table.  Since our customers have the ability to work with some sensitive
documents, OWA has always been discounted due to the possibility of a
customer opening up a sensitive document on a public computer.  I'm not
aware of any way to delete all of the cache after the docs have been
downloaded on said public computer.  In fact, it doesn't even have to be
public, it could be the customers home computer as well.  In either case,
there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a huge task to redesign our infrastructure.  So,
to accommodate them, I recommended using RPC over HTTP when using the VPN.
This way, anyone that has a travel approved laptop, still has the ability to
pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to the VPN - get your mail, disconnect - work,
reconnect and send all your mail.  A bit of a pain, but a compromise
nonetheless.

 

While attempting the Impact Assessment, it was brought up that many other
"similar" units that have similar customers provide OWA as a service.
During the review processes of this IA, my boss asked, ok, if OWA isn't
recommended here due to security concerns - how can XXX unit get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a computer.
Is OWA still considered a security risk?  How do others ensure documents
read on a public computer are not left over for others to view?

Comments?

Thanks

Rick

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Kinda offtopic: Domain tombstone lifetime setting

[Michael B. Smith]

I'm not aware of any issue setting it to any "reasonable" value. I know some
companies that set it to a year. It is an integer field, so it should have a
problem with integer values.

That being said, I'm not personally aware of anyone setting it to higher
than a year.

You are aware that while an object is tombstoned, most of its attributes
have been stripped, right? Except those attributes that have the 0x8 mask in
searchFlags (which are few)? And that reanimating the object doesn't bring
those attributes back?

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston [mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 10:01 AM
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

Will be quite awhile before we're on 2008.

Right now trying ot make sure some of my "roaming" domains can remain
part
of the forest. So I need to find out what the options are for setting
the
TSL.

LH* 


Leslie Hurley



-Original Message-
From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:42
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

I guess I would ask the standard "what are you actually trying to
accomplish"?

By the time you get to Windows 2008 FFL, you've got AD Recycle Bins,
which
accomplish far more than an extended TSL.

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston
[mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 9:27 AM
To: MS-Exchange Admin Issues
Subject: Kinda offtopic: Domain tombstone lifetime setting

Is it possible to set a tombstone lifetime (TSL) for a domain to
"never".
Reading the KB articles on lingering objects I only see 60 and 180 days
quoted.

Thank you in advance, 


Leslie Hurley



"Beauty without vanity, strength without violence, courage without
ferocity,
and all the virtues of man without his vices."

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Fogarty, Richard R CTR USA USASOC]

Thanks all for the comments - exactly what I was looking for.  Enough for me
to finish the assessment.

 

Rick

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 10:51 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

 

That's one way. You can also set the TrustedClientTimeout to be the same
value as the PublicClientTimeout

 

KB 830827

 

As far as I know, the timeout is the only different between public and
private.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, March 09, 2009 10:40 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

 

What is the best way to force the "public computer" setting?  Simply remove
the radio button and text from the html?

 


 

  _  

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:52 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good about
OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to constrain
what computer attaches to RPC/HTTP. I guess that with Windows 2008 Network
Access Control/Protection (or a similar solution from another vendor), you
could do it based on the MAC address of the VPN client - but no
Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC [mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside our
infrastructure) by using the existing terminal server - which can only be
accessed through the VPN.  I'm proposing (through an impact assessment) that
we view the possibilities of providing access without using the following
methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there are
some valid points - and some control issues that have taken it off the
table.  Since our customers have the ability to work with some sensitive
documents, OWA has always been discounted due to the possibility of a
customer opening up a sensitive document on a public computer.  I'm not
aware of any way to delete all of the cache after the docs have been
downloaded on said public computer.  In fact, it doesn't even have to be
public, it could be the customers home computer as well.  In either case,
there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling OWA
into the mix would create a huge task to redesign our infrastructure.  So,
to accommodate them, I recommended using RPC over HTTP when using the VPN.
This way, anyone that has a travel approved laptop, still has the ability to
pull down their mail - to their system, and not be bothered with the TS.
So, essentially, connect to the VPN - get your mail, disconnect - work,
reconnect and send all your mail.  A bit of a pain, but a compromise
nonetheless.

 

While attempting the Impact Assessment, it was brought up that many other
"similar" units that have similar customers provide OWA as a service.
During the review processes of this IA, my boss asked, ok, if OWA isn't
recommended here due to security concerns - how can XXX unit get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a computer.
Is OWA still considered a security risk?  How do others ensure documents
read on a public computer are not left over for others to view?

Comments?

Thanks

Rick

 

 

 

 

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Kinda offtopic: Domain tombstone lifetime setting

[Michael B. Smith]

...so it should NOT have...

-Original Message-
From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 11:04 AM
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

I'm not aware of any issue setting it to any "reasonable" value. I know some
companies that set it to a year. It is an integer field, so it should have a
problem with integer values.

That being said, I'm not personally aware of anyone setting it to higher
than a year.

You are aware that while an object is tombstoned, most of its attributes
have been stripped, right? Except those attributes that have the 0x8 mask in
searchFlags (which are few)? And that reanimating the object doesn't bring
those attributes back?

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston [mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 10:01 AM
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

Will be quite awhile before we're on 2008.

Right now trying ot make sure some of my "roaming" domains can remain
part
of the forest. So I need to find out what the options are for setting
the
TSL.

LH* 


Leslie Hurley



-Original Message-
From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:42
To: MS-Exchange Admin Issues
Subject: RE: Kinda offtopic: Domain tombstone lifetime setting

I guess I would ask the standard "what are you actually trying to
accomplish"?

By the time you get to Windows 2008 FFL, you've got AD Recycle Bins,
which
accomplish far more than an extended TSL.

-Original Message-
From: Hurley, Leslie L CIV SPAWAR Charleston
[mailto:leslie.hur...@navy.mil]

Sent: Monday, March 09, 2009 9:27 AM
To: MS-Exchange Admin Issues
Subject: Kinda offtopic: Domain tombstone lifetime setting

Is it possible to set a tombstone lifetime (TSL) for a domain to
"never".
Reading the KB articles on lingering objects I only see 60 and 180 days
quoted.

Thank you in advance, 


Leslie Hurley



"Beauty without vanity, strength without violence, courage without
ferocity,
and all the virtues of man without his vices."

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Fogarty, Richard R CTR USA USASOC]

Exactly to the point.  I don't think using an RSA SecureID fob will fix the
overarching security issue (as I see it.)  So, I guess OWA is probably not
the answer at this point as most users will still need to see the
attachments.

So, for our area, I'm going to recommend using a hybrid approach to start -
use RPC/HTTP over the VPN and dig deeper into OWA in our test environment.

Appreciate it.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, March 09, 2009 10:26 AM
To: MS-Exchange Admin Issues
Subject: Re: OWA

On Mon, Mar 9, 2009 at 9:31 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> Since our customers have the ability to work with some sensitive
> documents, OWA has always been discounted due to the possibility of a
> customer opening up a sensitive document on a public computer.

  Disabling OWA attachments, as MBS suggests, might fix that, but
then, I'm guessing the reason people want OWA is to open those
sensitive attachments, right?  :)

  SSL doesn't protect "leftovers" as some suggest.  For one, by
default, MSIE still caches SSL content in the plaintext "Temporary
Internet Files".  You can enable "Do not save encrypted pages to
disk", but we've found that causes some sites to malfunction.  Plus,
to open an attachment, the attachment *must* be saved as plaintext to
disk, so the application can open the file.  SSL protects the
transport over the wire, nothing more.

  But the biggest issue with OWA (and things like it) is that you're
allowing any computer in the world to access your systems.  That
includes computers without updates, with poorly chosen security
settings, with no firewall, full of spyware, including keystroke
loggers to sniff your OWA password, etc., etc.

  Using a OTP device like the RSA SecurID fobs will counter the
password sniffing attack, so bad guys won't be able to get into OWA
from elsewhere.  But they can still sniff content from the OWA session
itself.

  And nothing will protect against lusers saving sensitive content
from an email body to the untrusted computer.

  Frankly, in an environment where security is of overriding concern,
I recommend against allowing *any* untrusted computer to connect to
trusted resources in any way, shape, or form.  If they need remote
access, user is provisioned with a trusted laptop (configured by
company IT, without admin rights for the user) and they can use that
to connect to OWA or full Outlook via some kind of secure tunnel
(i.e., VPN).  This is the only way to ensure the trust chain isn't
broken.

  This is all based on risk assessment, of course.  In many
organizations (especially smaller ones), email and in-company desktops
are already pretty insecure, and there's nothing overly sensitive in
email in the first place.  OWA's not much of a risk, then.  But given
that your email address ends in <.mil>, I'm guessing you're not one of
those.  :)

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Kennedy, Jim]

You could also only allow OWA over the VPN


> -Original Message-
> From: Fogarty, Richard R CTR USA USASOC
> [mailto:rick.foga...@us.army.mil]
> Sent: Monday, March 09, 2009 11:15 AM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA
> 
> Exactly to the point.  I don't think using an RSA SecureID fob will fix
> the
> overarching security issue (as I see it.)  So, I guess OWA is probably
> not
> the answer at this point as most users will still need to see the
> attachments.
> 
> So, for our area, I'm going to recommend using a hybrid approach to
> start -
> use RPC/HTTP over the VPN and dig deeper into OWA in our test
> environment.
> 
> Appreciate it.
> 
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Monday, March 09, 2009 10:26 AM
> To: MS-Exchange Admin Issues
> Subject: Re: OWA
> 
> On Mon, Mar 9, 2009 at 9:31 AM, Fogarty, Richard R CTR USA USASOC
>  wrote:
> > Since our customers have the ability to work with some sensitive
> > documents, OWA has always been discounted due to the possibility of a
> > customer opening up a sensitive document on a public computer.
> 
>   Disabling OWA attachments, as MBS suggests, might fix that, but
> then, I'm guessing the reason people want OWA is to open those
> sensitive attachments, right?  :)
> 
>   SSL doesn't protect "leftovers" as some suggest.  For one, by
> default, MSIE still caches SSL content in the plaintext "Temporary
> Internet Files".  You can enable "Do not save encrypted pages to
> disk", but we've found that causes some sites to malfunction.  Plus,
> to open an attachment, the attachment *must* be saved as plaintext to
> disk, so the application can open the file.  SSL protects the
> transport over the wire, nothing more.
> 
>   But the biggest issue with OWA (and things like it) is that you're
> allowing any computer in the world to access your systems.  That
> includes computers without updates, with poorly chosen security
> settings, with no firewall, full of spyware, including keystroke
> loggers to sniff your OWA password, etc., etc.
> 
>   Using a OTP device like the RSA SecurID fobs will counter the
> password sniffing attack, so bad guys won't be able to get into OWA
> from elsewhere.  But they can still sniff content from the OWA session
> itself.
> 
>   And nothing will protect against lusers saving sensitive content
> from an email body to the untrusted computer.
> 
>   Frankly, in an environment where security is of overriding concern,
> I recommend against allowing *any* untrusted computer to connect to
> trusted resources in any way, shape, or form.  If they need remote
> access, user is provisioned with a trusted laptop (configured by
> company IT, without admin rights for the user) and they can use that
> to connect to OWA or full Outlook via some kind of secure tunnel
> (i.e., VPN).  This is the only way to ensure the trust chain isn't
> broken.
> 
>   This is all based on risk assessment, of course.  In many
> organizations (especially smaller ones), email and in-company desktops
> are already pretty insecure, and there's nothing overly sensitive in
> email in the first place.  OWA's not much of a risk, then.  But given
> that your email address ends in <.mil>, I'm guessing you're not one of
> those.  :)
> 
> -- Ben
> 
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja~
> 
> 
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[David Mazzaccaro]

thx!



From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 10:51 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA



That's one way. You can also set the TrustedClientTimeout to be the same
value as the PublicClientTimeout

 

KB 830827

 

As far as I know, the timeout is the only different between public and
private.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, March 09, 2009 10:40 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

 

What is the best way to force the "public computer" setting?  Simply
remove the radio button and text from the html?

 


 



From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 9:52 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

Three things:

 

1] Disable attachments via OWA

2] Use SSL combined with Forms-Based authentication with OWA

3] Force the "Public Computer" setting on OWA

 

With those three things, barring an exploit, I would feel quite good
about OWA's security.

 

Actually, better than RPC/HTTP. There is no way using RPC/HTTP to
constrain what computer attaches to RPC/HTTP. I guess that with Windows
2008 Network Access Control/Protection (or a similar solution from
another vendor), you could do it based on the MAC address of the VPN
client - but no Exchange-based way.

 

From: Fogarty, Richard R CTR USA USASOC
[mailto:rick.foga...@us.army.mil] 
Sent: Monday, March 09, 2009 9:31 AM
To: MS-Exchange Admin Issues
Subject: OWA

 

We're currently running a hefty E2k3 environment.  

 

Currently, our customers only have access to their e-mail (when outside
our infrastructure) by using the existing terminal server - which can
only be accessed through the VPN.  I'm proposing (through an impact
assessment) that we view the possibilities of providing access without
using the following methods.

 

I've come up with two possibilities:

1.)OWA

2.)RPC over HTTP

 

For quite some time, OWA has not been authorized.  It appears that there
are some valid points - and some control issues that have taken it off
the table.  Since our customers have the ability to work with some
sensitive documents, OWA has always been discounted due to the
possibility of a customer opening up a sensitive document on a public
computer.  I'm not aware of any way to delete all of the cache after the
docs have been downloaded on said public computer.  In fact, it doesn't
even have to be public, it could be the customers home computer as well.
In either case, there are valid concerns.

 

Apparently, our infrastructure guys (for some reason) believe pulling
OWA into the mix would create a huge task to redesign our
infrastructure.  So, to accommodate them, I recommended using RPC over
HTTP when using the VPN.  This way, anyone that has a travel approved
laptop, still has the ability to pull down their mail - to their system,
and not be bothered with the TS.  So, essentially, connect to the VPN -
get your mail, disconnect - work, reconnect and send all your mail.  A
bit of a pain, but a compromise nonetheless.

 

While attempting the Impact Assessment, it was brought up that many
other "similar" units that have similar customers provide OWA as a
service.  During the review processes of this IA, my boss asked, ok, if
OWA isn't recommended here due to security concerns - how can XXX unit
get by with it?


I can't speak about the other security personnel, but I do have some
concerns about the "left over" garbage once a user is done on a
computer.  Is OWA still considered a security risk?  How do others
ensure documents read on a public computer are not left over for others
to view?

Comments?

Thanks

Rick

 

 

 

 

 

 

 

 


 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Re: OWA

[Ben Scott]

On Mon, Mar 9, 2009 at 11:15 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> So, for our area, I'm going to recommend using a hybrid approach to start -
> use RPC/HTTP over the VPN and dig deeper into OWA in our test environment.

  FWIW, sometimes OWA over a VPN from a trusted client can sometimes
be a useful scenario.

  On a related note, make sure you're doing whole disk encryption on
those laptops.  Otherwise a stolen laptop means easy disclosure of any
sensitive stuff downloaded/cached/etc on the laptop.  Like SSL, a VPN
only protects the transport, not the end-point.

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Karl Wenger]

To combat some of the inefficiencies of OWA and its security model, we
utilize the OWA Suite from messageware.  http://www.messageware.com/

Thanks,

--Karl

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, March 09, 2009 9:47 AM
To: MS-Exchange Admin Issues
Subject: Re: OWA

On Mon, Mar 9, 2009 at 11:15 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> So, for our area, I'm going to recommend using a hybrid approach to
start -
> use RPC/HTTP over the VPN and dig deeper into OWA in our test
environment.

  FWIW, sometimes OWA over a VPN from a trusted client can sometimes
be a useful scenario.

  On a related note, make sure you're doing whole disk encryption on
those laptops.  Otherwise a stolen laptop means easy disclosure of any
sensitive stuff downloaded/cached/etc on the laptop.  Like SSL, a VPN
only protects the transport, not the end-point.

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Ralph Smith]

Any idea what the pricing structure is on that.  They have no pricing on
their web site, and I'd rather not get involved with their sales team if
it's clearly out of our price range.  Thanks.

-Original Message-
From: Karl Wenger [mailto:kwen...@extraspace.com] 
Sent: Monday, March 09, 2009 1:48 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA

To combat some of the inefficiencies of OWA and its security model, we
utilize the OWA Suite from messageware.  http://www.messageware.com/

Thanks,

--Karl

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, March 09, 2009 9:47 AM
To: MS-Exchange Admin Issues
Subject: Re: OWA

On Mon, Mar 9, 2009 at 11:15 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> So, for our area, I'm going to recommend using a hybrid approach to
start -
> use RPC/HTTP over the VPN and dig deeper into OWA in our test
environment.

  FWIW, sometimes OWA over a VPN from a trusted client can sometimes
be a useful scenario.

  On a related note, make sure you're doing whole disk encryption on
those laptops.  Otherwise a stolen laptop means easy disclosure of any
sensitive stuff downloaded/cached/etc on the laptop.  Like SSL, a VPN
only protects the transport, not the end-point.

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Confidentiality Notice: 

--



This communication, including any attachments, may contain confidential 
information and is intended only for the individual or entity to whom it is 
addressed. Any review, dissemination, or copying of this communication by 
anyone other than the intended recipient is strictly prohibited. If you are not 
the intended recipient, please contact the sender by reply email, delete and 
destroy all copies of the original message.

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Fogarty, Richard R CTR USA USASOC]

Yes, DAR has been a requirement for some time.  Each of our travel laptops
have encryption installed.  Thanks for checking.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, March 09, 2009 11:47 AM
To: MS-Exchange Admin Issues
Subject: Re: OWA

On Mon, Mar 9, 2009 at 11:15 AM, Fogarty, Richard R CTR USA USASOC
 wrote:
> So, for our area, I'm going to recommend using a hybrid approach to start
-
> use RPC/HTTP over the VPN and dig deeper into OWA in our test environment.

  FWIW, sometimes OWA over a VPN from a trusted client can sometimes
be a useful scenario.

  On a related note, make sure you're doing whole disk encryption on
those laptops.  Otherwise a stolen laptop means easy disclosure of any
sensitive stuff downloaded/cached/etc on the laptop.  Like SSL, a VPN
only protects the transport, not the end-point.

-- Ben

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA

[Fogarty, Richard R CTR USA USASOC]

Hmmm, hadn't thought of that... Not sure why, just hadn't.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, March 09, 2009 11:14 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA

You could also only allow OWA over the VPN


> -Original Message-
> From: Fogarty, Richard R CTR USA USASOC
> [mailto:rick.foga...@us.army.mil]
> Sent: Monday, March 09, 2009 11:15 AM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA
> 
> Exactly to the point.  I don't think using an RSA SecureID fob will fix
> the
> overarching security issue (as I see it.)  So, I guess OWA is probably
> not
> the answer at this point as most users will still need to see the
> attachments.
> 
> So, for our area, I'm going to recommend using a hybrid approach to
> start -
> use RPC/HTTP over the VPN and dig deeper into OWA in our test
> environment.
> 
> Appreciate it.
> 
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Monday, March 09, 2009 10:26 AM
> To: MS-Exchange Admin Issues
> Subject: Re: OWA
> 
> On Mon, Mar 9, 2009 at 9:31 AM, Fogarty, Richard R CTR USA USASOC
>  wrote:
> > Since our customers have the ability to work with some sensitive
> > documents, OWA has always been discounted due to the possibility of a
> > customer opening up a sensitive document on a public computer.
> 
>   Disabling OWA attachments, as MBS suggests, might fix that, but
> then, I'm guessing the reason people want OWA is to open those
> sensitive attachments, right?  :)
> 
>   SSL doesn't protect "leftovers" as some suggest.  For one, by
> default, MSIE still caches SSL content in the plaintext "Temporary
> Internet Files".  You can enable "Do not save encrypted pages to
> disk", but we've found that causes some sites to malfunction.  Plus,
> to open an attachment, the attachment *must* be saved as plaintext to
> disk, so the application can open the file.  SSL protects the
> transport over the wire, nothing more.
> 
>   But the biggest issue with OWA (and things like it) is that you're
> allowing any computer in the world to access your systems.  That
> includes computers without updates, with poorly chosen security
> settings, with no firewall, full of spyware, including keystroke
> loggers to sniff your OWA password, etc., etc.
> 
>   Using a OTP device like the RSA SecurID fobs will counter the
> password sniffing attack, so bad guys won't be able to get into OWA
> from elsewhere.  But they can still sniff content from the OWA session
> itself.
> 
>   And nothing will protect against lusers saving sensitive content
> from an email body to the untrusted computer.
> 
>   Frankly, in an environment where security is of overriding concern,
> I recommend against allowing *any* untrusted computer to connect to
> trusted resources in any way, shape, or form.  If they need remote
> access, user is provisioned with a trusted laptop (configured by
> company IT, without admin rights for the user) and they can use that
> to connect to OWA or full Outlook via some kind of secure tunnel
> (i.e., VPN).  This is the only way to ensure the trust chain isn't
> broken.
> 
>   This is all based on risk assessment, of course.  In many
> organizations (especially smaller ones), email and in-company desktops
> are already pretty insecure, and there's nothing overly sensitive in
> email in the first place.  OWA's not much of a risk, then.  But given
> that your email address ends in <.mil>, I'm guessing you're not one of
> those.  :)
> 
> -- Ben
> 
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja~
> 
> 
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja~

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~



~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

Re: Exchange 2003 and creating folders for users

[Eric Woodford]

Can you maybe push that out via group policy?

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them owner
rights to it?!




On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:

>  Is there a way to create a folder in users mailboxes with 2003 ? Ideally
> a way to create it so that it comes back if they delete it.
>
>
>
> Olly
>
>
>
>
>
> --
>
> G2 Support
>
> Network Support : Online Backups : Server Management
>
>
>
> [image: g2supportsmall_250x58]
>
>
>
> Tel:0870 904 3443
>
> Email:  oliver.marsh...@g2support.com
>
> Web:http://www.g2support.com
>
> Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA
>
>
>
> G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
>
> BN3 7LE. Our registered company number is OC316341.
>
>
>
>
>
>
>

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: Exchange 2003 and creating folders for users

[Michael B. Smith]

It's a capability present in Exchange 2007, but I don't know of any
automated way to do it in Exchange 2003.

 

From: Eric Woodford [mailto:ericwoodf...@gmail.com] 
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

 

Can you maybe push that out via group policy? 

 

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them owner
rights to it?! 

 



 

On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall
 wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally a
way to create it so that it comes back if they delete it.

 

Olly

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

g2supportsmall_250x58

 

Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com  

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: Exchange 2003 and creating folders for users

[Barsodi.John]

Or if you have an archive system in place, most of the big players have this 
capability when their client is running on your user's machines.  Something I 
looked at when POCing archive systems with Ex 2003.  Else, like Michael said - 
Exchange 2007.  Upgrade to 2007 and experience the sweetness of managed folders.

- John Barsodi
From: Michael B. Smith [mailto:mich...@theessentialexchange.com]
Sent: Monday, March 09, 2009 3:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

It's a capability present in Exchange 2007, but I don't know of any automated 
way to do it in Exchange 2003.

From: Eric Woodford [mailto:ericwoodf...@gmail.com]
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

Can you maybe push that out via group policy?

Scripting would be difficult as you would need to open a Mapi profile to each 
mailbox (slow and you'd need to run it each day), and create the folder, then 
it wouldn't even be permanent unless you don't give them owner rights to it?!




On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall 
mailto:oliver.marsh...@g2support.com>> wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally a way 
to create it so that it comes back if they delete it.



Olly





--

G2 Support

Network Support : Online Backups : Server Management



[cid:image001.jpg@01C9A0CC.691E3650]



Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA



G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341.














~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: Exchange 2003 and creating folders for users

[Sam Cayze]

ExMerge for an initial push of the folder?  Automatic-no idea.
Somehow, I have seen Anti-Virus company automatically create Outlook
folders, but no idea how.  You might need to build an Outlook Plugin.  



From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 5:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users



It's a capability present in Exchange 2007, but I don't know of any
automated way to do it in Exchange 2003.

 

From: Eric Woodford [mailto:ericwoodf...@gmail.com] 
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

 

Can you maybe push that out via group policy? 

 

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them
owner rights to it?! 

 



 

On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally
a way to create it so that it comes back if they delete it.

 

Olly

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

 

 

Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com  

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 


 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: Exchange 2003 and creating folders for users

[Michael B. Smith]

Which, by the way, I'll be giving a session on next week at WinConnections
Spring 2009 in the sunny & beautiful Orlando Florida!

 

EXC15: Exchange Messaging Records Management

 

I'll also be presenting sessions on Exchange HA with WLBS and Exchange 2007
monitoring with OpsMgr 2007.

 

Another familiar face from this mailing list, William Lefkovics, will also
be presenting three sessions; on Exchange Tools, Exchange Security Best
Practices, and using PAL - The Performance and Log Analyzer.

 

Come say "hi" if you are there! If you aren't - you should be! J



 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Monitoring Exchange w/OpsMgr now available  
http://snurl.com/45ppf

 

From: Barsodi.John [mailto:john.bars...@igt.com] 
Sent: Monday, March 09, 2009 6:34 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

 

Or if you have an archive system in place, most of the big players have this
capability when their client is running on your user's machines.  Something
I looked at when POCing archive systems with Ex 2003.  Else, like Michael
said - Exchange 2007.  Upgrade to 2007 and experience the sweetness of
managed folders.

 

- John Barsodi

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 3:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

 

It's a capability present in Exchange 2007, but I don't know of any
automated way to do it in Exchange 2003.

 

From: Eric Woodford [mailto:ericwoodf...@gmail.com] 
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

 

Can you maybe push that out via group policy? 

 

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them owner
rights to it?! 

 



 

On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall
 wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally a
way to create it so that it comes back if they delete it.

 

Olly

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

g2supportsmall_250x58

 

Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com  

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

RE: Exchange 2003 and creating folders for users

[Michael B. Smith]

"When the only tool you have is a sledgehammer, everything looks like a
railroad spike."

 

ExMerge is definitely a sledgehammer. J I would have to test to be 100%
certain, but I think that ExMerge, like Export-Mailbox in 2007, will only
create the folder if there is something to export. Which raises the dilemma
of ensuring there is something to export!

 

It's moderately easy to do in MAPI, and I've written scripts under contract
to do that kind of thing. Glen Scales might have samples on his Exchange
development blog.

 

But I was referring to in-built functionality.

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Monday, March 09, 2009 6:46 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

 

ExMerge for an initial push of the folder?  Automatic-no idea.   Somehow, I
have seen Anti-Virus company automatically create Outlook folders, but no
idea how.  You might need to build an Outlook Plugin.  

 

  _  

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 5:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

It's a capability present in Exchange 2007, but I don't know of any
automated way to do it in Exchange 2003.

 

From: Eric Woodford [mailto:ericwoodf...@gmail.com] 
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

 

Can you maybe push that out via group policy? 

 

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them owner
rights to it?! 

 



 

On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall
 wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally a
way to create it so that it comes back if they delete it.

 

Olly

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

g2supportsmall_250x58

 

Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com  

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 

 

 

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

Re: Exchange 2003 and creating folders for users

[Kurt Buff]

Yeah, I should be rich, too, but I'm not.

By any chance are these presentations archived somewhere so that we
can download them later for our edification?


Kurt

On Mon, Mar 9, 2009 at 14:52, Michael B. Smith
 wrote:
> 
>
> Which, by the way, I’ll be giving a session on next week at WinConnections
> Spring 2009 in the sunny & beautiful Orlando Florida!
>
>
>
> EXC15: Exchange Messaging Records Management
>
>
>
> I’ll also be presenting sessions on Exchange HA with WLBS and Exchange 2007
> monitoring with OpsMgr 2007.
>
>
>
> Another familiar face from this mailing list, William Lefkovics, will also
> be presenting three sessions; on Exchange Tools, Exchange Security Best
> Practices, and using PAL – The Performance and Log Analyzer.
>
>
>
> Come say “hi” if you are there! If you aren’t – you should be! J
>
> 
>
>
>
> Regards,
>
>
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>
> My blog: http://TheEssentialExchange.com/blogs/michael
>
> Monitoring Exchange w/OpsMgr now available http://snurl.com/45ppf
>
>
>
> From: Barsodi.John [mailto:john.bars...@igt.com]
> Sent: Monday, March 09, 2009 6:34 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Exchange 2003 and creating folders for users
>
>
>
> Or if you have an archive system in place, most of the big players have this
> capability when their client is running on your user’s machines.  Something
> I looked at when POCing archive systems with Ex 2003.  Else, like Michael
> said – Exchange 2007.  Upgrade to 2007 and experience the sweetness of
> managed folders.
>
>
>
> - John Barsodi
>
> From: Michael B. Smith [mailto:mich...@theessentialexchange.com]
> Sent: Monday, March 09, 2009 3:29 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Exchange 2003 and creating folders for users
>
>
>
> It’s a capability present in Exchange 2007, but I don’t know of any
> automated way to do it in Exchange 2003.
>
>
>
> From: Eric Woodford [mailto:ericwoodf...@gmail.com]
> Sent: Monday, March 09, 2009 6:26 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Exchange 2003 and creating folders for users
>
>
>
> Can you maybe push that out via group policy?
>
>
>
> Scripting would be difficult as you would need to open a Mapi profile to
> each mailbox (slow and you'd need to run it each day), and create the
> folder, then it wouldn't even be permanent unless you don't give them owner
> rights to it?!
>
>
>
>
>
> On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall
>  wrote:
>
> Is there a way to create a folder in users mailboxes with 2003 ? Ideally a
> way to create it so that it comes back if they delete it.
>
>
>
> Olly
>
>
>
>
>
> --
>
> G2 Support
>
> Network Support : Online Backups : Server Management
>
>
>
>
>
> Tel:    0870 904 3443
>
> Email:  oliver.marsh...@g2support.com
>
> Web:    http://www.g2support.com
>
> Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA
>
>
>
> G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
>
> BN3 7LE. Our registered company number is OC316341.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Exchange 2003 and creating folders for users

[Sam Cayze]

Very true.  Well, to make sure Exmerge worked, and kill another bird,
you could keep an Item in the source folder with the Subject line: "Quit
deleting this folder"   :)
 
i'm not really serious though...



From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 6:01 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users



"When the only tool you have is a sledgehammer, everything looks like a
railroad spike."

 

ExMerge is definitely a sledgehammer. J I would have to test to be 100%
certain, but I think that ExMerge, like Export-Mailbox in 2007, will
only create the folder if there is something to export. Which raises the
dilemma of ensuring there is something to export!

 

It's moderately easy to do in MAPI, and I've written scripts under
contract to do that kind of thing. Glen Scales might have samples on his
Exchange development blog.

 

But I was referring to in-built functionality...

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Monday, March 09, 2009 6:46 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

 

ExMerge for an initial push of the folder?  Automatic-no idea.
Somehow, I have seen Anti-Virus company automatically create Outlook
folders, but no idea how.  You might need to build an Outlook Plugin.  

 



From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Monday, March 09, 2009 5:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2003 and creating folders for users

It's a capability present in Exchange 2007, but I don't know of any
automated way to do it in Exchange 2003.

 

From: Eric Woodford [mailto:ericwoodf...@gmail.com] 
Sent: Monday, March 09, 2009 6:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2003 and creating folders for users

 

Can you maybe push that out via group policy? 

 

Scripting would be difficult as you would need to open a Mapi profile to
each mailbox (slow and you'd need to run it each day), and create the
folder, then it wouldn't even be permanent unless you don't give them
owner rights to it?! 

 



 

On Mon, Mar 9, 2009 at 7:44 AM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:

Is there a way to create a folder in users mailboxes with 2003 ? Ideally
a way to create it so that it comes back if they delete it.

 

Olly

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

 

 

Tel:0870 904 3443

Email:  oliver.marsh...@g2support.com

Web:http://www.g2support.com  

Mail:   2nd Floor, 130a Western Rd, Brighton, Sussex, BN12LA

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 

 

 

 

 


 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~<>

SCR Zero Dataloss

[Liby Philip Mathew]

Hi there,
I am in the midst of deploying SCR.
My environment 2 DC, 1 stand alone Mailbox server on Windows 2003 x64 and 1 
Edge server on Windows 2003 x64.
How do I configure the SCR target for 0 data loss?
What are the drawbacks when I opt for 0 data loss?
What are the backup options I have?
Right now I have NTBackup dump the database locally to the disk with log 
truncation and backup using Symantec 12 to tape.
Appreciate a your inputs and suggestion
Regards
Liby



Disclaimer
[The information contained in this e-mail message and any attached files are 
confidential information and intended solely for the use of the individual or 
entity to whom they are addressed. This transmission may contain information 
that is privileged, confidential or exempt from disclosure under applicable 
law. If you have received this e-mail in error, please notify the sender 
immediately and delete all copies. If you are not the intended recipient, any 
disclosure, copying, distribution, or use of the information contained herein 
is STRICTLY PROHIBITED. Path Solutions accepts no responsibility for any 
errors, omissions, computer viruses and other defects.]

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~