Daily IT Matters, this is the place where I post my daily findings on IT.

Thursday, September 27, 2007

RPC over HTTP for Outlook

Project: RPC over HTTP for Outlook

Introduction

RPC over HTTP for Outlook 2003 / 2007 is a technique for using Outlook as a mail client for Exchange remotely, from anywhere, while keeping all the features you have when you are sitting at your desk at work (I presume you already use Outlook as a client for Exchange at work).

Advantages:

  1. Only one port open at the firewall: port 443.
    Up to now we have SMTP, POP3 and HTTP (25, 110 and 80) wide open to the outside world, to support email, Outlook Web Access and Outlook Mobile Access.
  2. The SMTP port can now be configured to only accept mail from your provider (I have bSMTP set up); this will significantly decrease the number of attacks on our network. SMTP is prone to attacks and is used a lot by spammers (searching for open relays).
  3. All data coming in and out of the network is now encrypted through SSL.

Disadvantages:

  1. The Outlook client must be version 2003 or later.
  2. The OS must be Windows XP SP1 with http://go.microsoft.com/fwlink/?linkid=3052&kbid=331320 installed, or simply SP2.
  3. The Outlook client is harder to set up (I do not really think it is hard, but it is different).

Setup:

The first thing to do is to set up an RPC proxy on the Exchange server.
This is done from Add/Remove Programs: go to Networking Services and select RPC Proxy there.
Installing is just a point-and-click exercise; there is nothing to it.

After the installation has finished there is one more thing you should do.

The setup installs two virtual directories under your Default Web Site in IIS 6:

- Rpc

- RpcWithCert

We need to configure the directory security on the Rpc object (and not on the Default Web Site! Doing that will break OWA). First disable anonymous access and enable Basic Authentication. Also fill in your domain name under Default Domain and Realm; mine is <domain>.local. When you hit OK there will be a message stating that passwords will be sent in cleartext and that protocol analyzers can gather them; this does not apply to HTTPS connections, since the whole connection is encrypted, so you can safely hit Yes.

Now we should set up the RPC proxy to use specific ports.

You must do this by editing the registry. Locate the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

servername:6001-6002;
servername.domain.local:6001-6002;
remote.domain.com:6004

The above must be entered on one line, as the data of the ValidPorts value under that key.

servername = the NetBIOS name of the server (no FQDN)

servername.domain.local = the internal FQDN (servername + your domain name)

remote.domain.com = the external name under which the website is reachable
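As an added example (not part of the original post), the following PowerShell script writes the ValidPorts value described above and then checks the directory security on /Rpc from the earlier step, including that the Default Web Site itself still allows anonymous access. It assumes it runs as an administrator on the Exchange/IIS 6 server with PowerShell 2.0 or later, that the Rpc virtual directory sits under the Default Web Site (metabase path W3SVC/1, read through the IIS ADSI provider), and the three hostnames at the top are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Assumes: run as administrator on the
# Exchange/IIS 6 server, PowerShell 2.0 or later, Rpc directory under the Default
# Web Site (metabase path W3SVC/1). The three names below are placeholders.
$NetbiosName  = 'servername'
$InternalFqdn = 'servername.domain.local'
$ExternalName = 'remote.domain.com'

# ---- 1. ValidPorts: one REG_SZ line, entries separated by ';' ----
$rpcProxyKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$validPorts  = '{0}:6001-6002;{1}:6001-6002;{2}:6004' -f $NetbiosName, $InternalFqdn, $ExternalName
Set-ItemProperty -Path $rpcProxyKey -Name ValidPorts -Value $validPorts -Type String

# Read it back and make sure every entry is host:port or host:port-port.
$stored = (Get-ItemProperty -Path $rpcProxyKey -Name ValidPorts).ValidPorts
$bad = @($stored -split ';' | Where-Object { $_ -ne '' -and $_ -notmatch '^[\w.-]+:\d+(-\d+)?$' })
if ($bad.Count -gt 0) { throw "ValidPorts contains malformed entries: $($bad -join ', ')" }

# ---- 2. Directory security on /Rpc only, never on the Default Web Site ----
function Get-MetabaseValue([ADSI]$Node, [string]$Name) {
    # psbase reaches the underlying DirectoryEntry regardless of how PowerShell
    # wraps ADSI objects; the IIS 6 ADSI provider exposes metabase properties here.
    $Node.psbase.Properties[$Name].Value
}
$rpcDir   = [ADSI]'IIS://localhost/W3SVC/1/Root/Rpc'
$siteRoot = [ADSI]'IIS://localhost/W3SVC/1/Root'

$problems = @()
if ([bool](Get-MetabaseValue $rpcDir 'AuthAnonymous'))      { $problems += '/Rpc still allows anonymous access' }
if (-not [bool](Get-MetabaseValue $rpcDir 'AuthBasic'))     { $problems += '/Rpc does not allow Basic authentication' }
if (-not (Get-MetabaseValue $rpcDir 'DefaultLogonDomain'))  { $problems += '/Rpc has no default domain set' }
# Basic authentication only carries the password safely inside the SSL tunnel, so
# the directory must require SSL: bit 8 (AccessSSL) of AccessSSLFlags.
if (-not ([int](Get-MetabaseValue $rpcDir 'AccessSSLFlags') -band 8)) { $problems += '/Rpc does not require SSL' }
# The site root must keep anonymous access, otherwise OWA breaks as noted above.
if (-not [bool](Get-MetabaseValue $siteRoot 'AuthAnonymous')) { $problems += 'Default Web Site lost anonymous access (OWA will break)' }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { "ValidPorts = $stored"; '/Rpc directory security looks right.' }
```

The read-back of ValidPorts catches the usual slip of a stray space or line break when the three entries are typed into the registry editor by hand, and the SSL check makes explicit the condition under which the "passwords sent in cleartext" warning can be ignored.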

The RPC proxy is set up correctly now; we can move on to the next part.

Setting up Exchange

The next part is configuring Exchange 2003 SP1 as a back-end server for RPC (SP1 must be installed, otherwise the settings below are not available and you are left editing the registry).

Go to the ESM, find the server, right-click it and go to the RPC – HTTP tab.

There you will find the following setting:

RPC-HTTP back-end server. Select it.

You will have to restart your machine to complete the setup.

After the machine has rebooted, you are ready to configure an Outlook client.

Contrary to what others on the web are saying, there is really nothing fancy about it; you don't need to be on your LAN first to set it up.

Setting UP an Outlook Profile

Just create an Exchange profile (I assume you know how).

Type in the NetBIOS name of the server on the first page.

Type in your name (if you are remote, the name resolution will not work; just click Cancel then). After you have done this go to [More Settings] -> tab [Connection] -> section [Exchange over the Internet] and select the Exchange proxy settings.

In the HTTPS part type in your remote.domain.com, and select Basic authentication.

NTLM may or may not work, because some firewalls modify NTLM packets as they pass through; Basic authentication always works.

(Trade-off: you will always have to enter a password when you connect Outlook to Exchange. Some might see this as an advantage instead of a trade-off.)

Make sure you select both settings about using HTTP first instead of TCP.

(At least that is what I do.)

Now all you have to do is get an SSL certificate and install it on your machine.

Installing SSL certificate from Godaddy.

Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):

i. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).

ii. In the Management Console, select File; then "Add/Remove Snap In."

iii. In the Add/Remove Snap-In dialog, select Add.

iv. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.

v. Choose Computer Account; then click Next and Finish.

vi. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.

vii. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.

viii. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.

ix. Follow the wizard prompts to complete the installation procedure.

x. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).

xi. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.

xii. Click Finish.

Installing SSL Certificate

i. Select the Internet Information Service console within the Administrative Tools menu.

ii. Select the Web site (host) for which the certificate was made.

iii. Right mouse-click and select Properties.

iv. Select the Directory Security tab.

v. Select the Server Certificate option.

vi. The Welcome to the Web Server Certificate Wizard window opens. Click OK.

vii. Select Process the pending request and install the certificate. Click Next.

viii. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).

ix. When the correct certificate file is selected, click Next.

x. Verify the Certificate Summary to make sure all information is accurate. Click Next.

xi. Select Finish.

Now you're done.

This is how I've done it; if you have questions, feel free to email me.

Tuesday, September 25, 2007

How to Uninstall WSUS 3.0 after you have (removed/fucked up) the database manually

Well, if somehow your WSUS 3.0 database becomes corrupt,
due to a database administrator removing the instance, for example.

I tried to remove it through the Add/Remove Programs dialog, but all I got back was:


Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11725
Date: 25-09-2007
Time: 11:17:18
User: Domain\Administrator
Computer: WSUSSERVER
Description:
Product: Microsoft Windows Server Update Services 3.0 -- Removal failed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 7b 32 43 30 44 37 45 33 {2C0D7E3
0008: 35 2d 45 45 36 45 2d 34 5-EE6E-4
0010: 44 43 37 2d 42 41 31 33 DC7-BA13
0018: 2d 32 43 36 38 41 45 44 -2C68AED
0020: 45 42 35 39 44 7d EB59D}


And voilà, the program was removed from the Add/Remove Programs dialog.
So I had nothing.

Inspecting the WSUS installation log at %temp%\wsus*.log
reveals the following:

MSI (s) (8C:74) [11:17:38:402]: Product: Microsoft Windows Server Update Services 3.0 -- Removal failed.

There you have it: you have absolutely nothing to work on.

Then you will have to do the following to get your WSUS back.

First, what I did was to completely remove the database.
I had used the internal WSUS 3.0 database, so to remove that I did the following.
Go to a command prompt and type:

msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe
I found this on Microsoft TechNet.

This starts the uninstallation of the Windows Internal Database.
So the first hurdle has been taken: the database is gone.

Now I wanted to start the installation of WSUS again, but this resulted in the same vague error messages I already described above.

Now I had to remove the complete installation of WSUS 3.0, which is an MSI app.
I remembered that there was a Windows Installer CleanUp Utility.

I downloaded it from Microsoft:
Windows Installer CleanUp Utility

When I ran that utility on the machine it showed me a lot of programs, but also the crooked WSUS 3.0. I selected that one and chose [Remove].
The application log showed the following:

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11707
Date: 25-09-2007
Time: 11:23:16
User: Domain\Administrator
Computer: WSUSSERVER
Description:
Product: Windows Installer Clean Up -- Installation operation completed successfully.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 31 32 31 36 33 34 42 {121634B
0008: 30 2d 32 46 34 42 2d 31 0-2F4B-1
0010: 31 44 33 2d 41 44 41 33 1D3-ADA3
0018: 2d 30 30 43 30 34 46 35 -00C04F5
0020: 32 44 44 35 32 7d 2DD52}


That is what I wanted to see.

After that I manually removed the installation folder of WSUS, which in my case was
D:\WSUS.

This enabled me to re-install WSUS 3.0, and it's now purring like a kitten.

Here is my clientdiag output from the command prompt on my machine.

C:\clientupdate>clientdiag

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is not running. PASS
Wuaueng.dll version 7.0.6000.374. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type

Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://wsusserver
WUStatusServer = http://wsusserver
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
Connection to server. . . . . . . . . . . . . . . . . . PASS
SelfUpdate folder is present. . . . . . . . . . . . . . PASS

Press Enter to Complete


Yes, I have re-downloaded all the updates; maybe it's possible to keep the download folder for the updates, but I haven't tried it.

I hope this will help you in uninstalling WSUS and reinstalling WSUS 3.0.

Sunday, September 23, 2007

Desktop Security

Well, this entry deals with the current security setup I have on my computer,
and explains why I have it installed.

Security comes in several layers (I'm not talking about OSI).

1. Router firewall / NAT.
2. Software firewall (application-based firewall).
3. Host-based intrusion protection (HIPS).
4. Antivirus.
5. Anti-spyware.

1. The first one is pretty simple: either you have it or you don't.
The router I got with my broadband comes with NAT but no firewall.
NAT = Network Address Translation.
NAT offers a nice first layer of defense against hackers, because they need to figure out what the internal network is.

The internal network can be easy to figure out with a specially crafted website; there are several websites that show your internal IP address on your network.

e.g. http://ip-lookup.net/lan-address

You see, it's easy to get your local LAN address.
Here are some Apache logs. I had Apache running locally for MRTG and I had NOT done any port forwards on my router, so my Apache should not get any attempts from outside. (So why the hell did this happen on my system? Luckily the attempts were all unsuccessful.)

[Wed Jan 31 23:00:33 2007] [error] [client xxx.xxx.xxx.xxx] File does not exist: c:/mrtg/wwwroot/scripts/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe
[Wed Jan 31 23:00:33 2007] [error] [client xxx.xxx.xxx.xxx] File does not exist: c:/mrtg/wwwroot/scripts/../../../../../../../..//winnt/system32/cmd.exe
[Wed Jan 31 23:00:33 2007] [error] [client xxx.xxx.xxx.xxx] File does not exist: c:/mrtg/wwwroot/iisadmpwd/../../../../../../../..//winnt/system32/cmd.exe
[Wed Jan 31 23:00:33 2007] [error] [client xxx.xxx.xxx.xxx] File does not exist: c:/mrtg/wwwroot/msadc/../../../../../../../..//winnt/system32/cmd.exe
[Wed Jan 31 23:00:33 2007] [error] [client xxx.xxx.xxx.xxx] (2)No such file or directory: script not found or unable to stat: c:/mrtg/apache/cgi-bin/../../../../../../../../

Now that looks like a nice attempt by a script kiddie.
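As an added example, not from the original post: a PowerShell function that scans Apache error-log lines like the ones above and flags directory-traversal probes, decoding percent-encoding first so that the `.%2e` variant is caught together with the plain `../` form, then summarises the probes per client address. The sample lines are constructed (192.0.2.0/24 is a documentation address range), it needs PowerShell 2.0 or later for `-split`, and the log path in the last comment is a placeholder.

```powershell
# Added example, not from the original post. Flags directory-traversal probes in
# Apache error-log lines. Sample lines are constructed; 192.0.2.x is a documentation range.
$sampleLog = @'
[Wed Jan 31 23:00:33 2007] [error] [client 192.0.2.10] File does not exist: c:/mrtg/wwwroot/scripts/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe
[Wed Jan 31 23:00:33 2007] [error] [client 192.0.2.10] File does not exist: c:/mrtg/wwwroot/msadc/../../../../../../../..//winnt/system32/cmd.exe
[Wed Jan 31 23:00:34 2007] [error] [client 192.0.2.10] (2)No such file or directory: script not found or unable to stat: c:/mrtg/apache/cgi-bin/../../../../../../../../
[Wed Jan 31 23:05:12 2007] [error] [client 192.0.2.55] File does not exist: c:/mrtg/wwwroot/favicon.ico
'@

function Get-TraversalProbes {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Pull the client address and the filesystem path Apache tried to open
        # (the path is the last whitespace-free token, after the final ': ').
        if ($line -notmatch '\[client (?<ip>[^\]]+)\].*:\s+(?<path>\S+)$') { continue }
        $client  = $Matches['ip']
        $rawPath = $Matches['path']
        # Decode percent-encoding so ".%2e" and "%2e%2e" are seen as "..".
        $decoded  = [uri]::UnescapeDataString($rawPath)
        $segments = @($decoded -split '[/\\]+' | Where-Object { $_ -ne '' })
        $climbs   = @($segments | Where-Object { $_ -eq '..' }).Count
        if ($climbs -eq 0) { continue }   # ordinary 404, not a traversal attempt
        New-Object PSObject -Property @{
            Client  = $client
            Climbs  = $climbs                    # number of ".." steps in the request
            Encoded = ($decoded -ne $rawPath)    # true when the probe hid ".." behind %2e
            Target  = $segments[-1]              # what the request was reaching for
            Line    = $line
        }
    }
}

# Usage: table of probes, then a per-client count for a firewall or blocklist review.
$probes = @(Get-TraversalProbes ($sampleLog -split "`r?`n"))
$probes | Format-Table Client, Climbs, Encoded, Target -AutoSize
$probes | Group-Object Client | ForEach-Object { '{0}: {1} traversal probe(s)' -f $_.Name, $_.Count }
# Real log instead of the sample (placeholder path):
# Get-TraversalProbes (Get-Content 'C:\mrtg\apache\logs\error.log')
```

On the sample, the three lines from 192.0.2.10 are reported (the first one with Encoded = True) and the plain favicon 404 from 192.0.2.55 is not; decoding before matching is what keeps the `.%2e` form from slipping past a naive search for `../`.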

2. This could have been prevented if I had installed an application-based firewall.
Currently I run Comodo version 3.0.7.208 (which is beta and should not be used, because sometimes the configuration goes AWOL). But you can save your config file while it is OK, and when it goes AWOL you simply reload the config file. This is a bit of a hassle, but hey, you get something nice back.

Comodo 3.0.7.208 (current beta = 3.0.8.214)
The new beta will address the config loss problem.
Opening a port in Comodo can be quite tricky, and this might be a problem for the regular home user who only wants to download a nice torrent file.

This option has been tucked away under Firewall Settings / Advanced / Network Security / Global Rules. It took me 15 minutes to find it.

The Comodo beta also comes equipped with Defense+, which is a HIPS (host-based intrusion protection). This feature can get on your nerves, as it really can ask your ears off.
But that is quite easy to solve by adjusting the settings.

3. Comodo comes equipped with a HIPS, but I now run ThreatFire on my PC (because Comodo asks your ears off).
ThreatFire is the artist formerly known as Cyberhawk.
I love it; it tells you when something fishy is going on and doesn't ask your ears off like Comodo Defense+. I really think this is a necessary add-on to your security.

4. Antivirus: most people do have an antivirus solution but forget to let it update,
or they let the subscription run out, leaving the system open to new viruses.
I run Avast on my machine; you can request a free serial for updates.
Avast runs pretty flawlessly on my system and doesn't render my PC useless when doing a scan, like Kaspersky does.

5. Anti-spyware: I run Spyware Terminator and I'm really pleased with it.
There isn't much you can say about it, other than that it really protects your system.
Hmm, I went into the settings again and it seems that it has now suddenly gained a HIPS as well. I've turned it on and I'll see if it is any good.
I will let you know in a few hours.

All of this security doesn't take more than 25 MB of memory, which is quite acceptable.

I hope this makes your pc and home network a bit safer without crippling your systems.

Links.

Comodo Firewall.
www.personalfirewall.comodo.com
Threatfire
www.threatfire.com
Spyware Terminator
http://www.spywareterminator.com/
Avast
www.avast.com/eng/avast_4_home.html