Windows Management and Scripting

A wealth of tutorials: Windows Operating Systems, SQL Server and Azure

Posts Tagged ‘proxy server’

How to Setup RPC over HTTP for Microsoft Outlook

Posted by Alin D on June 27, 2011

Most of the work for setting up RPC over HTTP actually has to be done on the server side. On the client side, you’ll need to ensure that your client computers are running Microsoft Windows XP. If you’re using Service Pack 1, you’ll need the Q331320 hotfix, which is included with Service Pack 2 and later. You’ll also need to have Exchange Server 2003 running on Windows Server 2003 for the front-end and back-end servers your users communicate with, and all global catalogs and domain controllers that your servers and clients talk to must also be running Windows Server 2003.

Note: The Office Resource Kit contains a wealth of material on deploying RPC over HTTP using the Custom Installation Wizard, which makes it possible to seamlessly enable it for some or all of your users at the time you deploy it.

The settings for RPC over HTTP are associated with individual profiles and can only be applied to a single Exchange server account in each profile. You modify these settings using the same interface you’re probably familiar with, but the settings themselves are different. (Remember, you must already have set up your Exchange servers and global catalogs as described in Chapter 11.)

The key to getting RPC over HTTP set up for Outlook is found in a single simple check box, Connect To My Exchange Mailbox Using HTTP, shown in Figure 13-4. (You get to this check box by editing an account with the Tools | Email Accounts command, clicking Change, clicking More Settings, and clicking the Connection tab.) This check box is visible when you’re running Outlook 2003 on a system that meets the prerequisites and talking to an Exchange server that meets its prerequisite requirements. If any component is missing or misconfigured, the check box won’t appear.

After you select the check box, of course, the real fun begins. The Exchange Proxy Settings button controls the appearance of the Exchange Proxy Settings dialog box (see Figure 13-5). You can specify the URL for your Exchange server (which, for a standard Exchange Server 2003 installation, will be the same as the name of the front-end server) and whether you want to require the use of SSL. For maximum security, you should ensure that the Connect Using SSL Only and Mutually Authenticate The Session When Connecting With SSL check boxes are both selected; this combination provides the best protection against spoofing and eavesdropping. The other settings are pretty much irrelevant from a security standpoint, with the exception of the Use This Authentication When Connecting To My Proxy Server For Exchange control.

There are two other useful things to know about Outlook 2003 RPC over HTTPS support. The first is that you can disable the user interface controls that let users change RPC over HTTPS behavior. This is useful if you want to ensure that your users don’t set it up on their own, or if you want to prevent them from changing settings once you’ve deployed them. To do this, add the EnableRPCTunnelingUI value (a REG_DWORD) to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\RPC. When this value is set to 0, the user interface (UI) controls are hidden; when it’s set to 1, or not present, the UI controls are visible as long as Outlook is running on a machine that meets the operating system requirements.

The other useful thing to know is that you can turn on RPC over HTTPS at a later date, after your initial Outlook 2003 deployment. To do this, you should use the Office Resource Kit’s Custom Maintenance Wizard, which lets you make some types of configuration changes and deploy them as files that can automatically update installed Office configurations.


How to Use Forefront to guard Microsoft Exchange Server

Posted by Alin D on June 12, 2011

Introduction

Microsoft Forefront Server for Exchange (FSE) is a tool that helps companies deal with the threats associated with e-mail service. Microsoft Exchange is used in a large number of businesses for e-mail services. Exchange was not always so widely used, but its integration with Active Directory (starting with Exchange 2000) made it a more viable product for companies to use. The number of threats written to compromise these systems has increased as more companies implement Exchange in their infrastructure. The importance of e-mail to productivity in most companies is the reason that extra security mechanisms, like Microsoft FSE, need to be in place. Attachments and phishing scams pose serious threats to companies. Microsoft FSE gives companies extra mechanisms to filter attachments and scan for viruses.

The Microsoft FSE server allows network administrators to centrally manage the security of the exchange servers. Administrators using FSE can conduct filtering, scanning, and job scheduling of e-mail-related attachments from a central management console. Reports can give the security professional using FSE indication of what the real problems are and help them to discern from where they are originating. Using FSE can help companies effectively deal with security issues related to e-mail.

How to implement Microsoft Forefront Server for Exchange

When you are implementing FSE you should ensure that you carefully plan your deployment to ensure that the additional load placed on your FSE servers does not negatively impact performance and that you do not inadvertently block legitimate messages.

Due to the filtering abilities of FSE, it is very easy to block legitimate messages. This causes inconvenience for the recipient of the message, but also creates more work for administrators, who either have to provide an alternative method of sending files to people or retrieve the files from quarantine and forward them to the recipient. Depending on the number of legitimate attachments that are blocked, you may have to dedicate significant resources to reviewing and delivering quarantined attachments.

It is common within companies to block executable attachments from being sent and received. This is done to protect the company’s infrastructure from programs, which could potentially cause problems, and also prevent potentially dangerous attachments being sent to third parties. While this will help to protect your infrastructure, it can easily cause legitimate messages to be blocked causing inconvenience to the sender and the recipient.

Planning a FSE Deployment

The complexity of your FSE deployment will vary depending on the complexity of your Exchange infrastructure and the types of message filtering you want to implement. In order to help with your planning it is recommended that you split this into two components: Antivirus (AV) scanning and message filtering. When you are planning the deployment of FSE, it is important to understand the Exchange infrastructure. It is assumed in the course of this chapter that an Exchange 2007 infrastructure is being used. In Exchange 2007, the functionality has been split into five roles:

Client Access Server: Allows clients to access Exchange.

Hub Transport Server: Transports messages between mailbox servers and to edge transport servers.

Mailbox Server: Stores users’ mailboxes.

Unified Messaging Server: Provides unified messaging capabilities.

Edge Transport Server: Allows messages to be sent and received from external sources.

The first four roles can all be installed on a single server for small deployments. The Edge Transport Server has to be installed on its own server as it usually resides in a perimeter network.

This chapter will refer to different roles when indicating where to install or how to configure FSE. It is assumed that these are installed on separate servers.

Antivirus Scanning

FSE allows you to virus scan messages as they enter and transit through your Exchange infrastructure, and again when they are in the user’s mailbox. This is done by deploying FSE on your Edge and Hub Transport roles and on the Mailbox role. It is recommended that you deploy AV scanning on all of your servers running FSE. This ensures that all messages are virus-scanned, providing a safe Exchange infrastructure.

You can use up to five AV engines to scan each message and then attempt to clean the message, remove the attachment, or log that a virus was detected. When messages are cleaned or removed, they can be quarantined, allowing you to retrieve the files if required. You can specify different AV engines for each of the three Scan Job types (Transport, Real Time, and Manual), although it is recommended that you keep them the same.

On servers running the edge and hub roles, you can choose to scan internal, incoming, and outgoing messages. It is recommended that you choose to scan all three. This allows you to ensure that no virus-infected messages enter or leave your organization and that internal machines are not sending viruses to your own users.

By default, FSE only virus scans a message once; this allows for the best use of resources across your Exchange infrastructure. This means that if a message is scanned on an edge role, it will not be re-scanned on the hub role used to relay the message through your organization.

On servers running the mailbox role, you have more control over which messages are virus-scanned. You can perform real time scanning, which allows messages to be scanned as they are accessed. By default, this will only scan messages that have not been scanned for viruses before. These are usually public folder posts, calendar appointments, and messages in folders like Sent Items, as these messages do not pass through the hub role. While there is an overhead to scanning messages as they are accessed, in terms of both resources and a delay to the end user, the impact should be minimal due to the small number of messages that will be scanned.

You can also configure messages to be background scanned. Background scanning re-scans messages that have been received or created within the last x days. Because new AV definitions will likely have been released since the original scan, this catches any viruses that were not detectable at the time. This is the only AV scan that will, by default, re-scan messages that have previously been virus-scanned. Running this scan is a considerable overhead, so you should set it to run in off-peak hours.

The final option is to perform a manual scan, which can be scheduled to run at a specific time. This is most commonly used when you first install FSE, to allow you to scan and stamp all existing messages, ensuring that your infrastructure is virus free. AV stamping is used to indicate that a message has already been virus-scanned. This stamp is placed in the message header when it is being routed through the Exchange infrastructure.

Once the message has been accepted into the user’s mailbox, the AV stamp is converted into a MAPI property of the message.

For each of the Scan Jobs on the Mailbox Role, you can choose which mailboxes they scan. This can be useful if you have a large number of mailboxes and you want to use the Manual Scan Job to scan these in batches. For the Real Time Scan Job, it is recommended that you scan all mailboxes, which will ensure that your entire infrastructure is protected.

Once a message is detected as containing a virus, the recommended action is to delete the attachment. While you can opt to clean a message, this uses considerable resources and most attachments containing viruses are usually unsolicited. Therefore, there is no point in trying to clean them. Unsolicited messages are also known as spam.

These messages usually have commercial content that the recipient has not requested. It is common for these messages to carry misleading attachments that contain viruses.

When you are planning your AV protection, you should ensure that all of your messages are scanned at least once to ensure that they are free from viruses. You should do this not only for incoming messages, but also for outgoing and internal messages.

By scanning these messages you are ensuring that you are not sending viruses to other companies and that your entire infrastructure remains virus free. If you opt to quarantine detected viruses, you should ensure that you clean out the quarantine area on a regular basis so that the quarantine database does not fill up and disk space does not run out. You can opt to automatically purge this information after a number of days. It is recommended that you enable this and purge messages after 30 days. The purge setting will also affect messages quarantined due to message filtering.

Message Filtering

Message Filtering in FSE allows you to filter messages based on attachments, message content, keywords, and who is sending the message. This filtering is in addition to the filtering performed by the Exchange Edge role and is performed after the Edge filtering. Therefore, it is likely that a large amount of unsolicited e-mail will have been rejected by this stage.

FSE Message Filtering is a lot more flexible than the filtering offered in Exchange, and allows you to quarantine the messages you filter. This allows you to recover deleted messages and attachments if required, along with being able to create highly complex and customized filters to meet your company’s requirements.

It is vital that you plan your filtering correctly, otherwise you could end up filtering messages that you never intended to. The Transport Scan Job allows you to filter messages based on their attachments and the contents of the message body. You can specify senders that you always want to receive e-mails from; these are known as safe senders. If you enable filtering on the Real Time and Manual Scan Jobs, you can filter messages based on their attachments and against the contents of the Subject and the Sender’s Domain.

It is recommended that you restrict all file filtering to the Transport Scan Job. This way messages are only scanned once before they are submitted for delivery. The reason for this is that if you enable filtering for executable files in the real time scan and a user attempts to send a message with an executable file attached, the message will be modified while it sits in the Drafts folder. This will result in an error when the user tries to send the e-mail. These error messages can cause confusion for the sender and may result in an increased number of calls to your Helpdesk.

By moving the file filtering to the Transport Scan Job, users will be able to send e-mails, but they will be checked during transit. This allows for the message to be filtered and for a notification e-mail to be sent if configured. While this has the same end effect as the message being filtered in Drafts, the end user has a better experience. When you configure file filtering you can do this based on extension, type, and file size. This provides you with a large amount of flexibility when configuring the file filters. It is recommended that you filter by file type wherever possible, as this prevents people from changing a file extension to bypass the filter. An example of file filtering will be provided in the configuration section of this chapter.
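As an added example (not part of the original post, and not FSE’s own filter code), the PowerShell below shows why the post prefers filtering by file type over filtering by extension: it identifies an attachment from its leading bytes and flags a mismatch with the declared extension. The signature table and the sample attachments are constructed for the example.

```powershell
# Added example: detect an attachment's real type from its leading ("magic") bytes
# and compare it with the extension it was given. Signature table is deliberately short.
$Signatures = @(
    @{ Type = 'executable (PE/DOS)';   Magic = [byte[]](0x4D, 0x5A);                                     Extensions = @('.exe', '.dll', '.scr', '.com') },
    @{ Type = 'zip container';         Magic = [byte[]](0x50, 0x4B, 0x03, 0x04);                         Extensions = @('.zip', '.docx', '.xlsx', '.pptx') },
    @{ Type = 'OLE compound document'; Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1); Extensions = @('.doc', '.xls', '.ppt', '.msg') },
    @{ Type = 'PDF';                   Magic = [byte[]](0x25, 0x50, 0x44, 0x46);                         Extensions = @('.pdf') }
)

function Get-AttachmentType {
    # Returns the first signature whose magic bytes prefix the content, or $null if none match.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    foreach ($sig in $Signatures) {
        $magic = $sig.Magic
        if ($Bytes.Length -lt $magic.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $magic.Length; $i++) {
            if ($Bytes[$i] -ne $magic[$i]) { $match = $false; break }
        }
        if ($match) { return $sig }
    }
    return $null
}

function Test-AttachmentMismatch {
    # Compares the declared extension with the detected type and applies a simple
    # example policy: executable content is blocked whatever the file is called.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][byte[]]$Bytes
    )
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $sig = Get-AttachmentType -Bytes $Bytes
    if ($null -eq $sig) {
        return [pscustomobject]@{ Name = $Name; DetectedType = 'unknown'; Mismatch = $false; Block = $false }
    }
    $mismatch = -not ($sig.Extensions -contains $ext)
    $block = ($sig.Type -like 'executable*')
    [pscustomobject]@{ Name = $Name; DetectedType = $sig.Type; Mismatch = $mismatch; Block = $block }
}

# Constructed sample "attachments": an executable renamed to .txt (the extension-rename
# trick the post warns about), a genuine .docx, and plain text with no known signature.
$samples = @(
    @{ Name = 'invoice.txt'; Bytes = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03) },
    @{ Name = 'report.docx'; Bytes = [byte[]](0x50, 0x4B, 0x03, 0x04, 0x14, 0x00) },
    @{ Name = 'notes.txt';   Bytes = [System.Text.Encoding]::ASCII.GetBytes('Meeting at 10') }
)
$samples | ForEach-Object { Test-AttachmentMismatch -Name $_.Name -Bytes $_.Bytes } | Format-Table -AutoSize
```

Running it lists invoice.txt as executable content with Mismatch and Block set, while report.docx matches its zip signature and notes.txt is reported as unknown.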

Once you have planned your file filtering, you will need to plan any other filtering methods you intend to use. If you need to check the body of the message for certain phrases, this can be done using the Transport Scan Job. Also known as keyword filtering, this filter provides more control than the content filter in FSE.

When you create a keyword filter you can configure logical operators. Logical operators allow you to specify that multiple words have to be in the message body, or that a word has to appear multiple times. Using this technique allows you to create complex filters.

The final set of filters you can create are content filters. These are available in the Real Time and Manual Scan Jobs and allow you to specify sender domains. This allows you to filter messages from certain e-mail addresses or domains. While you can perform the same functionality using sender filtering on an Exchange Edge server, this filter has the added ability to quarantine messages and can be used if you have not deployed an Edge server.

Using the content filter you can also filter messages based on their subject. This allows you to filter on common unsolicited e-mail subjects, which may be useful if you are not running an Exchange Edge server. When you start to plan your FSE filtering, you should ensure that you are not duplicating workload if you are using the anti-spam filters on an Exchange Edge server. You should not duplicate their work in FSE, as this places an additional workload on your servers. You should ensure that you test your filters before deploying them to make sure they only filter e-mail you want to filter (e.g., if you are only filtering incoming executables and not ones sent between internal recipients).

You should be aware that the more filtering you add, the higher the load on your servers. If you are using real time filtering this will also affect the access time for users when accessing messages.

How to install Forefront Server for Exchange

When you install FSE you can either install it locally on each machine or perform a remote install. Remote installs are performed from within the Forefront installer. When possible, it is recommended that local installations are performed. This section will take you through performing both a local and a remote installation, along with how to install FSE on clustered mailbox servers. When you install FSE you have two options: a Full Installation, which can be performed on Exchange servers running the Edge Transport, Hub Transport, and Mailbox roles, or a Client Installation, which installs only the Forefront Server Administrator onto administration machines and can only be performed locally.

If you have clustered mailbox servers using either Single Copy Cluster (SCC) or Cluster Continuous Replication (CCR), the installation process will differ slightly from installing on other Exchange servers. The process is different for SCC and CCR clusters. If you are using Local Continuous Replication (LCR), the installation of Forefront Server for Exchange should be the same as a normal install.

If you are using Standby Continuous Replication (SCR), you should not install FSE unless this server becomes active. Once the server is made active, you will then need to configure it as required. Fortunately, to speed up the configuration, you can use configuration templates.

When performing a local installation you should be logged into the machine as a user that has administrative rights on the machine. As part of the installation, you may be required to restart some of the Exchange services; therefore, it is recommended that installation is performed during off-peak hours.

To perform a local install:

1. Run the FSE Installer.

2. Click Next.

3. Accept the License Agreement.

4. Enter User Name and Company Name and click Next.

5. Select Local Installation and click Next.

6. For a full installation, select Full Installation and click Next.

7. Select Secure Mode or Compatible Mode and click Next. In Secure Mode, messages released from quarantine are virus-scanned and filtered again before they are forwarded; in Compatible Mode, messages released from quarantine are only virus-scanned.

8. Select up to four AV engines (see screenshot) and click Next.


9. Click Next.

10. If you need to use a Proxy Server for updates, enter Address and Port and click Next. (If you need to use a username and password you can specify this under General Options once FSE is installed.)

11. Choose the Installation Location and click Next.

12. Choose the Programs Folder and click Next.

13. Review the Installation Options and click Next.

14. You may be asked if you want to restart Exchange Transport Service. If you want to restart this now click Next; if you want to restart this later click Skip.

15. If you choose to restart the service, click Next once the service has restarted.

16. You may be asked if you want to restart the Exchange Information Store service. If you want to restart this now click Next; if you want to restart this later click Skip.

17. If you choose to restart the service, click Next once the service has restarted.

18. Click Finish.

19. For a Client installation, select Client – Admin console only and click Next.

20. Choose the Installation Location and click Next.

21. Choose the Programs Folder and click Next.

22. Review the Installation Options and click Next.

23. Click Finish.


How to configure Microsoft Forefront Server for Exchange


Once you have installed FSE, you will need to configure the various settings to ensure that messages are processed as required for your business.

There are two ways to configure FSE. The first option is to use the Forefront Server Security Administrator (FSA), which allows you to configure each server running FSE on an individual basis, using the tool locally or remotely. The other option is to use the Forefront Server Security Management Console (FSSMC), which allows Forefront servers to be centrally administered (the Management Console is an additional product and is not included with FSE). For this reason, this section will focus on the FSA as the method used to configure FSE.

While the configuration information is stored in a number of different locations, the majority of the information is stored in a series of FDB files, which are located in the FSE installation directory. This information can also be stored in templates to allow settings to be copied across servers. The remainder of the information is stored in the registry. This information is usually server specific, and the majority of the settings can be modified through the FSA.

When you are running clustered mailbox servers you should ensure you connect FSA to the Exchange Virtual Machine. The one exception to this is if you need to release quarantined files from a passive node. In that case, you should connect FSA directly to the passive node. All configuration information is replicated between the active and passive nodes, ensuring that if a failover occurs the configuration information is available.

Settings

The Settings section allows you to configure the AV scanning options and server configuration for FSE along with the ability to create new configuration templates.

Throughout this section there will be up to three available Scan Jobs for which you can modify settings. The Scan Jobs available are dependent on the Exchange Roles installed on the server.

If the server is running the Edge Transport or Hub Transport role, the Transport Scan Job will be available. If the server is running the Mailbox role, the Real Time Scan Job and Manual Scan Job will be available. If you add roles to the server, you will need to re-run the FSE installer for the relevant Scan Jobs to be made available. Scan Jobs are automatically removed if you remove a role.

Scan Job

The Scan Job section allows you to configure which messages and mailboxes will be processed by the jobs.

For each of the Scan Jobs, you can specify the deletion text that is used when an attachment is removed and replaced with a text file containing the specified text.

To allow for e-mail-specific information to be entered, there are a number of keyword substitution macros available.

Keyword substitution macros can be inserted by right-clicking in the Edit Text field and selecting Paste Keyword, and then selecting the Macro to insert.

Transport Scan Job

The Transport Scan Job is used to process messages on servers running the Edge or Hub Transport roles. This can be configured to process inbound, outbound and/or internal e-mail. The option to scan internal messages is available on servers running the Edge role, even though internal mail should not reach the Edge.

The other configurable option is the tag text, which is used when keyword filtering is enabled for the Scan Job. Tag text allows for a subject line text and header tag text to be specified. These are applied to an e-mail when it triggers a keyword match, and the action is set to tag the message.

Real Time and Manual Scan Jobs

The Real Time and Manual Scan Jobs are used to process messages on the servers running the Mailbox role. These will process messages that have not previously been scanned. This is particularly important for messages that do not pass through a Hub Transport server, including messages in Sent Items, public folder posts, and calendar messages.

The real time scan processes messages as they are accessed by a client; this is also known as an on-access scan. By default, this will only process messages that have never been scanned before and are within a certain time range. In the first release of FSE this range is the previous 24 hours, but it can be changed. If you are running FSE for Exchange 2007 Service Pack 1, the range is fixed and covers every day since FSE was installed. Settings specified for the real time scan are also used for the background scans.

The manual scan can either be run on a manual basis or on a schedule. This is usually used to scan specific mailboxes or to clean up a mail server after a virus outbreak.

For both of these scans you can configure which mailboxes and public folders are scanned. There are three available options for each:

All: Scans all current and future mailboxes or public folders

None: Does not scan any mailboxes or public folders

Selected: Scans only the selected mailboxes or public folders

If you select Selected you will need to select which mailboxes or public folders to scan:

1. Select Selected.

2. Click on the Mailbox or Public Folder icon.

3. Check the mailboxes or public folders you want to scan; you can select an entire store. If you select a store, then only current mailboxes will be included. Any new mailboxes will need to be added as required.


4. Click on the Back Arrow to exit the Selection List.

5. Click OK to save the changes.

It is recommended that you leave the real time scan set to “All” as this will ensure that messages that have not been scanned are scanned to ensure they do not contain viruses.

Summary

With the increasing number of viruses being circulated through e-mail, it is becoming more important to ensure that your Exchange infrastructure is fully protected against viruses and other threats to your infrastructure.

FSE allows you to virus scan messages as they transit through your Exchange infrastructure and when they are in the user’s mailbox, ensuring that your infrastructure remains virus free. In addition to virus scanning, you can also apply filters, which allow you to proactively protect against unwanted attachments, along with checking the contents of messages.

When you are considering deploying FSE, you should carefully plan your deployment to ensure that you do not adversely affect the performance of your Exchange servers and that you do not accidentally delete legitimate messages.

When you start to deploy FSE, you should do this out of hours and start with the Edge Transport servers first, followed by the Hub Transport servers and then the Mailbox servers. This helps to ensure that you do not introduce any new viruses to your infrastructure once you have started your deployment.

In order to effectively manage FSE across your entire Exchange deployment, you should consider using FSSMC, which allows you to centrally manage the configuration and the quarantine databases.

When deploying security products, it is possible to over-engineer their design and deployment. This can often cause unforeseen issues and a level of complexity that is not always necessary. Your initial deployment should provide the basics for what you require. You should then add additional scanning and filtering as required while ensuring that you do not overload your infrastructure, and that the end user’s experience is not adversely affected.


Automatic Proxy Detection Or Web Proxy Auto Discovery

Posted by Alin D on February 11, 2011

Using Web Proxy Auto Discovery (WPAD) is a simple and effective way to configure web browsers to use the ISA firewall as a proxy server. WPAD can be implemented using DNS or DHCP, with DNS being the more common of the two. For WPAD using DNS, configuration is simple and straightforward; all that is required is that you configure a host record in DNS called WPAD that resolves to the IP address of your ISA firewall’s internal network interface.


On the ISA firewall, enable the ‘Publish automatic discovery information for this network’ option on the ‘Auto Discovery’ tab for the Internal network.


For Internet Explorer, navigate to ‘Tools/Internet Options/Connections/LAN Settings’, select the option to ‘Automatically detect settings’, and your work is done!


Unfortunately this functionality can be easily leveraged for nefarious purposes. An attacker could create their own WPAD record (which can be accomplished simply if dynamic DNS is not configured correctly) and redirect traffic through a host that they control. From there they could have full view into all web-based communication between a client and an Internet-based remote host.

In order to address this security concern, Microsoft has made changes to the way DNS works beginning in Windows Server 2008. DNS in Windows Server 2008 now includes a feature called the global query block list. Essentially this is a list of names that the DNS server will not respond to if queried. By default this list includes two entries: WPAD and ISATAP. You can view this list by executing the following command from an elevated command prompt:

dnscmd /info /globalqueryblocklist

If you are using Windows Server 2008 DNS and you wish to leverage DNS WPAD functionality you must instruct the DNS server to respond to these requests. Simply creating the DNS record by itself is not enough. On Windows Server 2008 you can configure WPAD by creating your DNS record as usual, then remove WPAD from the global query block list by executing the following command from an elevated command prompt:

dnscmd /config /globalqueryblocklist isatap

This command replaces the existing global query block list with only isatap. Remember to execute this command on each DNS server that is authoritative for your zone.

Although not recommended, you can also disable the global query block list functionality altogether by executing the following command from an elevated command prompt:

dnscmd /config /enableglobalqueryblocklist 0

Of course this functionality can be restored by executing the following command from an elevated command prompt:

dnscmd /config /enableglobalqueryblocklist 1

The global query block list functionality is also now included in security update MS09-008 for Windows Server 2003 DNS and WINS servers. This means that everything we’ve discussed here applies to Windows Server 2003 DNS servers with the MS09-008 update installed, with the exception of how the block list is configured. With Windows Server 2003 DNS and the MS09-008 update, management of the global query block list is done through the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

If you have already configured a WPAD record in DNS, the good news is that if you perform an in-place upgrade to Windows Server 2008, WPAD functionality will not be disabled. The same holds true if you install the security update for MS09-008. Any existing functionality will remain if it was in place prior to the upgrade or update. For additional information on the MS09-008 security update, read this blog post by the Microsoft Security Research and Defense team.
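As an added example (not part of the original post), the PowerShell below audits the WPAD exposure described above from the defender’s side: it reads the global query block list with the same dnscmd command the post uses, resolves wpad.<domain>, and reports whether the answer is the proxy you expect. The domain, the expected ISA internal address and the assumption that dnscmd prints one block-list entry per line are placeholders and assumptions for this example.

```powershell
# Added example: audit whether WPAD is blocked by the DNS global query block list
# and, if it resolves, whether it points at the proxy you actually deployed.
param(
    [string]$Domain = 'corp.example',           # constructed placeholder: your AD DNS domain
    [string]$ExpectedProxyIp = '192.0.2.10',    # constructed placeholder: ISA internal interface
    [string]$DnsServer = ''                     # empty = the local server (dnscmd default)
)

function Get-GlobalQueryBlockList {
    # Runs "dnscmd [server] /info /globalqueryblocklist" and returns the blocked names
    # in lower case. Assumption: each entry appears as a whole word on its own output line.
    param([string]$Server)
    $cmdArgs = @()
    if ($Server) { $cmdArgs += $Server }
    $out = & dnscmd @cmdArgs /info /globalqueryblocklist 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed: $($out -join ' ')" }
    $names = @()
    foreach ($line in $out) {
        # keep only lines that are a single token (the entry itself, optionally labelled)
        if ("$line" -match '(?i)^\s*(?:\w+:\s*)?([a-z0-9-]+)\s*$') { $names += $Matches[1].ToLowerInvariant() }
    }
    return $names
}

function Test-WpadExposure {
    # Resolves wpad.<domain> and classifies the result against the block list and the
    # address the proxy is expected to have.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedProxyIp,
        [string[]]$BlockList = @()
    )
    $name = "wpad.$Domain"
    $blocked = $BlockList -contains 'wpad'
    $addrs = @()
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $addrs = @()   # NXDOMAIN or a blocked query both end up here
    }
    if ($addrs.Count -eq 0) {
        $status = if ($blocked) { 'OK: wpad is in the block list and does not resolve' }
                  else          { 'OK: wpad does not resolve (no record published)' }
    } elseif ($blocked) {
        $status = 'WARNING: wpad is in the block list yet still resolves; check other DNS servers and the hosts file'
    } elseif ($addrs.Count -eq 1 -and $addrs[0] -eq $ExpectedProxyIp) {
        $status = 'OK: wpad resolves only to the expected proxy'
    } else {
        $status = 'ALERT: wpad resolves to an address that is not the expected proxy; investigate the record'
    }
    [pscustomobject]@{
        Name         = $name
        BlockedByDns = $blocked
        ResolvedTo   = ($addrs -join ',')
        Status       = $status
    }
}

$blockList = Get-GlobalQueryBlockList -Server $DnsServer
Test-WpadExposure -Domain $Domain -ExpectedProxyIp $ExpectedProxyIp -BlockList $blockList
```

Run it on each DNS server that is authoritative for the zone, since the post notes the block list is configured per server; an ALERT line is the condition a rogue WPAD registration would produce.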

Active Directory Rights Management Services (AD RMS)

Posted by Alin D on January 19, 2011

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.

Introduction

Your organization’s overall security strategy must incorporate methods for maintaining the security, protection, and validity of company data and information. This includes not only controlling access to the data, but also how the data is used and distributed to both internal and external users. Your strategy may also include methods to ensure that the data is tamper-resistant and that only the most current information is valid, based on the expiration of outdated or time-sensitive information.
AD RMS enhances your organization’s existing security strategy by applying persistent usage policies to digital information. A usage policy specifies trusted entities, such as individuals, groups of users, computers, or applications. These entities are only permitted to use the information as specified by the rights and conditions configured within the policy. Rights can include permissions to perform tasks such as read, copy/paste, print, save, forward, and edit. Rights may also be accompanied by conditions, such as when the usage policy expires for a specific entity. Usage policies remain with the protected data at all times to protect information stored within your organization’s intranet, as well as information sent externally via e-mail or transported on a mobile device.

AD RMS Features

An AD RMS solution is typically deployed throughout the organization with the goal of protecting sensitive information from being distributed to unauthorized users. The addition of AD RMS–enabled client applications such as the 2007 Office system or AD RMS–compatible server roles such as Exchange Server 2007 and Microsoft Office SharePoint Server 2007 provides an overall solution for the following uses:

Enforcing document rights

Every organization has documents that can be considered sensitive information. Using AD RMS, you can control who is able to view these sensitive files and prevent readers from accessing selected application functions, such as printing, saving, copying, and pasting. If a group of employees is collaborating on a document and frequently updating it, you can configure and apply a policy that includes an expiration date of document rights for each published draft. This helps to ensure that all involved parties are using only the latest information: the older versions will not open after they expire.

Protecting e-mail communication

Microsoft Office Outlook 2007 can use AD RMS to prevent an e-mail message from being accidentally or intentionally mishandled. When a user applies an AD RMS rights policy template to an e-mail message, numerous tasks can be disabled, such as forwarding the message, copying and pasting content, printing, and exporting the message.

Depending on your security requirements, you may have already implemented a number of technologies to secure digital content. Technologies such as Access Control Lists (ACLs), Secure Multipurpose Internet Mail Extensions (S/MIME), or the Encrypted File System (EFS) can all be used to help secure e-mail and company documents. However, AD RMS still provides additional benefits and features in protecting the confidentiality and use of the data stored within the documents.

Active Directory Rights Management Services Components

The implementation of an AD RMS solution consists of several components, some of which are optional. The size of your organization, scalability requirements, and data sharing requirements all affect the complexity of your specific configuration.

Figure 1

AD RMS Root Cluster

The AD RMS root cluster is the primary component of an RMS deployment and is used to manage all certification and licensing requests for clients. There can be only one root cluster in each Active Directory forest, and it contains at least one Windows Server 2008 server that runs the AD RMS server role. You can add multiple servers to the cluster for redundancy and load balancing. During initial installation, the AD RMS root cluster performs an automatic enrollment that creates and signs a server licensor certificate (SLC). The SLC is used to grant the AD RMS server the ability to issue certificates and licenses to AD RMS clients. In previous versions of RMS, the SLC had to be signed by the Microsoft Enrollment Service over the Internet. This required Internet connectivity from either the RMS server or from another computer used for offline enrollment of the server. Windows Server 2008 AD RMS has removed the requirement to contact the Microsoft Enrollment Service: Windows Server 2008 includes a server self-enrollment certificate that is used to sign the SLC locally. This removes the previous requirement for an Internet connection to complete the RMS cluster enrollment process.

Web Services

Each server that is installed with the AD RMS server role also requires a number of Web-related server roles and features. The Web Server (IIS) server role is required to provide most of the AD RMS application services, such as licensing and certification. These IIS-based services are called application pipelines. The Windows Process Activation Service and Message Queuing features are also required for AD RMS functionality. The Windows Process Activation Service is used to provide access to IIS features from any application that hosts Windows Communication Foundation services. Message Queuing provides guaranteed message delivery between the AD RMS server and the SQL Server database. All transactions are first written to the message queue and then transferred to the database. If connectivity to the database is lost, the transaction information will be queued until connectivity resumes.
During the installation of the AD RMS server role, you specify the Web site on which the AD RMS virtual directory will be set up. You also provide the address used to enable clients to communicate with the cluster over the internal network. You can specify an unencrypted URL, or you can use an SSL certificate to provide SSL-encrypted connections to the cluster.

Licensing-only Clusters

A licensing-only cluster is optional and is not part of the root cluster; however, it relies on the root cluster for certification and other services (it cannot provide account certification services on its own). The licensing-only cluster is used to provide both publishing licenses and use licenses to users. A licensing-only cluster can contain a single server, or you can add multiple servers to provide redundancy and load balancing. Licensing-only clusters are typically deployed to address specific licensing requirements, such as supporting the unique rights management requirements of a department or supporting rights management for external business partners as part of an extranet scenario.

Database Services

AD RMS requires a database to store configuration information, such as configuration settings, templates, user keys, and server keys. Logging information is also stored within the database. SQL Server is also used to keep a cache of expanded group memberships obtained from Active Directory to determine if a specific user is a member of a group. For production environments, it is recommended that you use a database server such as SQL Server 2005 or later. For test environments, you can use an internal database that is provided with Windows Server 2008; however, the internal database only supports a single-server root cluster.

How AD RMS Works

Server and client components of an AD RMS solution use various types of eXtensible rights Markup Language (XrML)–based certificates and licenses to ensure trusted connections and protected content. XrML is an industry standard that is used to provide rights that are linked to the use and protection of digital information. Rights are expressed in an XrML license attached to the information that is to be protected. The XrML license defines how the information owner wants that information to be used, protected, and distributed.

AD RMS Deployment Scenarios

To meet specific organizational requirements, AD RMS can be deployed in a number of different scenarios. Each of these scenarios offers unique considerations to ensure a secure and effective rights-management solution. These are some possible deployment scenarios:

■ Providing AD RMS for the corporate intranet
■ Providing AD RMS to users over the Internet
■ Integrating AD RMS with Active Directory Federation Services

Deploying AD RMS within the Corporate Intranet

A typical AD RMS installation takes place in a single Active Directory forest. However, there may be other specific situations that require additional consideration. For example, you may need to provide rights-management services to users throughout a large enterprise with multiple branch offices. For scalability and performance reasons, you might choose to implement licensing-only clusters within these branch offices. You may also have to deploy an AD RMS solution for an organization that has multiple Active Directory forests. Since each forest can only contain a single root cluster, you will have to determine appropriate trust policies and AD RMS configuration between both forests. This will effectively allow users from both forests to publish and consume rights-managed content.

Deploying AD RMS to Users over the Internet

Most organizations have to support a mobile computing workforce, which consists of users that connect to organizational resources from remote locations over the Internet. To ensure that mobile users can perform rights-management tasks, you have to determine how to provide external access to the AD RMS infrastructure. One method is to place a licensing-only server within your organization’s perimeter network. This will allow external users to obtain use and publishing licenses for protecting or viewing information. Another common solution is to use a reverse proxy server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish the extranet AD RMS cluster URL. The ISA server then handles all requests from the Internet to the AD RMS cluster and forwards them when necessary. This is a more secure and effective method, so it is typically recommended over placing licensing servers within the perimeter network.

Deploying AD RMS with Active Directory Federation Services

Windows Server 2008 includes the Active Directory Federation Services (AD FS) server role, which is used to provide trusted inter-organizational access and collaboration scenarios between two organizations. AD RMS can take advantage of the federated trust relationship as a basis for users from both organizations to obtain rights account certificates (RACs), use licenses, and publishing licenses. In order to install AD RMS support for AD FS, you will need to have already deployed an AD FS solution within your environment. This scenario is recommended if one organization has AD RMS and the other does not. If both have AD RMS, trust policies are typically recommended instead.

Configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)

Posted by Alin D on October 18, 2010

WPAD stands for Web Proxy Auto-Discovery Protocol. WPAD carries the proxy settings for clients: a Windows client uses the WPAD protocol to obtain proxy information from a DHCP or DNS server. The client queries for the WPAD entry and receives the address of the WPAD server on which Wpad.dat or Wspad.dat is stored. The WPAD server can be a Forefront TMG server or a separate IIS server hosting the Wpad.dat or Wspad.dat URL. Configuring a WPAD server is fairly simple, as described in the following steps:

  1. Select and configure an automatic discovery mechanism.
  2. Implement a WPAD server with DNS, or implement a WPAD server with DHCP.
  3. Configure automatic discovery through Group Policy for Windows client computers.

What is in the Wpad.dat and Wspad.dat files? The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:

  • The proxy server that should be used for client requests.
  • Domains and IP addresses that should be accessed directly, bypassing the proxy.
  • An alternate route in case the proxy is not available.
  • On TMG Enterprise Edition, Wpad.dat also provides a list of all servers in the array.

The TMG Server WSPAD implementation uses the WPAD mechanism and constructs the Wspad.dat file to provide the client with proxy settings, plus some additional Firewall client configuration information that is not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port.
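To make the four kinds of content listed above concrete, here is an added example (not from the original post, and not TMG's own generator) that builds a Wpad.dat PAC script from a proxy list, a direct-access list, and a fallback route. The proxy names, domain and subnet are constructed placeholders; the helper functions called in the generated script (isPlainHostName, dnsDomainIs, isInNet, dnsResolve) are the standard PAC functions every browser provides.

```powershell
# Added example, not part of the original post. Generates a Wpad.dat (PAC)
# script containing what the post lists: the proxy to use, the domains and
# addresses reached directly, a fallback route if the proxy is down, and,
# for an array, the list of array members. Proxy host names, the domain and
# the subnet used in the usage call are constructed placeholders.
function New-WpadPacContent {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyServer,   # 'host:port' per array member
        [string[]] $DirectDomain = @(),                   # e.g. '.corp.example'
        [string[]] $DirectSubnet = @(),                   # e.g. '10.0.0.0/255.0.0.0'
        [switch]   $DirectIfProxyDown                     # append DIRECT as the last resort
    )
    # Chain the array members so the browser tries the next one if one fails.
    $proxyChain = ($ProxyServer | ForEach-Object { "PROXY $_" }) -join '; '
    if ($DirectIfProxyDown) { $proxyChain += '; DIRECT' }

    # Bypass rules: plain (unqualified) names, listed domains, listed subnets.
    $domainChecks = @($DirectDomain | ForEach-Object { "        dnsDomainIs(host, `"$_`")" })
    $subnetChecks = @($DirectSubnet | ForEach-Object {
        $net, $mask = $_ -split '/'
        "        isInNet(dnsResolve(host), `"$net`", `"$mask`")"
    })
    $bypassExpr = (@('        isPlainHostName(host)') + $domainChecks + $subnetChecks) -join " ||`n"

    # The here-string below is the JScript the browser will execute.
@"
// Generated PAC file. Serve it as wpad.dat (lowercase) with MIME type
// application/x-ns-proxy-autoconfig.
function FindProxyForURL(url, host) {
    // Intranet names and addresses bypass the proxy.
    if (
$bypassExpr
    ) {
        return "DIRECT";
    }
    return "$proxyChain";
}
"@
}

# Constructed usage: two array members, one internal domain, one internal subnet.
$pac = New-WpadPacContent -ProxyServer 'tmg1.corp.example:8080', 'tmg2.corp.example:8080' `
                          -DirectDomain '.corp.example' -DirectSubnet '10.0.0.0/255.0.0.0' `
                          -DirectIfProxyDown
# ASCII, no BOM: some browsers reject a PAC file that starts with a byte-order mark.
Set-Content -Path '.\wpad.dat' -Value $pac -Encoding Ascii
```

Place the generated file at the URL clients derive (the DHCP option 252 string, or http://wpad.<domain>/wpad.dat on port 80 for DNS delivery) and keep the file name lowercase, as the post notes. This replaces only Wpad.dat; Wspad.dat for Firewall clients is still produced by the TMG server.
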

Configure WPAD Entry in an authoritative DHCP Server:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.
  2. In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.
  3. In Name, type WPAD. In Code, type 252. In Data type, select String, and then click OK.
  4. In String, type http://Computer_Name:Port/wpad.dat where Port is the port number on which automatic discovery information is published. You can specify any port number. By default, Forefront TMG publishes automatic discovery information on port 8080. Ensure that you use lowercase letters when typing wpad.dat: Forefront TMG uses wpad.dat and treats the name as case sensitive.
  5. Right-click Scope Options, and then click Configure Options. Confirm that option 252 is selected.

Note: Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name. You can use port 8080 if you are using DHCP to deliver WPAD. Most organizations already use port 80 for many web applications or for the primary web site. My preferred method is to deliver WPAD using DHCP.

Configuring WPAD Entry in Active Directory DNS (AD DS):

  1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
  2. In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).
  3. In Alias name, type WPAD.
  4. In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.

Note: If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. Do NOT configure a CNAME entry in AD DS if you are using DHCP to deliver WPAD.

Important! Use only one delivery method: either DNS or DHCP, never both.
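
The two console procedures above, DHCP option 252 and the DNS CNAME, as an added PowerShell example (not from the original post, and not TMG tooling). It uses the DhcpServer and DnsServer modules that ship with Windows Server 2012 and later and with RSAT, so it assumes you manage the servers from such a machine; the server names, scope and zone are constructed placeholders. As the post says, run only one of the two functions for a given client population.

```powershell
# Added example, not part of the original post. Publishes the WPAD location
# either through DHCP option 252 or through a DNS CNAME, using the DhcpServer
# and DnsServer PowerShell modules (Windows Server 2012+ / RSAT). Server,
# scope and zone names are constructed placeholders. Use ONE of the two.

function Set-WpadViaDhcp {
    param(
        [Parameter(Mandatory)] [string] $DhcpServer,
        [Parameter(Mandatory)] [string] $ScopeId,      # e.g. '10.10.0.0'
        [Parameter(Mandatory)] [string] $WpadHost,     # e.g. 'tmg1.corp.example'
        [int] $Port = 8080                             # TMG publishes on 8080 by default
    )
    # Lowercase file name: TMG matches it case-sensitively, as the post notes.
    $url = "http://${WpadHost}:${Port}/wpad.dat"

    # Define option 252 (type String, name WPAD) once per server if it is missing.
    $def = Get-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 252 -ErrorAction SilentlyContinue
    if (-not $def) {
        Add-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 252 -Name 'WPAD' `
            -Type String -Description 'Web Proxy Auto-Discovery URL'
    }
    # Publish the URL in the scope, then read back exactly what clients will receive.
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 252 -Value $url
    (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 252).Value
}

function Set-WpadViaDns {
    param(
        [Parameter(Mandatory)] [string] $DnsServer,
        [Parameter(Mandatory)] [string] $ZoneName,     # e.g. 'corp.example'
        [Parameter(Mandatory)] [string] $WpadHost      # FQDN of the WPAD server, listening on port 80
    )
    # Create the alias only if it does not already exist.
    $rr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name 'wpad' `
            -RRType CName -ErrorAction SilentlyContinue
    if (-not $rr) {
        Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ZoneName -Name 'wpad' -HostNameAlias $WpadHost
        $rr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name 'wpad' -RRType CName
    }
    # The record alone is not enough: 'wpad' must also be absent from the global
    # query block list (see the block list section earlier on this page),
    # otherwise the server silently refuses to answer for it.
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    if ($gqbl.List -contains 'wpad') {
        Write-Warning "$DnsServer still lists 'wpad' in its global query block list; clients will not resolve this alias."
    }
    $rr
}

# Constructed usage. Pick one:
# Set-WpadViaDhcp -DhcpServer 'dhcp1.corp.example' -ScopeId '10.10.0.0' -WpadHost 'tmg1.corp.example'
# Set-WpadViaDns  -DnsServer  'dns1.corp.example'  -ZoneName 'corp.example' -WpadHost 'tmg1.corp.example'
```

The DHCP function returns the option 252 string as the scope now serves it; the DNS function returns the CNAME record and warns if the server's block list would still suppress it, which is the most common reason a freshly created wpad alias "does not work".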

Configuring TMG Server as the WPAD Server: You can configure Forefront TMG as the WPAD server as follows.

  1. In the console tree of Forefront TMG Management, click Networking. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).
  2. On the Tasks tab, click Edit Selected Network.
  3. On the Auto Discovery tab, select Publish automatic discovery information.
  4. In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.
  5. On the Forefront TMG Client tab, check Enable Forefront TMG Client support for this network. By default the TMG server name is selected here; on TMG Enterprise Edition you can select any array member hosting WPAD. Check Automatically detect settings, check Use automatic configuration script, and check Use a Web proxy server. For the configuration script you may select one of the following:

  • Use default URL. Forefront TMG provides a default configuration script at the location http://FQDN:8080/array.dll?Get.Routing.Script, where the FQDN is that of the Forefront TMG computer. This script contains the settings specified on the Web Browser tab of the network properties.
  • Use custom URL. As an alternative to the default script, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When the client Web browser looks for the script at the specified URL, the Web server receives the request and returns the custom script to the client.

  6. Click Apply, and then click OK.

To run the AD Marker tool for automatic detection: Use this tool if you use Active Directory as the delivery mechanism.

To store the marker key in Active Directory, at the command prompt, type:

TmgAdConfig.exe add -default -type winsock -url <service-url> [-f] where:

The service-url entry should be in the format http://<TMG Server Name>:8080/wspad.dat.

The following parameters can be used in the commands:

To delete a key from Active Directory, at a command line prompt, type: TmgAdConfig.exe del -default -type winsock

To configure the Active Directory marker for a specific site, use the -site command line parameter.

For a complete list of options, type TmgAdConfig.exe -?

For detailed usage information, type TmgAdConfig.exe <command> -help

The TmgAdConfig tool creates the following service connection point object in Active Directory: LDAP://Configuration/Services/Internet Gateway(“Container”)/Winsock Proxy(“ServiceConnectionPoint”)

The object’s service binding information will be set to <service-url>. This object will be retrieved by the Forefront TMG Client and used to download the wspad configuration file.
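Because Firewall clients trust this marker to find their wspad.dat, it is worth reading it back after running TmgAdConfig and periodically afterwards to confirm it still points where you intended. The following PowerShell is an added example, not part of the original post or of the TMG tooling. The distinguished name is an assumption derived from the path the post gives (Configuration / Services / Internet Gateway / Winsock Proxy), and the expected URL is a constructed placeholder.

```powershell
# Added example, not part of the original post. Reads back the Active
# Directory marker that TmgAdConfig.exe writes and checks that its binding
# still equals the URL you intended. The DN is an assumption derived from the
# path the post gives (Configuration/Services/Internet Gateway/Winsock Proxy);
# the expected URL in the usage call is a constructed placeholder.
function Test-TmgAdMarker {
    param(
        [Parameter(Mandatory)] [string] $ExpectedUrl   # e.g. 'http://tmg1.corp.example:8080/wspad.dat'
    )
    # Locate the forest's Configuration partition via RootDSE.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $markerDn = "LDAP://CN=Winsock Proxy,CN=Internet Gateway,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($markerDn)) {
        return [pscustomobject]@{ Found = $false; Bindings = @(); Matches = $false; Dn = $markerDn }
    }

    $marker = [ADSI]$markerDn
    # serviceBindingInformation is the SCP attribute TmgAdConfig sets to <service-url>.
    $bindings = @(@($marker.Properties['serviceBindingInformation'].Value) | Where-Object { $_ })

    # Exactly one binding, compared case-sensitively: TMG treats the file name
    # case-sensitively, so 'WSPAD.DAT' would be a real misconfiguration.
    $ok = ($bindings.Count -eq 1) -and ($bindings[0] -ceq $ExpectedUrl)

    [pscustomobject]@{
        Found    = $true
        Bindings = $bindings
        Matches  = $ok
        Dn       = $markerDn
    }
}

# Constructed usage.
Test-TmgAdMarker -ExpectedUrl 'http://tmg1.corp.example:8080/wspad.dat'
```

Found false means the marker has not been written (or was deleted with TmgAdConfig.exe del); Matches false with Found true means the binding differs from what you deployed, so compare the Bindings field against your change record before Firewall clients pick it up.
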

Configuring an Alternative WPAD Server: An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the TMG Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide WPAD and WSPAD information to clients. The simplest way to download the Wpad.dat and Wspad.dat files is to connect to the TMG Server computer through a Web browser and obtain the files from the following URLs:

Configuring Internet Explorer for Automatic Discovery on a single computer: Configure WPAD automatic detection for the DHCP delivery method as follows:

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Automatically detect settings.

Enabling browsers for automatic detection using a static/custom configuration script

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Use automatic configuration script. Enter the script location as http://fqdnserver:port/array.dll?Get.Routing.Script, where fqdnserver is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients through Group Policy.

To export the settings from your computer to an .ins file using IEM

  1. In Group Policy, double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.
  2. Right-click Internet Explorer Maintenance, and then click Export Browser Settings.
  3. Enter the location and name of the .ins file that you want to use.
  4. Copy this WPAD.INS file and host it on a separate IIS server.

Configure Automatic Detection through GPO for entire Windows fleet

  1. Log on to a domain controller as an administrator.
  2. Open the Group Policy Management Console, select the desired Organizational Unit, right-click it, and click Create a GPO in this domain, and Link it here.
  3. Type the name of the GPO, and click OK.
  4. Right-click the newly created GPO and click Edit.
  5. In the GPO editor, expand User Configuration > Windows Settings > Internet Explorer Maintenance > Connections, and double-click Automatic Browser Configuration.
  6. If you decide to use DHCP as the WPAD.dat delivery method, check Automatically Detect Configuration Settings.
  7. If you decide to use the default routing script from the TMG server, use the corresponding option in the same dialog.
  8. If you want to deliver wpad.dat through a DNS server, use the corresponding option in the same dialog.
  9. For WPAD.INS deployment, use the corresponding option in the same dialog.
  10. In Automatically configure every N minutes, set the refresh interval, or type 0 (zero) to update the configuration only after a restart.

Testing Automatic Detection

To test the DHCP delivery method, log on to a client machine, open IE8, and set the IE proxy settings to Automatically detect settings.

Run GPUPDATE.exe /Force and reboot the computer.

Browse any website to test that the proxy is detected by the browser.

For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the Web browser:

For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is available on a TMG Server computer, type the following:

To test that the automatic configuration script is being retrieved as expected, type the following in the Web browser:
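The browser test above can be scripted so that the same check runs from any client segment. The following PowerShell is an added example, not from the original post: it walks the detection chain (resolve the wpad alias for the client's DNS suffix, or take the URL that DHCP option 252 handed out; fetch wpad.dat; confirm the body is a PAC script). Host names are constructed placeholders, and the function assumes the DnsClient module and Invoke-WebRequest, that is Windows 8 / PowerShell 3 or later.

```powershell
# Added example, not part of the original post. Client-side check of the
# automatic detection chain the post says to test. Names in the usage calls
# are constructed placeholders; Resolve-DnsName, Get-DnsClientGlobalSetting
# and Invoke-WebRequest require Windows 8 / PowerShell 3 or later.
function Test-WpadDetection {
    param(
        [string] $DnsSuffix,   # defaults to the first entry of the client's suffix search list
        [string] $DhcpUrl      # the option 252 string, if you are testing DHCP delivery
    )
    $r = [ordered]@{ Method = $null; Url = $null; ResolvedTo = $null; HttpStatus = $null; IsPac = $false }

    if ($DhcpUrl) {
        $r.Method = 'DHCP'
        $r.Url    = $DhcpUrl
    } else {
        # DNS delivery: the browser asks for wpad.<suffix> and uses port 80.
        if (-not $DnsSuffix) {
            $DnsSuffix = (Get-DnsClientGlobalSetting).SuffixSearchList | Select-Object -First 1
        }
        $r.Method = 'DNS'
        $name = "wpad.$DnsSuffix"
        $rr = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
        if (-not $rr) { return [pscustomobject]$r }   # no answer: record missing or still block-listed
        $r.ResolvedTo = ($rr | Where-Object { $_.Type -eq 'CNAME' }).NameHost
        $r.Url = "http://$name/wpad.dat"
    }

    try {
        $resp = Invoke-WebRequest -Uri $r.Url -UseBasicParsing -TimeoutSec 10
        $r.HttpStatus = $resp.StatusCode
        # A genuine PAC script defines FindProxyForURL; anything else means the
        # wrong file is being served (for example the wrong case in the name).
        $r.IsPac = [bool]($resp.Content -match 'function\s+FindProxyForURL')
    } catch {
        $r.HttpStatus = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Constructed usage: DNS delivery for the logged-on client's own suffix, then
# DHCP delivery with the option 252 value copied from the DHCP console.
Test-WpadDetection
Test-WpadDetection -DhcpUrl 'http://tmg1.corp.example:8080/wpad.dat'
```

ResolvedTo should name your TMG server or the alternative IIS host you set up; anything else answering for wpad is the situation the global query block list exists to prevent and should be investigated. IsPac false with a 200 status usually means a case mismatch in the file name or a wrong file at that path.
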

Chrome makes play for minds and hearts of administrators

Posted by Alin D on October 7, 2010

Google celebrated the two-year anniversary of its Chrome web browser this month by making some changes to it designed to encourage administrators to cast a more approving eye on the software.

Generally, administrators are a tough lot when it comes to change. Their plates are usually full and it takes a compelling sell to persuade them to desert the status quo. If Microsoft has difficulties weaning many administrators from Internet Explorer 6, with its horrendous security record, to a safer version of the software, how does Google expect to induce administrators to bolt to an entirely new web browser?

One way, it appears, is to give administrators greater control over how Chrome behaves. For example, it allows administrators to cut off a feature that allows the browser to automatically update itself. Automatic updates are convenient for users. They can fix annoying problems that can have dire consequences for a computer’s operation or its data. More important, they can plug security holes in a program.

The problem for administrators, however, is that they can create unforeseen snags on a user’s system or even open up new security holes. If an administrator can evaluate the update before it’s implemented, he or she can prevent those problems from developing. Automatic updates can preempt such an evaluation and spread those potential hassles throughout an organization’s system like a virus. In addition, updates can give hackers an entry point into a network. Once a system’s defense systems are trained to accept automatic updates, they will ignore programs that behave like updates–even if those programs are malware written by hackers. What’s more, crackers can intercept requests for updates–through techniques like DNS hacking–and install older updates that will re-open old software flaws.

To turn off automatic updates for Chrome, Google recommends that the value of the following Windows registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes, be set to a REG_SZ (string) value of "0".

As part of Chrome’s new administrator-friendly attitude, registry changes need not be made manually but can be made with easy-to-use templates.

If an administrator does choose to turn off automatic updates, Google cautions him or her to keep in mind that such action means his or her organization will not receive the latest security updates for the browser.

Administrators can now also change the policies that Chrome respects. They include:

  • Setting the browser’s home page.
  • Determining if a new tab is created when the home page button is clicked in the browser.
  • Enabling or disabling safe browser mode.
  • Determining if error pages will appear in the browser.
  • Activating or deactivating Google Suggest, which recommends a completed URL for a partially typed in URL in the browser’s address field.
  • Determining if anonymous statistics reporting and crash information should be reported back to Google.
  • Enabling or disabling DNS prefetching.
  • Enabling or disabling online saving of bookmarks or other profile information through synchronization.
  • Determining the manner in which Chrome determines the proxy server in use.
  • Specifying the URL of the proxy server in use when a specified proxy configuration has been created manually.
  • Specifying the URL of the .pac file to use when the specified proxy configuration is created manually.
  • Creating a list of exceptions for when not to use a proxy.
  • Overriding a system’s user interface language.
  • Creating a list of disabled plug-ins.

As extensive as that policy list is, there are a few omissions that administrators may like to see in the future, according to Lee Mathews, writing for DownloadSquad. “For example, while I can choose to disable certain plug-ins, there’s no switch to disallow extension installs,” he scribbled. “I’d also like to disable Chrome’s autofill feature, but it, too, is missing.”

Getting administrators to embrace Chrome could be a key to the browser’s success and the advancement of Google’s overall goals for the Internet. “Chrome has caught on among early adopters and has tens of millions of users,” opined Stephen Shankland in his DeepTech blog on Cnet. “Getting corporate buy-in could help the browser’s prospects, and with it Google’s ambition to make the Web a more powerful foundation for applications rather than just Web pages to visit.”

“Even with easier compatibility, though, corporate IT personnel are not known for their enthusiasm for embracing new software,” he added. “They’re often naturally conservative, since change can break internal applications, confuse users, and bring other complications. Letting administrators set Chrome behavior will, though, make it more palatable.”

How to configure Windows Server Update Services (WSUS) to use BranchCache

Posted by Alin D on September 24, 2010

What is BranchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content over the WAN.

How does BranchCache work? When a Windows 7 client in a branch office requests data such as WSUS content from a head office server, the server checks authentication and authorizes the data to be passed to the client. This ordinary exchange happens without BranchCache as well.

With BranchCache, the client uses the hashes in the content metadata to search for the file on the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not yet cached on the local network, so the client retrieves the file directly from the content server. The Hosted Cache server then connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server (the WSUS server), the content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server in the branch; this time, it does not retrieve the data from the DFS share in the head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using Server Manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discusses and shows how to configure WSUS to use BranchCache. The following are the steps involved in the head office and the branch offices.

Head Office:

  1. Install and configure back end SQL Server
  2. Create DFS share
  3. Install and configure front end WSUS Server
  4. Configure GPO for WSUS client

Branch Office:

  1. Install and configure Branchcache File Server
  2. Configure GPO for Branchcache
  3. Install and configure front end WSUS server
  4. Configure GPO for WSUS client

Installing BranchCache File Server

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Using Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Using the Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Setting the BranchCache support tag on a file share

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase="MY_PASSPHRASE", and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Client configuration using Group Policy

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.

   To use Hosted Cache mode instead, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Configuring a Branch WSUS server to use BranchCache

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update.

Install SQL Server 2005/2008 with Management Studio Express on the back-end computer and enable remote TCP/IP connections

  1. Click Start, point at All Programs, point at SQL Server 2005, point at Configuration Tools, and select SQL Server Surface Area Configuration. (Surface Area Configuration exists only in SQL Server 2005; on SQL Server 2008, enable the TCP/IP protocol for the instance under SQL Server Configuration Manager, SQL Server Network Configuration, instead.)
  2. Choose Surface Configuration for Services and Connections.
  3. In the left window, click the Remote Connections node.
  4. Select Local and remote connections and then select Using TCP/IP only.
  5. Click OK to save the settings.

To ensure administrative permissions on SQL Server

  1. Start SQL Server Management Studio (click Start, click Run, and then type sqlwb).
  2. Connect to the SQL Engine on the server where SQL Server 2005 was installed in Step 1.
  3. Select the Security node and then select Logins.
  4. The right pane will show a list of the accounts that have database access. Check that the person who is going to install WSUS 3.0 on the front-end computer has an account in this list.
  5. If the account does not exist, then right-click the Logins node, select New Login, and add the account.
  6. Set up this account with the roles needed to create the WSUS 3.0 database: either dbcreator plus diskadmin, or sysadmin. Prefer the two specific roles, because sysadmin gives the installing account full control of the whole SQL instance. Accounts belonging to the local Administrators group have the sysadmin role by default.

Install Branch WSUS Server

To install WSUS on the front-end computer

At the command prompt, navigate to the folder containing the WSUS Setup program, and type:

WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0

Here, server\instance is the name of the remote SQL server and the instance that holds the WSUS database. If you do not want a silent installation, omit the /q switch and follow the WSUS installation link.

Important! Microsoft recommends 1 GB of free space on the system partition and 30 GB for WSUS content. This minimum will cause trouble as the WSUS log, database log and content grow over the years, so I used 50 GB for the system partition and 100 GB for WSUS content on the DFS share.

To configure the proxy server on WSUS front-end servers

  1. In the WSUS administration console, select Options, then Update Source and Proxy Server.
  2. Select the Proxy Server tab, then enter the proxy server name, port, user name, domain, and password, then click OK.
  3. Repeat this procedure on all the front-end WSUS servers.

To specify where updates are stored

  1. In the left pane of the WSUS Administration console, click Options.
  2. In Update Files and Languages, click the Update Files tab.
  3. If you want to store updates in WSUS, select the Store update files locally on this server check box.

To specify whether updates are downloaded during synchronization or when the update is approved

  1. In the left pane of the WSUS Administration console, click Options.
  2. In Update Files and Languages, click the Update Files tab.
  3. If you want to download only metadata about the updates during synchronization, select the Download updates to this server only when updates are approved check box.

To specify language options

  1. In the left pane of the WSUS Administration console, click Options.
  2. In Update Files and Languages, click the Update Languages tab.
  3. In the Advanced Synchronization Options dialog box, under Languages, select one of the following language options, and then click OK.
  4. Select Download updates only in these languages: This means that only updates targeted to the languages you select will be downloaded during synchronization.

How to configure automatic updates by using Group Policy

Log on to a domain controller with administrative privileges. Open the Group Policy Management Console, select the organizational unit, right-click it and choose to create and link a new GPO, name it WSUS policy, then right-click it and choose Edit. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Update.

Now specify the client target group (Enable client-side targeting), the intranet update server location, i.e. http://servername:8530 (Specify intranet Microsoft update service location), the detection schedule (Automatic Updates detection frequency) and the installation schedule (Configure Automatic Updates).
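An added example (not from the original post) to confirm from a client that the policy has applied and points where you intended. The registry values are the ones the Windows Update policy settings write to; the server URL (the page's placeholder http://servername:8530), the target group name and the update option are assumptions to change for your environment.

```powershell
# Added example (not part of the original post): run on a client to check
# that the WSUS policy applied and targets the server you meant.
# Registry locations are the standard ones for the Windows Update policies;
# ExpectedServer / ExpectedGroup / ExpectedAUOption are assumptions to edit.

param(
    [string]$ExpectedServer  = 'http://servername:8530',
    [string]$ExpectedGroup   = 'Branch Clients',
    [int]$ExpectedAUOption   = 4     # 4 = auto download and schedule the install
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue ([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

$state = New-Object PSObject -Property @{
    WUServer             = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer       = Get-PolicyValue $wuKey 'WUStatusServer'
    TargetGroup          = Get-PolicyValue $wuKey 'TargetGroup'
    TargetGroupEnabled   = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    UseWUServer          = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate         = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions            = Get-PolicyValue $auKey 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1..7 = Sunday..Saturday
    ScheduledInstallTime = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour, 0..23
}
$state | Format-List

$problems = @()
if ($state.UseWUServer -ne 1) {
    $problems += 'UseWUServer is not 1: the client will use Microsoft Update, not your WSUS server.'
}
if (-not $state.WUServer) {
    $problems += 'WUServer is not set.'
} elseif ($state.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    $problems += "WUServer is '$($state.WUServer)', expected '$ExpectedServer'."
}
if ($state.WUStatusServer -and $state.WUStatusServer -ne $state.WUServer) {
    $problems += "WUStatusServer '$($state.WUStatusServer)' differs from WUServer: status reports go elsewhere."
}
if ($state.TargetGroupEnabled -ne 1 -or $state.TargetGroup -ne $ExpectedGroup) {
    $problems += "Client-side targeting: group='$($state.TargetGroup)', enabled=$($state.TargetGroupEnabled); expected '$ExpectedGroup'."
}
if ($state.NoAutoUpdate -eq 1) { $problems += 'NoAutoUpdate is 1: Automatic Updates is turned off.' }
if ($state.AUOptions -ne $ExpectedAUOption) {
    $problems += "AUOptions is '$($state.AUOptions)', expected $ExpectedAUOption (2 notify download, 3 auto download/notify install, 4 auto download/scheduled install, 5 user chooses)."
}
if ($state.WUServer -and $state.WUServer -notlike 'https://*') {
    $problems += 'WUServer uses plain HTTP; WSUS can be configured for SSL (default port 8531) if you want the update channel encrypted.'
}

if ($problems.Count -eq 0) {
    "OK: client uses $($state.WUServer), group '$($state.TargetGroup)', install day $($state.ScheduledInstallDay) at hour $($state.ScheduledInstallTime)."
} else {
    'Problems:'
    $problems | ForEach-Object { "  - $_" }
}
```

Run it after gpupdate /force on a test client in the target OU; an empty policy key usually means the GPO is linked to the wrong OU or is filtered out, not that the settings are wrong.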

To set up a DFS share

Note:This DFS share will be used by all front end WSUS servers.

  1. Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.
  2. You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.
  3. You will see the New Root Wizard. Click Next.
  4. In the Root Type screen, select Stand-alone root as the type of root, and click Next.
  5. In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.
  6. In the Root Name screen, type the name of the DFS root, and then click Next.
  7. In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.
  8. In the last screen of the wizard, review your selections before clicking Finish.
  9. You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.
  10. Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share.

Important! If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.

To configure IIS for remote access on the front-end WSUS servers

  1. On each of the servers,
    go to Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.
  2. You will see the Internet Information Services (IIS) Manager management console.
  3. Click the server node, then the Web Sites node, then the node for the WSUS Web site (either Default Web Site or WSUS Administration).
  4. Right-click the Content node and select Properties.
  5. In the Content Properties dialog box, click the Virtual Directory tab. In the top frame you will see The content for this resource should come from:
  6. Select A share located on another computer and fill in the UNC name of the share.
  7. Click Connect As, and enter the user name and password of an account that can read the share. Use a dedicated account that has only the permissions it needs on that share: IIS will use it for every request to the content directory.
  8. Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.

To move the content directories on the front-end WSUS servers

  1. Open a command window.
  2. Go to the WSUS tools directory on the WSUS server: cd "%ProgramFiles%\Update Services\Tools"
  3. Type the following command: wsusutil movecontent DFSsharename logfilename, where DFSsharename is the UNC path of the DFS share to which the content should be moved, and logfilename is the name of the log file.

To configure Network Load Balancing

1. Enable Network load balancing

  a) Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.
  b) Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.
  c) On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.

2. On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.

3. On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under Cluster operation mode, select Unicast.

4. On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.

5. On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)

6. Click OK, and return to the Local Area Connection Properties screen.

7. Select Internet Protocol (TCP/IP) and click Properties, and then click Advanced.

8. On the IP Settings tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

9. On the DNS tab, clear the Register this connection’s addresses in DNS checkbox. Make sure that there is no DNS entry for the IP address.

Posted in TUTORIALS

10 Core Concepts that Every Windows Network Admin Must Know

Posted by Alin D on September 13, 2010

Introduction

I thought that this article might be helpful for Windows network admins out there who need some “brush-up tips”, as well as for those interviewing for network admin jobs, so I came up with a list of 10 networking concepts that every network admin should know.

So, here is my list of 10 core networking concepts that every Windows Network Admin (or those interviewing for a job as one) must know:

1.     DNS Lookup

The Domain Name System (DNS) is a cornerstone of every network infrastructure. DNS maps names to IP addresses (forward lookups) and IP addresses to names (reverse lookups). So when you go to a web page like http://www.windowsnetworking.com, without DNS that name would not be resolved to an IP address and you would not see the web page. If DNS is not working, “nothing is working” for the end users.

DNS server IP addresses are either configured manually or received via DHCP. If you run IPCONFIG /ALL in Windows, you will see your PC’s DNS server IP addresses.


Figure 1: DNS Servers shown in IPCONFIG output

So, you should know what DNS is, how important it is, and that DNS servers must be configured correctly and be working for almost anything to work.

When you perform a ping, you can easily see that the domain name is resolved to an IP (shown in Figure 2).


Figure 2: DNS name resolved to an IP address

For more information on DNS servers, see Brian Posey’s article on DNS Servers.
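An added example, not part of the article: forward and reverse lookups done with the .NET resolver (it uses the same DNS servers that ipconfig /all lists), plus the check that the two directions agree. The host name at the bottom is simply the one the article uses.

```powershell
# Added example (not from the article): forward lookup, reverse lookup and a
# forward-confirmed reverse DNS check for each address. Uses the machine's
# configured DNS servers; the host name is the one the article mentions.

function Test-DnsRoundTrip {
    param([Parameter(Mandatory = $true)][string]$Name)

    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Name)      # forward: name -> addresses
    } catch {
        return New-Object PSObject -Property @{
            Name = $Name; Address = $null; ReverseName = $null; Consistent = $false
            Failure = $_.Exception.Message
        }
    }

    foreach ($address in $addresses) {
        $reverseName = $null
        $consistent  = $false
        $failure     = $null
        try {
            # reverse: address -> name (the PTR record)
            $reverseName = [System.Net.Dns]::GetHostEntry($address).HostName
            # forward-confirm: the PTR name must resolve back to this address;
            # whoever controls the reverse zone can otherwise claim any name.
            $back = [System.Net.Dns]::GetHostAddresses($reverseName) | ForEach-Object { $_.ToString() }
            $consistent = @($back) -contains $address.ToString()
        } catch {
            $failure = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Name = $Name; Address = $address.ToString(); ReverseName = $reverseName
            Consistent = $consistent; Failure = $failure
        }
    }
}

Test-DnsRoundTrip -Name 'www.windowsnetworking.com' |
    Format-Table Name, Address, ReverseName, Consistent, Failure -AutoSize
```

A missing PTR record is common and harmless for web sites; a PTR that points to a name which does not resolve back is the case to look at, because logs and access controls that key on the reverse name are trusting the reverse zone alone.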

2.     Ethernet & ARP

Ethernet is the protocol for your local area network (LAN). You have Ethernet network interface cards (NIC) connected to Ethernet cables, running to Ethernet switches which connect everything together. Without a “link light” on the NIC and the switch, nothing is going to work.

MAC addresses (or physical addresses) are 48-bit identifiers assigned to Ethernet devices, usually written as six hex pairs. ARP (Address Resolution Protocol) is the protocol that maps IP addresses to Ethernet MAC addresses. When you go to open a web page and get a successful DNS lookup, you know the IP address. If that address is on your own subnet, your computer then broadcasts an ARP request on the network to find out which computer (identified by its Ethernet MAC address, shown in Figure 1 as the Physical Address) has that IP address; if it is not, it ARPs for the MAC address of the default gateway instead. ARP has no authentication: any host on the segment can answer for an address it does not own, so the mapping in your ARP cache is only as trustworthy as the hosts on your LAN.

3.     IP Addressing and Subnetting

Every computer on a network must have a unique Layer 3 address called an IP address. An IPv4 address is 32 bits, written as four decimal numbers from 0 to 255 separated by periods, like 1.1.1.1.

Most computers receive their IP address, subnet mask, default gateway, and DNS servers from a DHCP server. Of course, to receive that information, your computer must first have network connectivity (a link light on the NIC and switch) and must be configured for DHCP.

You can see my computer’s IP address in Figure 1 where it says IPv4 Address 10.0.1.107. You can also see that I received it via DHCP where it says DHCP Enabled YES.

Larger blocks of IP addresses are broken down into smaller blocks of IP addresses, and this is called IP subnetting: the subnet mask (or prefix length, such as /24) says how many leading bits identify the network and how many are left over for hosts. I am not going to go into how to do it, and you do not need to know how to do it from memory either (unless you are sitting for a certification exam), because you can use an IP subnet calculator, downloaded from the Internet for free.

4.     Default Gateway

The default gateway, shown in Figure 3 as 10.0.1.1, is where your computer sends traffic for any computer that is not on your local LAN. That default gateway is your local router. A default gateway address is not required, but without one you would not be able to talk to computers outside your subnet (unless you reach them through a proxy server that is itself on your subnet).


Figure 3: Network Connection Details

5.     NAT and Private IP Addressing

Today, almost every LAN uses private IP addressing (based on RFC 1918) and then translates those private IPs to public IPs with NAT (network address translation). The private ranges defined in RFC 1918 are 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 192.168.0.0/16 (192.168.x.x).

In Figure 2, you can see that we are using private IP addresses because the IP starts with “10”. It is my integrated router/wireless/firewall/switch device that is performing NAT and translating my private IP to my public Internet IP that my router was assigned from my ISP.
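As an added example for sections 3 and 5 (not from the article), a subnet calculator and an RFC 1918 check in PowerShell. It does what a downloaded calculator does, on the 32-bit address directly, and goes slightly beyond the text by handling /31 and /32 blocks; the addresses used at the bottom are made-up sample values.

```powershell
# Added example (not from the article): IPv4 subnet calculator plus RFC 1918
# check. Plain 64-bit arithmetic on the address, no modules, PowerShell 2.0+.
# Sample addresses at the bottom are made up.

function ConvertTo-AddressNumber ([string]$Ip) {
    # Dotted quad -> 0..4294967295, kept in a long so nothing overflows.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$Ip is not an IPv4 address" }
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertTo-DottedQuad ([long]$Number) {
    $octets = @()
    foreach ($divisor in 16777216, 65536, 256, 1) {
        $octets += [int]([math]::Floor($Number / $divisor) % 256)
    }
    $octets -join '.'
}

function Get-SubnetInfo ([string]$Cidr) {
    # Accepts "address/prefix" (e.g. 10.0.1.107/24) and describes the block it is in.
    if ($Cidr -notmatch '^([^/\s]+)/(\d{1,2})$') { throw "Expected address/prefix, got '$Cidr'" }
    $address = $matches[1]
    $prefix  = [int]$matches[2]
    if ($prefix -gt 32) { throw 'Prefix length must be 0..32' }

    $hostBits  = 32 - $prefix
    $hostSpace = [long][math]::Pow(2, $hostBits)      # addresses in the block
    $mask      = 4294967295 - ($hostSpace - 1)        # leading $prefix bits set
    $number    = ConvertTo-AddressNumber $address
    $network   = $number - ($number % $hostSpace)     # clear the host bits
    $broadcast = $network + $hostSpace - 1

    # /31 and /32 have no separate network/broadcast addresses (RFC 3021).
    if ($hostBits -le 1) { $first = $network;     $last = $broadcast;     $hosts = $hostSpace }
    else                 { $first = $network + 1; $last = $broadcast - 1; $hosts = $hostSpace - 2 }

    New-Object PSObject -Property @{
        Input        = $Cidr
        Network      = ConvertTo-DottedQuad $network
        Mask         = ConvertTo-DottedQuad $mask
        Broadcast    = ConvertTo-DottedQuad $broadcast
        FirstHost    = ConvertTo-DottedQuad $first
        LastHost     = ConvertTo-DottedQuad $last
        HostCount    = $hosts
        NetworkNum   = $network
        BroadcastNum = $broadcast
    }
}

$Rfc1918Blocks = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

function Test-PrivateIPv4 ([string]$Ip) {
    $n = ConvertTo-AddressNumber $Ip
    foreach ($block in $Rfc1918Blocks) {
        $info = Get-SubnetInfo $block
        if ($n -ge $info.NetworkNum -and $n -le $info.BroadcastNum) { return $true }
    }
    return $false
}

# The article's own address, then a few made-up ones around the RFC 1918 edges.
Get-SubnetInfo '10.0.1.107/24' |
    Format-List Input, Network, Mask, Broadcast, FirstHost, LastHost, HostCount
foreach ($ip in '10.0.1.107', '172.31.255.1', '172.32.0.1', '192.168.1.1', '8.8.8.8') {
    '{0,-14} private={1}' -f $ip, (Test-PrivateIPv4 $ip)
}
```

For 10.0.1.107/24 the result is network 10.0.1.0, mask 255.255.255.0, broadcast 10.0.1.255, hosts 10.0.1.1 to 10.0.1.254 (254 of them); 172.31.255.1 is private and 172.32.0.1 is not, which is the boundary people most often get wrong when writing firewall rules by hand.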

6.     Firewalls

Firewalls protect your network from malicious attackers. You have software firewalls on your Windows PC or server, and hardware firewalls inside your router or in dedicated appliances. Think of a firewall as a traffic cop that enforces a policy: only the traffic you have explicitly allowed gets in, and everything else is dropped.

For more information on Firewalls, checkout our Firewall articles.

7.     LAN vs WAN

Your local area network (LAN) is usually contained within your building. It may or may not be just one IP subnet. Your LAN is connected by Ethernet switches and you do not need a router for the LAN to function. So, remember, your LAN is “local”.

Your wide area network (WAN) is a “big network” that your LAN is attached to. The Internet is a humongous global WAN. However, most large companies have their own private WAN. WANs span multiple cities, states, countries, and continents. WANs are connected by routers.

8.     Routers

Routers route traffic between different IP subnets and work at Layer 3 of the OSI model. Typically, routers route traffic from the LAN to the WAN but, in larger enterprises or campus environments, routers also route traffic between multiple IP subnets on the same large LAN.

On small home networks, you can have an integrated router that also offers firewall, multi-port switch, and wireless access point.

For more information on Routers, see Brian Posey’s Network Basics article on Routers.

9.     Switches

Switches work at layer 2 of the OSI model and connect all the devices on the LAN. Switches switch frames based on the destination MAC address for that frame. Switches come in all sizes from small home integrated router/switch/firewall/wireless devices, all the way to very large Cisco Catalyst 6500 series switches.

10. OSI Model encapsulation

One of the core networking concepts is the OSI Model. This is a theoretical model that defines how the various networking protocols, which work at different layers of the model, work together to accomplish communication across a network (like the Internet).

Unlike most of the other concepts above, the OSI model isn’t something that network admins use every day. The OSI model is for those seeking certifications like the Cisco CCNA or when taking some of the Microsoft networking certification tests. OR, if you have an over-zealous interviewer who really wants to quiz you.

For those who want to quiz you, here is the OSI model:

  • Application – layer 7 – any application using the network, examples include FTP and your web browser
  • Presentation – layer 6 – how the data sent is presented, examples include JPG graphics, ASCII, and XML
  • Session – layer 5 – for applications that keep track of sessions, examples are applications that use Remote Procedure Calls (RPC) like SQL and Exchange
  • Transport – layer 4 – provides reliable communication over the network to make sure that your data actually “gets there”, with TCP being the most common transport layer protocol
  • Network – layer 3 – takes care of addressing on the network, which helps to route the packets, with IP being the most common network layer protocol. Routers function at layer 3.
  • Data Link – layer 2 – transfers frames over the network using protocols like Ethernet and PPP. Switches function at layer 2.
  • Physical – layer 1 – controls the actual electrical signals sent over the network and includes cables, hubs, and actual network links.

At this point, let me stop downplaying the value of the OSI model because, even though it is theoretical, it is critical that network admins understand and are able to visualize how every piece of data on the network travels down, then back up, this model. At every layer, the data from the layer above is encapsulated by the layer below, which adds its own header (and, for Ethernet, a trailer); in reverse, as the data travels back up the stack, each layer strips its own header and hands the rest up, which is de-encapsulation.

By understanding this model and how the hardware and software fit together to make a network (like the Internet or your local LAN) work, you can much more efficiently troubleshoot any network. For more information on using the OSI model to troubleshoot a network, see my articles Choose a network troubleshooting methodology and How to use the OSI Model to Troubleshoot Networks.
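An added example, not from the article: one frame built layer by layer and then taken apart again, which is the encapsulation and de-encapsulation described above in concrete bytes. MACs, addresses, ports and the message are made-up sample values, and nothing is sent on the wire.

```powershell
# Added example (not from the article): encapsulate an application message
# down through UDP, IPv4 and Ethernet, then de-encapsulate it, verifying the
# IPv4 header checksum on the way back up. All values are made up. UDP is
# used so the only checksum to compute is the IPv4 header's (a UDP checksum
# of 0 means "none" over IPv4).

function ConvertTo-BigEndian16 ([int]$Value) {
    $high = [int][math]::Floor($Value / 256) -band 0xFF
    $low  = $Value -band 0xFF
    return [byte[]]@($high, $low)
}

function Get-InternetChecksum ([byte[]]$Data) {
    # RFC 1071: one's complement of the one's-complement sum of 16-bit words.
    $sum = 0
    for ($i = 0; $i -lt $Data.Length; $i += 2) {
        $word = [int]$Data[$i] * 256
        if ($i + 1 -lt $Data.Length) { $word += [int]$Data[$i + 1] }
        $sum += $word
    }
    while ($sum -gt 0xFFFF) { $sum = ($sum -band 0xFFFF) + [int][math]::Floor($sum / 65536) }
    return ((-bnot $sum) -band 0xFFFF)
}

function ConvertTo-MacBytes ([string]$Mac) {
    [byte[]]($Mac -split '[:-]' | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function New-Frame {
    param([string]$SrcMac, [string]$DstMac, [string]$SrcIp, [string]$DstIp,
          [int]$SrcPort, [int]$DstPort, [string]$Message)

    # Layer 7: the application's bytes.
    $app = [System.Text.Encoding]::ASCII.GetBytes($Message)

    # Layer 4: UDP header (src port, dst port, length, checksum=0) + layer 7.
    $udp = (ConvertTo-BigEndian16 $SrcPort) + (ConvertTo-BigEndian16 $DstPort) +
           (ConvertTo-BigEndian16 (8 + $app.Length)) + [byte[]]@(0, 0) + $app

    # Layer 3: 20-byte IPv4 header + layer 4. Fields: version/IHL, TOS, total
    # length, identification, flags/fragment offset (DF set), TTL 64,
    # protocol 17 (UDP), checksum (filled in below), source, destination.
    $ip = [byte[]]@(0x45, 0x00) + (ConvertTo-BigEndian16 (20 + $udp.Length)) +
          [byte[]]@(0x00, 0x00, 0x40, 0x00, 64, 17, 0x00, 0x00) +
          [System.Net.IPAddress]::Parse($SrcIp).GetAddressBytes() +
          [System.Net.IPAddress]::Parse($DstIp).GetAddressBytes()
    $csum = ConvertTo-BigEndian16 (Get-InternetChecksum $ip)
    $ip[10] = $csum[0]; $ip[11] = $csum[1]

    # Layer 2: Ethernet II header (dst MAC, src MAC, EtherType 0x0800 = IPv4) + layer 3.
    $eth = (ConvertTo-MacBytes $DstMac) + (ConvertTo-MacBytes $SrcMac) + [byte[]]@(0x08, 0x00)
    return [byte[]]($eth + $ip + $udp)
}

function Expand-Frame ([byte[]]$Frame) {
    # Layer 2: 14-byte Ethernet II header.
    $dstMac = ($Frame[0..5]  | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
    $srcMac = ($Frame[6..11] | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
    $etherType = [int]$Frame[12] * 256 + $Frame[13]
    if ($etherType -ne 0x0800) { throw ('Not IPv4, EtherType 0x{0:X4}' -f $etherType) }
    $packet = $Frame[14..($Frame.Length - 1)]

    # Layer 3: IPv4. Header length is the low nibble of byte 0, in 32-bit words.
    $ihl = ($packet[0] -band 0x0F) * 4
    if ((Get-InternetChecksum $packet[0..($ihl - 1)]) -ne 0) { throw 'IPv4 header checksum mismatch' }
    $totalLength = [int]$packet[2] * 256 + $packet[3]
    if ($packet[9] -ne 17) { throw "Not UDP, protocol $($packet[9])" }
    $srcIp = $packet[12..15] -join '.'
    $dstIp = $packet[16..19] -join '.'
    $segment = $packet[$ihl..($totalLength - 1)]

    # Layer 4: 8-byte UDP header.
    $srcPort   = [int]$segment[0] * 256 + $segment[1]
    $dstPort   = [int]$segment[2] * 256 + $segment[3]
    $udpLength = [int]$segment[4] * 256 + $segment[5]
    $payload   = $segment[8..($udpLength - 1)]

    # Layer 7: what the application handed down in the first place.
    New-Object PSObject -Property @{
        DstMac = $dstMac; SrcMac = $srcMac; SrcIp = $srcIp; DstIp = $dstIp
        SrcPort = $srcPort; DstPort = $dstPort
        Message = [System.Text.Encoding]::ASCII.GetString([byte[]]$payload)
        Layout  = "Ethernet 14 + IPv4 $ihl + UDP 8 + data $($payload.Length) = $($Frame.Length) bytes"
    }
}

$frame = New-Frame -SrcMac '00:11:22:33:44:55' -DstMac '66:77:88:99:AA:BB' `
                   -SrcIp '10.0.1.107' -DstIp '10.0.1.1' -SrcPort 49152 -DstPort 53 `
                   -Message 'hello from layer 7'
Expand-Frame -Frame $frame | Format-List Layout, DstMac, SrcMac, SrcIp, DstIp, SrcPort, DstPort, Message
```

Flip any byte in the IPv4 header of $frame before calling Expand-Frame and the checksum check throws, which is the same thing a router does when it silently drops a corrupted packet; flip a byte in the payload and nothing notices, because UDP over IPv4 is allowed to carry no checksum at all.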

Summary

I can’t stress enough that if you are interviewing for any job in IT, you should be prepared to answer networking questions. Even if you are not interviewing to be a network admin, you never know when they will send a senior network admin to ask you a few quiz questions to test your knowledge. I can tell you first hand, the questions above are going to be the go-to topics for most network admins to ask you about during a job interview. And, if you are already a Windows network admin, hopefully this article serves as an excellent overview of the core networking concepts that you should know. While you may not use these every day, knowledge of these concepts is going to help you troubleshoot networking problems faster.

Posted in TUTORIALS

Get Rid of Microsoft Security Essentials Alert Fake Trojan Installing Red Cross, Peak Protection 2010, Pest Detector, Major Defense Kit

Posted by Alin D on August 27, 2010


Get Rid of Microsoft Security Essentials Alert a Fake Trojan Installing Fake Antivirus programs like Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit and AntiSpy Safeguard

The fake “Microsoft Security Essentials Alert” is actually a Trojan that displays a dialog looking very similar to a real alert from the legitimate Microsoft Security Essentials.

This trojan will try to trick you into thinking that your computer is infected. It will show the warning below

“Microsoft Security Essentials Alert
Potential threat details

Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your computer. Your access to these items may be suspended until you take an action. Click ‘Show details’ to learn more

Unknown Win32/Trojan Severe”

When you click ‘Show details’ It will then prompt you to clean your computer using the program in order to remove it. When you click on the ‘Clean Computer’ or ‘Apply actions’ button, it will state that it was unable to remove it and then prompt you to scan online.

“Unable to remove threat. Click “Scan online” to remove this threat”

If you click on the Scan Online button it will list 35 different anti-virus programs, 30 of which are legitimate anti-virus programs and 5 that are rogues that the Trojan is distributing.

These five rogue programs are:

•Red Cross Antivirus
•Peak Protection 2010
•Pest Detector 4.1
•Major Defense Kit
•AntiSpySafeguard or AntiSpy Safeguard

The aim is that you will then click ‘Free Install’ and purchase one of the five rogue anti-virus programs that this fake Microsoft Security Essentials Alert Trojan is distributing.

During this fake online scan, only the five rogue programs listed above will flag this supposed Microsoft Security Essentials Alert Trojan as an infection, with names like ‘Unknown Trojan’, ‘Trojan Horse’ or ‘Rootkit’.

It does this to scare you into clicking the Free Install button next to them, which installs the rogue program onto your computer and then reboots it. It should be noted that Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit and AntiSpySafeguard (or AntiSpy Safeguard), the programs the Trojan distributes, are exactly the same; they just have different names and different graphical user interfaces (GUIs). You can see images of each of the above rogues below.

After your computer is rebooted, the rogue that was selected will automatically start and perform a fake scan on your computer. When it has finished it will state that it was able to clean numerous files, but was not able to clean some files, such as iexplore.exe, until the program is purchased. While running, this program will also terminate many programs when you attempt to run them and display a message stating that they are infected. This message is:

The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.

This happened because the application was infected by a malicious program which might pose a threat for the OS.

It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.

Furthermore, these rogues will also display security alerts from your Windows taskbar that display messages such as:

Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can’t guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!

Warning! Running trial version!
The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!

Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!

As you can see, the Microsoft Security Essentials Fake Alert is a scam designed with one purpose: to trick you into purchasing the so-called full version of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard or AntiSpy Safeguard. Do not take the virus creators’ bait and buy the rogueware; if you already have, contact your credit card company and dispute the charges.

Coming back to how to get rid of the Microsoft Security Essentials Fake Alert: you need a solid program to fix the damage the rogue has caused, since it alters files, folders, permissions and registry keys.

So you need something as good as Reimage to fix all the damage left behind, to delete all the traces completely, to revive your PC from malicious trojans that may still reside on it and slow it down, and to stop it getting re-infected.

When you try to remove this rogue by running a legitimate antivirus, you find that the application cannot be executed (a warning claims it is infected), Task Manager is disabled, registry editing is disabled, and so on.

So, in order to get rid of the Microsoft Security Essentials Fake Alert completely, start your PC in Safe Mode with Networking. If you cannot browse with Internet Explorer, repair its proxy settings as follows.

Steps for successful Microsoft Security Essentials Fake Alert removal: run Internet Explorer and click Tools, then Internet Options, as shown in the screen below.

Internet Explorer – Tools menu

You will see window similar to the one below.

Internet Explorer – Internet options

Select the Connections tab and click the LAN Settings button. You will see an image similar to the one shown below.

Internet Explorer – Lan settings

Click the Advanced button to open the proxy settings. Copy and paste the following text into “Do not use proxy server for addresses beginning with:”: go.trendmicro.com;pcfixeasy.blogspot.com;reimagepcrepair.com;

When you finished, you will see a screen similar below:

Internet Explorer – Proxy settings

Click OK to save Proxy settings, then Click OK to close Lan Settings and Click OK to close Internet Explorer settings.
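An added example, not part of the post: a script that reports the settings the post says this rogue tampers with (Internet Explorer’s proxy configuration, and the policies that disable Task Manager and the Registry Editor) and, with -Fix, resets them. The registry locations are the standard ones for those settings; which of them a given sample actually changes comes from the post’s description, not from any signature in this script.

```powershell
# Added example (not from the post): show, and optionally undo, the user-level
# settings the post describes the rogue changing. Run as the affected user,
# since all of these live under HKCU. -Fix turns the proxy off and removes
# the two policy values; nothing else is touched.

param([switch]$Fix)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue ([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

$report = New-Object PSObject -Property @{
    ProxyEnable          = Get-RegValue $inet 'ProxyEnable'
    ProxyServer          = Get-RegValue $inet 'ProxyServer'
    ProxyOverride        = Get-RegValue $inet 'ProxyOverride'
    AutoConfigURL        = Get-RegValue $inet 'AutoConfigURL'
    DisableTaskMgr       = Get-RegValue $pol 'DisableTaskMgr'
    DisableRegistryTools = Get-RegValue $pol 'DisableRegistryTools'
}
$report | Format-List

$found = @()
if ($report.ProxyEnable -eq 1)          { $found += "proxy is enabled: $($report.ProxyServer)" }
if ($report.AutoConfigURL)              { $found += "automatic configuration script set: $($report.AutoConfigURL)" }
if ($report.DisableTaskMgr -eq 1)       { $found += 'Task Manager disabled by policy' }
if ($report.DisableRegistryTools -eq 1) { $found += 'Registry Editor disabled by policy' }

if ($found.Count -eq 0) { 'Nothing found in these settings.'; return }
'Found:'
$found | ForEach-Object { "  - $_" }

if ($Fix) {
    # Proxy off. ProxyEnable=0 is what IE honours, but remove the server and
    # any PAC URL too so a later re-enable does not bring the rogue's proxy back.
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
    if (Test-Path $pol) {
        Remove-ItemProperty -Path $pol -Name DisableTaskMgr       -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue
    }
    'Reset. Close and reopen Internet Explorer for the proxy change to take effect.'
}
```

Two caveats: on a domain-joined machine these policy values may be set legitimately by Group Policy and will come back at the next refresh, and clearing them removes the rogue's lock-out, not the rogue itself, so the cleanup the post goes on to describe is still needed afterwards.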

Go to http://reimagepcrepair.com/ and run a scan to fix the Microsoft Security Essentials Fake Alert.

Reimage works by comparing each and every OS system file with the correct files from a web repository of 25 million Windows components. (Since Reimage compares against the correct file, it can also find a hiding rootkit; this is what a rootkit remover does: it dumps a list of files from your hard disk drive and compares it with the list obtained from the recovery console in order to find a hidden virus.) This is the reason you can get a PC as good as new once you run Reimage: other antivirus and antimalware programs just delete the virus, but they do not correct the damage, which results in re-infection and a slow PC.

Reimage first scans your computer thoroughly (all the files, folders, registry keys and values, drivers, software and stacks) and then either repairs or removes the items that should not be there. But that is not all it does. They have an enormous web repository of applications, drivers, system objects and so on, against which they compare your PC’s files, and if a file is corrupted they replace it with a healthy one.

Visit Reimage For a Complete Scan Now to Get Rid of Microsoft Security Essentials Fake Alert Fake Antivirus Completely

Tom Parks works for Microsoft. He is currently researching on PC optimization and system security. He is also an avid gamer and owns xbox, PS3, Nintendo Wii, Dsi and PSP.

Posted in Security