Silicon Shecky

Infosec Practitioner

Connect

Assumptions, the bitter enemy

By Leave a Comment

The Public folder issue with the Exchange 2010 migration has been solved. An old lesson was reconfirmed. Then the chewing out of myself commenced.

Many years ago, when I was first learning to fix and build PC’s, I would go to the local monthly computer show. Each month would mean some new part for upgrading or replacing. It was fun to learn about these things, see what I could do with them, even cause the parts to eventually die out because of my own stupidity. It was a glorious time.

Eventually though I ran into a problem that took forever to solve. I had replaced something in my computer, and straightened up the cables connecting the PC to everything. I fired up the machine, and… no sound. Checked the settings in windows, checked the driver, pulled the card out, tried a different card, all still with no sound. 6 months I kept dealing with this problem, checked everything I could, tried new cards and still no sound. Well I checked almost everything I could. In month 6 of this issue, I went to do another cable cleanup, and that is when I found that I, for 6 months, had the microphone plugged into the speaker jack and the speakers plugged into the microphone jack. This was before they color coded everything, and for 6 months I swore that they were plugged in right. I assumed they were is more like it.

For many years I have told this tale to friends, and colleagues to exercise the point of the KISS (Keep It Simple Stupid) method. Always check and double check the simplest things before moving on to the more complex reasons. Sometimes though, even I need a swift kick in the rear to remember this.

I had been struggling this week with the public folder migration from Exchange 2007 to 2010. The Mailbox migration had worked fine. The public folders though had been beating me up. The hierarchy was not propagating, let alone the folders communicating. I did some research, and found that the replication was done over email, basically emailing the folders between servers. So I started checking SMTP settings, telnetting between machines, even remembered that there was a problem with mailboxes on the 2007 server sending e-mail to the mailboxes on the 2010 server, but not vice versa.

All the symptoms were there, right in my face as to the main portion of the answer. I still didn’t see the simple thing though, instead looking up every way I could think of describing the issue in Google, with no fix. Then, on day 4 of this madness, while starting to look at yet another site’s solution, the answer hit me in the face. I logged into the Domain Controller, opened up DNS, and yep, there it was. Actually, there it wasn’t. When I set up DNS for the new server, I had forgotten to put in an MX record for the new server. All they years of dealing with DNS and MX records, I had forgotten the simplest thing, yet for 3 day had assumed I had put it in. I was elated and angry with myself all at the same time, especially when I saw the hierarchy start to show up on the Exchange 2010 server (the rest of the solution was cleaning up the old security certs on the exchange 2007 server, and getting a new self signed cert on it).

So once again, I get reminded of the 6 months of no sound from the speakers, and why one really does need to double check the simplest things even more thoroughly than the complicated thing.

March Patch Tuesday

By Leave a Comment

So here it is, the second Tuesday of March and we all know what that means. Yep Microsoft Patch Tuesday! So lets ee what good old Microsoft has patched up for us this month.

The only Critical is a Windows Kernel update, which is patching a hole that, “could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture,” according to Eric Schultze of Shavlik Technologies.

Now we all know that a hole in the kernel is bad, and the way this is made to sound this hole can be even worse than other kernel hole, but still I would recommend installing the patch in a test environment first if possible, or at least on a non-mission critical machine. Something about making changes to the Kernel always make me a little leary.

Then there is a series of 4 patches for DNS. Not surprisingly these are for lesser used holes along the Kaminsky DNS attack lines. Definitely get these installed especially with some of the odd ways some viruses seem to be showing up from spoofed DNS.

Finally a patch related to SSL spoofing. Again important, but like the DNS patches, not listed as critical.

Personally, all the patches seem to adress some very serious issues. How SSL and DNS spoofing are not thought of as critical for patching is beyond my comprehension though. At least Microsoft did patch them. Now where is the Excel patch for a major hole in that program?

Mike

And the hole never ends…

By Leave a Comment

You know, I love my job. I love being able to work on things and learn new thoughts and ideas as I work. It is so fulfilling to see a project finished and working right. The only problem is they never are really finished.

So after the big file migration, and the corrections to the AD Users/OUs/Groups was down to a tweak here or there, I decided to see if I could figure out why some things with Exchange and DNS seemed to be so damn slow. They say that curiosity killed the cat and satisfaction brought him back, well we shall see how this ends.

Between finding that AD/DNS integration was set to a legacy standard, even though we use Server 2003, to find that we had only 1 Global Catalog, even though we have 5 DCs 4 of them at other sites, only one DC as a Global Catalog. Replication for AD was set to 4 hours, and all other sorts of small errors in the DNS server have been found. Its the sort of stuff that should have been thought through when the original migration from 2000 to 2003 happened.

Well, at least its keeping me busy, and who knows when any of this stuff will come in handy, but I know it will at some point.