TCP/IP Filtering is a “cheap” way to close off or open up certain ports to the outside world. Filtering was never meant to be an all-encompassing security approach, and should never be treated as such. It is an often overlooked but extremely easy security measure to implement. A couple of notes of caution when using TCP/IP Filtering:
1. It applies to ALL network adapters on the computer, so adjust accordingly. If you have two adapters and they both need certain ports open/closed, the filtering policy will be applied to both.
2. You will need to restart your computer when changes are applied. In a server environment, sometimes this is an issue.
Steps:
Start Menu –> Control Panel –> Network and Internet Connections –> Right-Click (on the Adapter you want) and select Properties
The Following Properties box comes up: Select Internet Protocol (TCP/IP) and select Properties.
Select Advanced under the General Tab in TCP/IP Properties.
Under the Advanced Settings, select the Options tab, select TCP/IP filtering and select Properties.
In the TCP/IP Filtering dialog box, check Enable TCP/IP Filtering (All Adapters) and select Permit Only under TCP Ports or UDP Ports depending on your particular needs.
Windows 2003 has a very aggressive password policy in place (well, sort of). Most websites that spout password tips typically list the first 4 of the following groups of character classes as options for a strong password. Many do not realize that you can also use Unicode Characters in the password. Windows 2003 passwords can be up to 128 characters long. Try memorizing a password that long! You may also include blank spaces (although most password “strength” testers do not consider a blank space a particularly strong element).
The character classes that can be used in a Windows 2003 password are as follows:
Classes              Examples
Lowercase letters    a, b, c, …
Uppercase letters    A, B, C, …
Numbers              0, 1, 2, 3, …
Symbols              % ^ & * – + = | \ {, …
Unicode characters   €, Γ, λ, …
A strong password should contain at least 3 of the preceding groups and hopefully all 5.
A few of the most common “mistakes” in making a password are:
· Including dictionary words.
· Including your username.
· Including common sequences (ex. abc, 123, 7890), keyboard sequences, or repeated characters.
· Your birthday, name, pet’s name, spouse, etc. All of these can easily be found out by a determined person.
Of course, I say “mistakes” lightly because sometimes a strong password can encompass these elements. Many security experts would say “No Way!” But consider that you need to memorize the password, so by taking the longest/strongest possible password you can remember and then throwing a name or other element in addition to that will certainly make it stronger. But DO NOT use ONLY those.
To understand what makes a strong password, you need to understand how passwords are most commonly cracked.
1. Someone you know trying to get into your account: This type of person will likely hinge on things like birthdays, names, etc. to help crack your password.
2. Unknown Person/Random Cracker: This person will be less likely to know your personal information. For example, if the administrator can only memorize 7 characters, he/she may be better off using those 7 characters with many personal strings, which is just as easy to memorize. These types of people will typically use dictionary or brute force attacks. Dictionary attacks run all combinations of the dictionary on a password (many crackers only use their own language dictionary though). Brute force attacks will take a long time, but they also start with the shortest possible text strings, so in those cases a shorter password will absolutely be cracked sooner. Even if a password is not complex, a long password will help protect against brute force attacks.
Finally, the best password is the one you will remember. I know of many people who forget their passwords and sometimes the only solution is long, tiring, and costly.
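The checks described in this post, as an added example that is not part of the original post: a Python function that counts the five character classes, flags the common mistakes listed above, and reports how many characters remain once the guessable elements are removed. The function names, the sequence list and the rule that a blank space earns no class are assumptions of this example.

```python
# Added example: checks a candidate password against the rules in this post.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "01234567890",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")  # constructed, not exhaustive
MAX_LEN = 128  # maximum length quoted in the post


def char_classes(password):
    """Return which of the post's five character classes appear."""
    found = set()
    for ch in password:
        if ord(ch) > 127:
            found.add("unicode")      # e.g. €, Γ, λ
        elif ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif not ch.isspace():
            found.add("symbol")       # assumption: a blank space earns no class
    return found


def review(password, username="", words=()):
    """Report classes, the post's common mistakes, and what is left without them."""
    low, issues = password.lower(), []
    classes = char_classes(password)
    if len(classes) < 3:
        issues.append(f"only {len(classes)} of 5 character classes")
    if len(password) > MAX_LEN:
        issues.append(f"longer than {MAX_LEN} characters")
    residual = low
    # words: dictionary words and personal details (names, birthdays) to look for
    for weak in filter(None, [username.lower(), *(w.lower() for w in words)]):
        if weak in low:
            issues.append(f"contains '{weak}'")
            residual = residual.replace(weak, "")
    trigrams = [low[i:i + 3] for i in range(len(low) - 2)]
    if any(t[0] == t[1] == t[2] for t in trigrams):
        issues.append("repeated characters")
    if any(t in s or t in s[::-1] for t in trigrams for s in SEQUENCES):
        issues.append("keyboard or common sequence")
    if issues and not residual:
        issues.append("made up only of guessable elements")
    return {"classes": sorted(classes), "issues": issues, "residual": len(residual)}
```

A password built only from a pet's name and a birth year comes back with `residual` 0, which is the "DO NOT use ONLY those" case; the same name appended to a long, mixed-class password leaves a large residual.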
Ever notice when you are shutting down a server that has Exchange Server running, it takes ~15 minutes? Exchange Server relies on Active Directory and therefore DSAccess to provide a cache of AD information. When the server shuts down, LSASS is stopped before DSAccess can shut down cleanly and goes into a timeout mode, which is 10 minutes by default. Other processes experience similar timeouts when they are not shut down cleanly or in an efficient order. The quickest way to get around this is to create a .bat file to shut down the Exchange processes and run it before you shut down the server. Open up a text editor, put in the following code and save it as “shutdown.bat”. Double-click it before you shut down. This will cut shutdown time to a few minutes or less.
net stop MSExchangeES /yes
net stop MSExchangeIS /yes
net stop MSExchangeMTA /yes
net stop MSExchangeSA /yes
net stop iisadmin /yes
The post below talks about processor affinity and setting IIS to use only one processor to increase stability of certain applications (PHP ISAPI anyone?).
You can set the affinity by opening Task Manager and selecting w3svc.exe or inetinfo.exe on the Processes tab. Right click and choose Set Affinity. Uncheck the processors which should not execute the application.
This is a temporary solution since it is reset once you restart Windows or IIS. Some people often disregard setting processor affinity as a fix since it never seems to work…but this is because they don’t set it permanently. Below is how to set the processor affinity permanently.
Grab the Imagecfg.exe tool from the \support\debug\i386 folder of a Windows NT 4.0, or the Imagecfg.exe tool from the Windows 2000/2003 Server Resource Kit.
Open a CMD prompt and type:
imagecfg -a 0xn drive:\Path\program.exe
where 0xn is the affinity mask and drive:\Path\program.exe is the program you wish to set. The mask indicates which processor is to run the desired application. On a dual-core system, you use CPUs 0 and 1 (not 1 and 2).
In my relentless efforts to squash the ever increasing spam problem within our organization, I have added ORF Enterprise Anti-Spam by Vamsoft to our anti-spam arsenal.
ORF is not meant for Exchange Server only; it binds to any SMTP server and filters before/after arrival of messages. It seems any Exchange Server specific anti-spam product is much more expensive than it has to be. Perhaps it is because the cost of Exchange Server implies the owner has the money to buy an expensive anti-spam product? Maybe.
To the side are the stats from a typical day. 68% of all email received and tested is spam. By far the most effective feature is the DNS blacklist.