Sunday, April 19, 2015

Whitelist Domains for Exchange 2010 Content Filter

Our standard antispam solution for clients is Symantec Mail Security. The main benefit of this software is a very low number of false positives. However, we've been having issues at a few clients where more spam gets through than they'd like. For these clients, we've added the built-in Exchange 2010 content filtering as another layer.

With the Exchange 2010 content filter, we've run into issues where some domains are not able to send PDF attachments. Most of these senders seem to be hosting their domains on Google mail, where you can't really blame the content filter for being a bit overly sensitive.

To resolve this, we add the domain to the whitelist for the content filter with the following command (the domain names shown are placeholders):
Set-ContentFilterConfig -BypassedSenderDomains "contoso.com","fabrikam.com"

When you use this command, it overwrites the existing list of domains. If this is a long list, rather than risk making a typo, you can use these few commands to add a new domain to the existing list (again, the domain name is a placeholder):
$domains = (Get-ContentFilterConfig).BypassedSenderDomains
$domains += "contoso.com"
Set-ContentFilterConfig -BypassedSenderDomains $domains
To simplify this process and make it less likely that a typo wipes out your whitelist of domains, you can use the following script:
$newDom = Read-Host "Domain to add"
$domains = (Get-ContentFilterConfig).BypassedSenderDomains
$domains += $newDom
Set-ContentFilterConfig -BypassedSenderDomains $domains
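The script above still trusts whatever is typed at the prompt. As an added example (not code from the original post), the function below does the same append but rejects anything that is not a bare domain name, skips duplicates, and supports -WhatIf so the change can be reviewed before the list is rewritten. It assumes the Exchange Management Shell is loaded, since Get-ContentFilterConfig and Set-ContentFilterConfig are Exchange cmdlets; the domain names in the usage lines are placeholders.

```powershell
# Added example: append domains to the Exchange 2010 content filter bypass list
# without overwriting it or accepting a malformed entry. Requires the Exchange
# Management Shell (Get-/Set-ContentFilterConfig are not built-in cmdlets).
function Add-BypassedSenderDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Domain
    )

    # Only plain domain names: dot-separated labels of letters, digits and hyphens.
    # Anything with "@", "/", ":" or whitespace is a typo, not a sender domain.
    $domainPattern = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

    # Current list, normalised to lower case so duplicate checks are reliable.
    $current = @((Get-ContentFilterConfig).BypassedSenderDomains |
        ForEach-Object { $_.ToString().ToLowerInvariant() })

    $toAdd = @()
    foreach ($d in $Domain) {
        $candidate = $d.Trim().ToLowerInvariant()
        if ($candidate -notmatch $domainPattern) {
            Write-Warning "Skipping '$d': not a bare domain name."
            continue
        }
        if ($current -contains $candidate -or $toAdd -contains $candidate) {
            Write-Verbose "'$candidate' is already bypassed; skipping."
            continue
        }
        $toAdd += $candidate
    }

    if ($toAdd.Count -eq 0) {
        Write-Host "Nothing to add. Bypass list unchanged ($($current.Count) entries)."
        return
    }

    # Existing entries plus the new ones; the existing list is never shortened.
    $newList = $current + $toAdd
    if ($PSCmdlet.ShouldProcess("content filter bypass list", "add $($toAdd -join ', ')")) {
        Set-ContentFilterConfig -BypassedSenderDomains $newList
        Write-Host "Bypass list now has $($newList.Count) entries (added $($toAdd.Count))."
    }
}

# Usage (placeholder domains): preview with -WhatIf, then run for real.
# Add-BypassedSenderDomain -Domain 'contoso.com' -WhatIf
# Add-BypassedSenderDomain -Domain 'contoso.com','fabrikam.com' -Verbose
```

The pattern is deliberately strict and will reject wildcard forms; loosen it if you rely on those. Exchange multivalued parameters also accept the @{Add='contoso.com'} hashtable form, which avoids rewriting the list at all, but the function above keeps the read-append-write shape of the post so the validation step is visible.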

Friday, April 17, 2015

Critical Update for Windows Web Servers

Most of the security updates released by Microsoft fall in the "apply soon" category. This week Microsoft released an update that falls in the "apply NOW!" category.

There is a flaw in http.sys on Windows Server 2008 R2 and later that allows a malformed packet to crash your server and perhaps remotely execute code. Since the patch was released on Tuesday, the details of the flaw have become widely known and are trivial to implement. This means that anyone who can reach your web server can crash it at will.

Two common scenarios I work with that are cause for concern:
  • Exchange servers. Exchange servers use the Windows web server (IIS) to provide services, so your Exchange servers are vulnerable.
  • Small Business Server. Organizations with SBS typically provide both remote access and Exchange web services. Both are done with IIS and are vulnerable to this flaw.
Best practice is to install the patch (which requires a restart) from here:
If you can't do that because of testing requirements, you can disable kernel caching in IIS. That mitigates the flaw but also reduces performance. It's a reasonable workaround in the short term.

To disable kernel caching in IIS:
  1. Open IIS Manager.
  2. In IIS Manager, select the server node and double-click Output Caching.
  3. On the Output Caching page, in the Actions pane, click Edit Feature Settings.
  4. In the Edit Output Cache Settings window, shown below, uncheck the Enable kernel cache check box and click OK.
  5. Close IIS Manager.
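On more than a couple of servers, clicking through IIS Manager does not scale and leaves no record of what was checked. As an added example (not code from the original post), the function below reports whether the patch is installed and whether server-level kernel caching is still on, and can switch kernel caching off as the workaround when the patch is missing. It assumes Windows Server 2008 R2 or later with the WebAdministration module (IIS 7.5 and up) in an elevated PowerShell; the hotfix id is taken as a parameter because the post links to the bulletin rather than naming the KB number.

```powershell
# Added example: check patch state and the IIS kernel-cache workaround on this host.
# Assumes the WebAdministration module (IIS 7.5+) and an elevated session.
# -KB is the hotfix id from the Microsoft bulletin; supply it as 'KB<number>'.
function Test-HttpSysMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$KB,                   # e.g. 'KB<number from the bulletin>'
        [switch]$DisableKernelCache    # apply the workaround if the patch is missing
    )

    Import-Module WebAdministration -ErrorAction Stop

    # Get-HotFix returns nothing (plus a non-terminating error) when the id is not installed.
    $patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # Server-level setting, i.e. what the Output Caching page on the server node edits:
    # applicationHost.config -> <system.webServer><caching enableKernelCache="true" />
    # The cmdlet may return a bare bool or a ConfigurationAttribute, so handle both.
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache'
    $kernelCache = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }

    $status = New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        PatchInstalled     = $patched
        KernelCacheEnabled = $kernelCache
        Exposed            = (-not $patched) -and $kernelCache   # unpatched and no workaround
    }

    if ($status.Exposed -and $DisableKernelCache) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable IIS kernel cache at server level')) {
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
            $status.KernelCacheEnabled = $false
            $status.Exposed = $false
        }
    }
    return $status
}

# Usage: report first, preview the change, then apply it.
# Test-HttpSysMitigation -KB 'KB<number>' | Format-List
# Test-HttpSysMitigation -KB 'KB<number>' -DisableKernelCache -WhatIf
# Test-HttpSysMitigation -KB 'KB<number>' -DisableKernelCache
```

The check reads the server-level setting only; an individual site can override caching in its own web.config, so a site-level review is still worthwhile on multi-tenant hosts. Treat a result of Exposed = $true as a reason to schedule the restart, not as a permanent state to live with.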

If you have a reverse proxy server in front of your web server, it may protect you from this flaw. However, you would need to test to be sure. This article provides a command line for the Curl utility to send the malformed packet:
You can download Curl here:

Saturday, April 11, 2015

Disk2VHD for Dynamic Disks

I was virtualizing an old server for a customer today and ran into an issue I've never had before. The server has a C: drive for the operating system and a D: drive for data. As I've done before, we used Disk2VHD to perform the conversion.

After creating the virtual machine and starting it, the D: drive was showing as Dynamic and Offline. So, it appears that the D: drive was a dynamic disk rather than a basic disk. I suspect that at some point it was configured to use mirroring functionality in Windows which requires dynamic disks.

Ok, fair enough. How do we properly import this disk? According to several searches, I should be able to reactivate the disk. However, this didn't work in my case.

At this point, I'm a bit annoyed. An obvious solution is to do a simple file copy from the old D: drive in the original server, but I'm doing this conversion remotely and have already shut down the original server. I would need to abort the conversion for the weekend if I can't figure this out.

While I was searching for potential ways to repair the disk, I ran into a few articles about converting a dynamic disk to a basic disk without data loss. When you convert a dynamic disk to a basic disk in Disk Management, or by using diskpart, you lose all of the data. What wizardry is this that they're trying to sell me?

I'm not into low-level disk stuff and likely never will be, but here is my overall understanding. The on-disk configuration for dynamic disks and basic disks is pretty close. Close enough that you can use a hex editor and edit the disk to make it a functional basic disk without losing your data. There are a few utilities that do this for you (for $$, of course), or you can do it yourself.

Here are the basic instructions:
  1. Download a hex editor for the disk. I used this one:
  2. In the hex editor, rows are labelled as Offset and columns are labelled 0 to F. For a dynamic disk, the byte at Offset 00000001C0, column 2 (that is, offset 1C2) has the value 42 for the first partition. Change this value to 07. The value 07 is used for basic disks with NTFS partitions.
  3. If your disk has multiple partitions, then you need to go down to the next row and make the same change. Note that basic disks can have a maximum of 4 partitions. Dynamic disks do not have this limitation.
  4. After modifying all the necessary values, save the changes.
  5. At this point, I rescanned the drives and was able to see a basic disk, but not do anything with it. So, I restarted the VM.
  6. After the restart I was able to assign a drive letter to the modified disk, but it had no data. To recover the data I needed to repair the disk. You can use chkdsk /f, but I used the disk repair option available in Windows Explorer.
  7. The repair completed very quickly and I was able to see all of the data.
  8. After a final reboot the applications using the data on D: drive started properly and appear to be functional.
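The bytes being edited are the partition-type fields of the four MBR partition table entries (0x1C2, 0x1D2, 0x1E2 and 0x1F2), which is why only four partitions can be converted this way. As an added example (not code from the original post), the script below parses those entries from a 512-byte boot sector, shows which ones carry the dynamic-disk type 0x42, and writes a copy with those bytes set to 0x07. It runs against a constructed sample sector, and the Repair-MbrSectorFile helper applies the same change to a raw sector dump saved from a hex editor after backing it up. It assumes MBR partitioning (not GPT) and a dump file that starts with the boot sector, not a VHD container, whose first bytes are a header rather than the MBR for dynamic VHDs.

```powershell
# Added example: parse and patch the MBR partition-type bytes the post edits by hand.
# Assumes an MBR-partitioned disk and, for the file helper, a raw sector dump.

$PartitionTableOffset = 0x1BE   # four 16-byte entries, ending just before the 55 AA signature
$EntrySize            = 16
$TypeByteInEntry      = 4       # 0x1BE + 4 = 0x1C2: row 1C0, column 2 in the hex editor

function Get-MbrPartitionEntries {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw "Need a full 512-byte sector, got $($Sector.Length) bytes." }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw "No 55 AA boot signature; this is not an MBR sector." }
    for ($i = 0; $i -lt 4; $i++) {
        $base = $PartitionTableOffset + $i * $EntrySize
        $type = $Sector[$base + $TypeByteInEntry]
        New-Object PSObject -Property @{
            Index      = $i
            TypeOffset = $base + $TypeByteInEntry                        # 0x1C2, 0x1D2, 0x1E2, 0x1F2
            Type       = ('0x{0:X2}' -f $type)
            InUse      = ($type -ne 0)
            IsDynamic  = ($type -eq 0x42)                                 # 0x42 = Windows dynamic disk (LDM)
            StartLba   = [BitConverter]::ToUInt32($Sector, $base + 8)    # little-endian, entry+8
            SizeMB     = [math]::Round([BitConverter]::ToUInt32($Sector, $base + 12) * 512 / 1MB, 1)
        }
    }
}

function Convert-MbrDynamicToBasic {
    param([byte[]]$Sector)
    $patched = [byte[]]$Sector.Clone()
    foreach ($entry in Get-MbrPartitionEntries $Sector) {
        if ($entry.IsDynamic) {
            $patched[$entry.TypeOffset] = 0x07                            # 0x07 = NTFS on a basic disk
            Write-Host ('Entry {0}: 0x42 -> 0x07 at offset 0x{1:X}' -f $entry.Index, $entry.TypeOffset)
        }
    }
    return ,$patched    # leading comma keeps the byte[] intact instead of unrolling it
}

function Repair-MbrSectorFile {
    param([string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    Copy-Item -Path $Path -Destination "$Path.bak"                        # always keep the original
    $fixed = Convert-MbrDynamicToBasic ([byte[]]$bytes[0..511])
    [Array]::Copy($fixed, 0, $bytes, 0, 512)
    [IO.File]::WriteAllBytes($Path, $bytes)
}

# Constructed sample sector (not from a real disk): two dynamic partitions, two empty slots.
$sample = New-Object byte[] 512
$sample[510] = 0x55; $sample[511] = 0xAA
$sample[0x1C2] = 0x42                                                     # entry 0 type byte
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 0x1BE + 8)        # entry 0 start LBA
[BitConverter]::GetBytes([uint32]2097152).CopyTo($sample, 0x1BE + 12)    # entry 0 size: 1 GB
$sample[0x1D2] = 0x42                                                     # entry 1 type byte
[BitConverter]::GetBytes([uint32]2099200).CopyTo($sample, 0x1CE + 8)     # entry 1 start LBA
[BitConverter]::GetBytes([uint32]4194304).CopyTo($sample, 0x1CE + 12)    # entry 1 size: 2 GB

Get-MbrPartitionEntries $sample | Format-Table Index, Type, IsDynamic, StartLba, SizeMB -AutoSize
$fixed = Convert-MbrDynamicToBasic $sample
Get-MbrPartitionEntries $fixed  | Format-Table Index, Type, IsDynamic -AutoSize
```

Only the type byte changes; start and length stay as they were, which is exactly why the NTFS volume is found again after a rescan and repair. A dynamic disk with more than four volumes, or with spanned or striped volumes, carries that layout in LDM metadata rather than in these four entries, and this edit cannot recover it.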
Some additional resources:

Tuesday, April 7, 2015

Free Online Technical Conference

On May 14-15, 2015, the MVP Virtual Conference is free online for everyone who registers. The sessions are open to anyone and are presented by Microsoft MVPs.

It looks pretty cool with topics such as:
  • Migrating to Office 365
  • Windows Azure
  • Ransomware - prevention and recovery

Check it out here:

Friday, April 3, 2015

IE Compatibility View Woes

Many organizations have web-based applications that require Compatibility View in Internet Explorer to work properly. In cases where there are only a few computers or users, it's quite easy to add a specific web site to the list of sites for Compatibility View from the IE user interface.

We ran into a hiccup recently where several computers were not keeping a site in the Compatibility View list. You could add the site, but when you restarted Internet Explorer, it was gone. This was caused by the option Delete browsing history on exit being enabled. This is a known issue that goes back to IE 8. This client is using IE 11.

Internet Explorer - Internet Options
To accommodate having this option on, I pushed out the Compatibility View site through Group Policy, which is probably what I should have done in the first place. The Group Policy setting exists under both Computer Configuration and User Configuration at:
  • Policies\Administrative Templates\Windows Components\Internet Explorer\Compatibility View\Use Policy List of Internet Explorer 7 sites
When you enable this policy and provide a domain, all sites in that domain are rendered in IE 7 mode (Compatibility View). Note that the required format is a domain name and not a URL. So, a plain domain name works, but a full URL does not.

GP Setting for List of Compatibility View Sites
After the Group Policy has been applied to the computers, you cannot verify that it took effect by looking at the list of Compatibility View sites. Even though the setting is applied for those sites, they do not appear in the IE user interface. To verify that the setting is effective, you can use the Developer Tools option in IE.

To use the Developer Tools option in IE, press F12. This opens a pane at the bottom of the IE window. Select the Emulation tab and read the value listed for Document mode. If this value is 7 (Default) then it is using Compatibility View.
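Developer Tools confirms the rendering mode for one page at a time, but it does not show you what the policy list actually contains on a given machine. As an added example (not code from the original post), the script below reads the policy list from the registry, flags entries that were entered as URLs instead of domains (the mistake the post warns about), and converts a pasted URL to the domain form. It assumes that the "Use Policy List of Internet Explorer 7 sites" setting is stored as string values under ...\Internet Explorer\BrowserEmulation\PolicyList in HKLM for Computer Configuration and HKCU for User Configuration; the sample inputs are constructed.

```powershell
# Added example: inspect the Compatibility View policy list and validate its entries.
# Assumption: the policy writes string values under the BrowserEmulation\PolicyList key.

# A policy entry must be a bare domain: no scheme, path, port or wildcard.
function Test-CompatViewEntry {
    param([string]$Entry)
    return [bool]($Entry -match '^([a-z0-9-]+\.)+[a-z0-9-]+$')
}

# Turn a pasted URL such as http://intranet.contoso.com/app/ into intranet.contoso.com.
function ConvertTo-CompatViewDomain {
    param([string]$Value)
    $v = $Value.Trim().ToLowerInvariant()
    if ($v -match '^[a-z][a-z0-9+.-]*://') { return ([uri]$v).Host }
    return ($v -split '[/:]')[0]          # strip a path or port typed without a scheme
}

function Get-IeCompatViewPolicyList {
    $paths = @{
        'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList'
        'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList'
    }
    # Provider metadata that Get-ItemProperty adds alongside the real values.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($scope in $paths.Keys) {
        $key = $paths[$scope]
        if (-not (Test-Path $key)) { Write-Verbose "$scope policy list not present"; continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $skip -notcontains $_.Name }
        foreach ($p in $props) {
            $entry   = [string]$p.Value
            $valid   = Test-CompatViewEntry $entry
            $suggest = ''
            if (-not $valid) { $suggest = ConvertTo-CompatViewDomain $entry }
            New-Object PSObject -Property @{
                Scope   = $scope
                Entry   = $entry
                Valid   = $valid
                Suggest = $suggest          # what the entry should have been
            }
        }
    }
}

# Constructed inputs (not from any real GPO) showing accepted vs. rejected forms.
foreach ($candidate in 'contoso.com', 'http://intranet.contoso.com/app/', 'intranet.contoso.com:8080') {
    '{0,-40} valid={1,-5} domain={2}' -f $candidate, (Test-CompatViewEntry $candidate), (ConvertTo-CompatViewDomain $candidate)
}

# On a domain-joined machine after gpupdate:
Get-IeCompatViewPolicyList | Format-Table Scope, Entry, Valid, Suggest -AutoSize
```

Run it once on a workstation that still misbehaves: an empty result means the policy never applied (check scope and filtering with gpresult), while a row with Valid = False means it applied but the entry is in the wrong format and IE is ignoring it.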

IE 11 - Developer Tools