Exchange Ideas, December 2006

Exchange FAQs
How can I modify the Exchange Server 2003 Outlook Web Access (OWA) timeout that's applied when OWA has forms-based authentication enabled?
By default, when OWA has forms-based authentication enabled, sessions have a 15-minute inactivity timeout for public or shared computers and 24 hours for a private computer. If you're using a public computer to compose a long email message that takes more than 15 minutes to write, the session will time out and you won't be able to send the message. You can change this timeout value (which is the cookie lifetime) by using this procedure:

1. Log on to the Exchange server as an Administrator.
2. Start the registry editor (regedit.exe).
3. Navigate to the HKEY_LOCAL _MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA subkey.
4. From the Edit menu, select New, DWORD value.
5. Enter a name of "PublicClient Timeout" and press Enter.
6. Double-click the new entry and set it to the desired number of minutes before a timeout (1 to 4320), set the type to decimal, and click OK.
7. To set the timeout period for a private client, repeat the process of creating a DWORD value, but this time enter a name of "TrustedClient Timeout" and again set the value to the number of minutes before a timeout. (The value for private computers should be significantly higher than for public computers.)
8. Stop and restart the World Wide Web (WWW) Publishing service by using these commands at the command line:

net stop w3svc net start w3svc 

John Savill

What does the Microsoft Antigen product family do?
The first round of Microsoft-branded Sybari products—Microsoft Forefront Security for Exchange Server, Antigen for SMTP Gateways, Antigen Spam Manager, and Antigen Enterprise Manager—are ready to hit the market. Eventually, all these products will be included in the Microsoft Forefront line of security products, but the current versions offer a compelling solution for Microsoft Exchange Server email infrastructures. Here's what you need to know about the Antigen family of products.

Spam protection at the server level. The Antigen products are designed to protect Exchange email servers, although Antigen for SMTP Gateways also supports the SMTP server function in Windows servers. (Microsoft is also working on Antigen products for Windows SharePoint Services and IM.) An Antigen for Exchange product has existed for roughly 10 years, and it has always focused solely on managed enterprise servers, not consumer or desktop products. Customers have always applauded Antigen because it only minimally affects performance and easily integrates with Microsoft's management technologies.

Unlike some antivirus solutions, Antigen doesn't rely on just one antivirus engine. Instead, administrators can install and enable multiple antivirus engines, as the situation demands, to obtain the best antivirus protection possible. Sybari never saw itself as an antivirus engine lab, so it partnered with several antivirus engine companies, and Microsoft continues to benefit from these established relationships. Antigen also includes a new antivirus engine designed by Microsoft that's based on its experience protecting millions of MSN and Hotmail accounts.

The Antigen email-protection products come with five antivirus scanning engines: Microsoft, Sophos, CA Vet, CA InoculateIT, and Norman. If you buy the Antigen Messaging Security Suite, which includes Forefront Security for Exchange Server, Antigen for SMTP Gateways, and Antigen Spam Manager, you also get Kaspersky, AhnLab, Authentium, and VirusBuster engines. You can use any combination of engines to get the best protection, but Microsoft recommends activating no more than five antivirus scanning engines per installation.

Why would you need multiple engines? When a virus appears, companies that make antivirus scanning engines race to be the first to market with new signatures. By using multiple engines, you're more likely to quickly receive signatures for all new viruses than you are if you rely on just one vendor.

What's new in Antigen. Antigen underwent Microsoft's grueling Security Development Lifecycle code review to ensure that it uses the lowest possible security privileges and ships with the most secure out-of-the-box configuration. These precautions are important because hackers often use antivirus products as an attack vector. Antigen also provides greatly enhanced support for Exchange clusters.

Recommendations. If you're already a Sybari customer, there probably aren't enough improvements in Antigen to warrant an upgrade. But if you're still looking for an antivirus solution that offers superior protection and deep integration with Active Directory (AD) and other Microsoft management tools, consider Antigen. Future versions will benefit from integration with other Forefront solutions and Exchange Server 2007's roles-based infrastructure.
Paul Thurrott

SharePoint FAQs
How can I use Microsoft Front-Page to back up or restore a Windows SharePoint Services site?
FrontPage lets you create archives of SharePoint sites for backup and restore purposes. To do so, perform the following steps:

1. Use Microsoft Internet Explorer (IE) to open the SharePoint site.
2. From the File menu, select Edit with Microsoft Office FrontPage.
3. In FrontPage, select Tools, Server, Backup.
4. Check the Include subsites in archive option and click OK.
5. Select a folder and filename for the Web-site archive file (.fwp) and click Save.
6. After the backup is done, click OK in the Backup completed dialog box.

To restore a site, perform the following steps:

1. Create a new site (to which the archive will be restored). When the wizard asks you to select a template, close IE so that no template is applied.
2. In FrontPage, open the site that you just created (Click File, Open Site, and enter the URL of the site you just created).
3. In FrontPage, select Server, Restore Web Site, from the Tools menu.
4. Select the name of the archive file and click Open.
5. Click OK to restore the Web site.

John Savill

How can I make links in Microsoft SharePoint technologies open in a new browser window?
By default, SharePoint links open in the existing browser window. You can find several solutions for this behavior on the Web (some listed at the end of this FAQ), but I found the following solution to be the easiest:

1. Use Microsoft Internet Explorer (IE) to open the SharePoint page containing the links.
2. From the File menu, select Edit with Microsoft Office FrontPage.
3. In Microsoft FrontPage, rightclick the section with the links, and from the displayed context menu select Convert to XSLT Data View.
4. Right-click one of the links and select Hyperlink Properties.
5. From the displayed dialog box, click the Target Frame button.
6. Select New Windows and click OK for all dialog boxes.
7. Save the page changes.

Now, when someone clicks a link, the page will open in a new window. You can find other solutions for this behavior at http://mindsharpblogs.com/todd/archive/2005/08/16/654.aspx and http://andrewconnell.com/blog/articles/SharepointLinksListOpenIn NewWindow.aspx.
John Savill

What's Sunbelt Messaging Ninja?
Sunbelt Software's Sunbelt Messaging Ninja offers spam, virus, and attachment filtering for Microsoft Exchange 2000 Server and later. Ninja's policy-based approach lets you create different rules for users and groups and enforce policies according to destination, source, and direction (e.g., incoming, outgoing). You can set antispam policies to allow or block senders according to attributes in any message field. Ninja can even flag messages according to the character set used (e.g., quarantining messages that use the Russian Cyrillic alphabet).

Ninja uses Authentium and BitDefender antivirus engines and Cloudmark's signature-based spam filter as well as Sunbelt's own heuristic engine. Ninja also supports Realtime Blackhole Lists and Sender Policy Framework. The product runs on your Exchange servers and has the unique ability to scan internal email. The trade-off, however, is that Ninja uses processor resources and can increase the server load by up to 20 percent.

Installation is a 20-minute process that requires restarting the Exchange service. After installation, I quickly created policies and administered them without resorting to the documentation. You control Ninja through Microsoft Management Console (MMC). Managing multiple servers requires opening multiple MMC instances, which might be a hassle for multiple-site organizations. A replication feature maintains consistency among clusters or multiple servers.

Comparable solutions offer similar functionality at a lower price. Because they typically run on the gateway, however, such products can't filter internal email or provide Ninja's granular configuration options. Ninja's flexibility makes it a useful application for organizations that don't require management from a remote installation.
Joel B. Barker

What approach should I take in developing an email-security strategy?
Because of the danger of viruses, Trojan horses, and spyware and because email is now the main attack vector, most organizations rely on multiple layers of defense. Those layers can include a packet-filtering firewall, an email firewall, and a demilitarized zone (DMZ) mail server.

The first layer of defense—and the layer that best protects the underlying network and provides a crucial level of protection for network-oriented applications—is the packet-filtering firewall. A packet-filtering firewall understands networks at the TCP/IP layer, including such matters as TCP, UDP, and ports. This type of firewall is configured to let only certain types of incoming packets through to specifically allowed ports on the internal hosts that the firewall protects. For example, a firewall might allow incoming packets on TCP port 25 on the DMZ mail server and TCP port 80 or TCP port 443 on the DMZ Web mail server.

The second layer of defense is an email firewall, one example of an application-level firewall. This type of firewall works at a higher level in the protocol stack. It not only understands SMTP but can scan the content of mail envelopes and mail content to detect spam, phishing attacks, and viruses. The email firewall is usually hardened against SMTP-based attacks (e.g., buffer-overflow attacks), so the DMZ mail server is less susceptible to such attacks. An email firewall protects email systems (i.e., computer systems that provide mail service) as well as providing a layer of protection for internal users from dangerous email messages in their mailboxes.

Note that email firewalls must provide comprehensive antivirus capabilities to properly defend against both known and unknown viruses. Much antivirus software has been reactive. However, because of how quickly viruses now spread and because many viruses are polymorphic, a reactive approach is no longer enough. Antivirus software must also provide predictive scanning, meaning that it should be able to perform heuristic scanning to detect key characteristics that identify a virus rather than needing to know an exact signature. Reactive scanning still has a place in virus defense, but real-time defense against zero-day threats requires predictive scanning from antivirus software.

The third layer of defense is a well-configured DMZ mail server. This server accepts only mail destined for the domains that it owns—that is, for internal users. This approach prevents spammers from using this mail server for relaying spam. The DMZ mail server is also hardened so that attacks that jump to it from the email firewall (e.g., invalid input that the email firewall accepts and passes on to the DMZ mail server) don't compromise it.

Finally, additional layers of defense can be beneficial, such as an intrusion detection system and a separate DMZ Web mail server. (Because Web mail servers usually run complex Web applications, they often provide an avenue for an attack that can compromise internal systems.)
Dustin Puryear

GET MORE ONLINE Follow these links to access the resources mentioned in this month's Exchange Ideas. Exchange FAQs John Savill's FAQ for Windows, http://www.windowsitpro.com/windowsnt20002003faq Microsoft's Antigen products "What You Need to Know About Microsoft Antigen," InstantDoc ID 92861 SharePoint FAQs John Savill's FAQ for Windows, http://www.windowsitpro.com/windowsnt20002003faq Product Review: Sunbelt Messaging Ninja "Sunbelt Messaging Ninja," InstantDoc ID 93582 Developing an email-security strategy Excerpted from Spam Fighting and Email Security for the 21st Century (Windows IT Pro eBooks). Download this eBook for free at http://www.windowsitpro.com/ebooks.