IT

Office 365 Chat on The Register

Posted on by Adam Fowler

Hi,

I was invited by Trevor Pott @cakeis_not alie to be involved in an event on The Register to discuss Office 365. I’ve had a 1 year’s subscription thanks to Microsoft, so decided to accept. It was quite interesting to do, but also nice to see we all had similar ideas on the questions raised.

The feed of the live chat is available here:

http://www.theregister.co.uk/2013/06/18/office_365_livechat_promo/

Phoummala Schmitt @PhoummalaSchmit and Aaron Milne @wigginsix were also in on the chat. Hopefully more come up in the future!

 

How to set up Lync to Skype Federation

Posted on by Adam Fowler

Hi,

Microsoft Lync can now federate to Skype! This means that users can communicate between each system, which is awesome. This was launched 29th May 2013 as per this post http://blogs.skype.com/2013/05/29/skype-and-lync-connecting-the-living-room-to-the-board-room/#fbid=WXSmsIxTDGt

It’s a fairly easy process to request, assuming that you’ve already got standard federation up and running with edge servers. It doesn’t just magically work though, the Lync administrator needs to apply with Microsoft for the Skype to Lync federation to occur. I’d recommend starting with the “Provisioning Guide for Lync-Skype Connectivity: Lync Server 2013 and Lync Online” (which also works for Lync 2010) Microsoft have made available here: http://www.microsoft.com/en-sg/download/details.aspx?id=39071

This guide mentions that you need to go to https://pic.lync.com to sign up, which I did, but going through the process resulted in the error at the bottom of this post*. @ScottBreen on twitter directed me to send an email to [email protected] asking for Lync to Skype federation.

The information they require are your Enterprise Name, Agreement Number. Access Proxy, Domain, Public IM Networks,  and Main Contact (Name, Email Address, Phone #).

After sending this off, overnight they had quoted 3-5 days to make it happen, but had set it up in less than 6 hours. There was nothing else at my end, I was able to immediately add my own Skype contact to my Lync contact, and communicate between the two.

I then tested with @nickstugr but couldn’t add him (no errors, just appeared as ‘presence unknown’ and he didn’t receive any request). After getting him to add my Lync email address it worked, I set out to find out why (i.e. I googled it).

I found this KB article http://support.microsoft.com/kb/2566829 which matched exactly. He was using a non Hotmail/Outlook/MSN email address for his Microsoft account which Microsft call an EASI (email as sign in)domain, and annoyingly you can’t just add those via Lync. You can add them by using this format: skypeguy(customdomain.com)@hotmail.com which is rather confusing for an end user, so my recommendation is to get the Skype user to add the Lync user.

lync

After you’ve added a Skype user to Lync, you’ll see the little Skype logo next to their name in an active chat window. Skype users will see the word ‘Lync’ below the Lync contact’s name.

The last caveat is that you can’t add a pure skype user. Yes, this is a big one, the user at the Skype end needs to be signed in to Skype using their Microsoft account rather than their Skype account.

Apart from that, it does seem to work quite well. Functions such as pasting pictures into chat or video are currently not available, and the video part will be mid 2014,  according to Microsoft http://www.zdnet.com/microsoft-delivers-first-phase-of-lync-skype-integration-7000016045/

Good luck!
Continue reading

An Email Conversation Regarding Domain Names and Aliases

Posted on by Adam Fowler

Hi,

Just sharing some correspondence I had with a company that I signed up with to purchase some goods online. Details have been changed for privacy and a few extra lines in the emails deleted that were irrelevant.

From: Mr Website Owner <[email protected]>

Hello Mr Adam Fowler,

Recently you registered on our site using the email address of [email protected]

We are not sure why you have chosen our registered business name and web address as an email address.
We would hope that this is not for any misrepresentation. Therefore we request that you cancel this name registration immediately.

We would not like to have to report this to the authorities, ASIC or Planet Domain for a breach of any company laws or internet protocol related issues.

Thanking you in advance for your assistance.

Kind Regards,

Mr Website Owner

From: Adam Fowler <[email protected]>

Hi Mr Website Owner,

I’d recommend you have a chat with someone that knows I.T. to back up what I’m about to tell you, but this isn’t a name registration.
I own the domain mydomain.com and can have any email address @mydomainname.com, just like you can have anything @yourdomainname.com
That’s also why I’m replying from [email protected]
When I sign up for any service, I use a specialised email address solely for use with that business. Nobody sees this but you.
You can make up any word or phrase before @mydomainname.com and the email will get to me.
I also do not own any business, and do not have an ABN.

Threatening me with incorrect information, and being reported to the authorities isn’t the best way to deal with someone who’s planning to order XXXX from you.

Thanks

From: Mr Website Owner <[email protected]>

CC: Mr Website’s Lawyer

Thank you for your speedy reply.

It is unfortunate that your reply seems to contain a little more aggression that my email intended but that is the down side with the written word. Doesn’t contain emotion.

As you would be aware in owning a domain, which is just like any business, you need to protect it.

In today’s day and age, with Spammers, Hackers etc. doing enormous amounts of damage to all businesses, everyone needs to be vigilant.

We have competitors daily copying our business names (yes we have a few) registering and using names so close it’s confusing to our existing customers. Even down to having their office staff say they have the same name as our staff.

I accept your assurance that we are the only ones who will see this address, but I’m sure you would agree that it can be concerning to see initially.

I can assure you when I make a statement I have no intention of giving incorrect information.

When it comes to Misrepresentation I meant:

An assertion or manifestation by words or conduct that is not in accord with the facts.
Misrepresentation is a tort, or a civil wrong.

Many small businesses will have [email protected] as the email address for their business name of ‘My Big Pies’ because they don’t own a domain or have a web site. It’s any easy way to have a personalised email. Some of my friends have their business emails setup this way.

Just because you own a domain or even a printing press for that matter, doesn’t allow you to print a business card containing an email address of say [email protected] and be running an Electronics Service Business. The effect is confusion from Apple product owners who may think you work for or are an Authorised agent for Apple when this is not the case. I’m not here to lecture. I am asking in this case for some professional courtesy and refrain from using our business name just like any other business would.

If you are not happy with my explanation or request, please feel free to contact our Solicitor (I’m sure he is better with his words than I am):

<Lawyers Details Here>

If you choose not to purchase from us that is purely up to you. We can’t force you.  We do try to please every customer in the same way we fight to protect our business…with a passion.

Thanks again for your understanding and reply.

All the best,

Kind Regards,

Mr Website Owner

From: Adam Fowler <[email protected]>

CC: Mr Website’s Lawyer

Hi Mr Website Owner,
The reason for shortness on my last email is that I don’t like to be threatened, regardless if there is any emotion behind it.
To keep things short, are you confirming that you accept my explanation and that no action is required from myself? I have no interest in using your name for anything apart from an account I signed up to your website with, which now I would request that it be terminated and removed from any databases and mailouts.

Thanks

Mr Website Owner <[email protected]>

CC: Mr Website’s Lawyer

Thank you Adam,

Yes I accepted your explanation behind the creation of the email address. You must have quite a few if you deal with many businesses.

I will of course remove your account if you no longer require it.

Please accept my apology if I have caused any upset. It was not my intention. I am just very protective of my business as I’m sure you are with your domain.

Also I hope we haven’t sent you any unsolicited marketing emails in the past. We definitely don’t operate that way.

Consider it all closed.

Thanks again,

Kind Regards,

Mr Website Owner

From: Adam Fowler <[email protected]>

 

Thank you Mr Website Owner, I’ll consider the issue closed from my end too.

Anywhere I need to sign up for any service gets it’s own email address, you’d be suprised how many online companies seem to get hacked and their customer list starts to get spammed. There’s actually quite a few people who do the same, so you may see others sign up similar to how I did.

Not a problem either, I understand where you were coming from on it, which is why I took the time to explain.

Good luck with your ventures.

Thanks

That’s where it ended, apart from a week later I received a gift from the website owner of some of the products I was considering purchasing! Well done to him for turning the situation around in the end.

LinkedIn Security/Information Risks with Exchange

Posted on by Adam Fowler

Hi,

Today after logging on to LinkedIn, I was greeted with a new screen I found rather worrying. It is commonplace for services like LinkedIn and Facebook to scan through your address book, and ask for credentials to do so (which is rather concerning already), but a new option has popped up:

 

linkedin

 

This is asking for your work username and password. No 3rd party should be asking for corporate credentials like this, even more so a company that’s been hacked before http://www.pcworld.com/article/257045/6_5m_linkedin_passwords_posted_online_after_apparent_hack.html . I tried this with a test account, entering the username and temporary password. It then asked for further information, which was the address for the Outlook webmail link and then connected and started showing contacts.

LinkedIn on this page says “We’ll import your address book to suggest connections and help you manage your contacts. And we won’t store your password or email anyone without your permission.” which is a start, but it’s just such a bad practise to get into, and encouraging people to do this is irresponsible of LinkedIn in my opinion. On top of this, it’s providing an easy mechanism for staff to mass extract their contacts outside the company, which many companies frown upon or even have strict policies in place.

You can’t stop people from entering in these details of course, but you can block the connection from working at the Exchange end, as long as you have at least Exchange 2010 SP1.

There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block what’s listed.

Next, you need to add LinkedIn into the BlockList. This is done with the command “Set-OrganizationConfig -EwsBlockList LinkedInEWS

How do we know it’s the string “LinkedInEWS” to block? The IIS log files from Exchange will reveal this. After doing your test of trying LinkedIn (or any other Exchange Web Services connection) there will be a log entry. You can read this blog post from Microsoft for some great details http://blogs.technet.com/b/matabra/archive/2012/08/23/block-mobile-apps-that-use-exchange-web-services.aspx but the abbreviated version is to look at what’s connecting fir POST /EWS/Exchange.asmx, and you’ll see the username you used to test, then the named connection. Here’s an example (with domain, username and IP changed):

2013-06-02 10:37:48 192.1.1.135 POST /EWS/Exchange.asmx – 443 domain\testusername 192.168.1.1 LinkedInEWS+(ExchangeServicesClient/0.0.0.0) 200 0 0 296

After applying, I retested and it seemed to still connect, but couldn’t find any contacts. My guess is that it’s authenticating OK, but then refusing to do much else. If anyone else would like to test this and post the results, I’d be very happy to find out update this.

 

Funnily enough, after writing this I found that LinkedIn had posted a very short version of the above:

From: http://help.linkedin.com/app/answers/detail/a_id/5025

Disabling Contact Import Process – Corporate IT Managers Instructions

How do I disable the ability for employees at my company to import contacts from their work email account?

Last Reviewed: 10/10/2012

Report Answer Inaccuracies

If you’re a Corporate IT manager, you can disable an employee’s ability to import contacts from their work email accounts.

Use Set-OrganizationConfig cmdlet to:

  • Set the value of config parameter EwsApplicationAccessPolicy to EnforceBlockList.
  • Add value LinkedInEWS to config parameter EwsBlockList.

For more information on using Set-OrganizationConfig cmdlet, please refer to Microsoft’s Managing Access for EWS Managed API Applications.

 

Further reading is available here:

http://thoughtsofanidlemind.wordpress.com/2010/08/12/controlling-ews-access-in-exchange-2010-sp1/

http://security.stackexchange.com/questions/36560/how-do-i-block-linkedin-from-extracting-data-from-microsoft-exchange-server

 

Update:

Paul Cunningham has done a great writeup about this with some extra investigation and details, have a read: http://exchangeserverpro.com/blocking-linkedin-access-to-your-exchange-server-organization/

 

Update 2:

This story had now been picked up by The Register, have a read here: http://www.theregister.co.uk/2013/06/06/linkedin_snarfing_contacts_from_exchange/

 

Update 3:

Seems to be getting picked up all over the place, so I’ll just keep updating this point as I find other articles. There’s some good discussion and opinions on this out there, such as why is Exchange configured to allow everything by default?

http://securencrypt.com/blog/linkedin-has-major-privacy-issue/

http://webwereld.nl/beveiliging/78036-linkedin-slurpt-data-van-zakelijke-exchange-servers

Unable to Map Drives from Windows 8 and Server 2012

Posted on by Adam Fowler

Hi,

Came across this issue recently and thought it was worth sharing. From a Windows 8 machine, trying to map drives to either Windows Server 2003 or Windows Server 2008 and failing. It was just the generic ‘Windows cannot access *blah*” but the details had ‘System error 2148073478’. Some googling found this Microsoft Support article: http://support.microsoft.com/kb/2686098

First, this only talks about 3rd party SMB v2 file servers which is a bit strange, but applying this client fix fixed it on an individual basis:

  • Disable “Secure Negotiate” on the client. 
    You can do this using PowerShell on a Windows Server 2012 or Windows 8 client, using the command:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” RequireSecureNegotiate -Value 0 -Force
  • Note: If you get a long access denied error, try running Windows PowerShell as an Administrator.

Fixes it, but not ideal. A better solution may be to disable SMB signing on the particular server you’re connecting to. The next set of instructions are fromExinda: http://support.exinda.com/topic/how-to-disable-smb-signing-on-windows-servers-to-improve-smb-performance

To disable SMB signing on the Windows Server 2000 and 2003 perform the following:

  1. Start the Registry Editor (regedit.exe).
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
  3. From the Edit menu select New – DWORD value.
  4. Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
  5. You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature means if the client also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the client is not SMB signature enabled then communication will fail.
  6. Close the registry editor.
  7. Shut down and restart Windows NT.

In addition, default Domain Controller Security Policies may also force these values to “enabled” on Windows Servers. 

On Windows 2003 Servers, open Domain Controller Security Policy under Administritive Tools. Expand the Local Policies tree, then expand the Security Options tree and look for:Set both of these values to “Disabled”.

  • – Microsoft network server: Digitally sign communications (always)
  • – Microsoft network server: Digitally sign communications (if client agrees)

To disable SMB signing on the Windows Server 2008 and 2008 R2 perform the following: 

Changes need to be applied in the Group Policy management console. 
      Start –> Administrative Tools –> Group Policy Management 
Configure the Default Domain and Default Domain Controller Policies. The settings you are looking for are under: 
      Computer Configuration –> Policies –> Windows Settings –> Security Settings –> LocalPolicies –> Security

 Turning off SMB signing isn’t a best practise security thing to do, but if you need to get out of trouble and it’s only on your internal network then the risk of someone modifying SMB packets in transit is rather low, plus you’ll get a 15% boost due to losing the overhead of SMB signing. This is still a preferred option to just completely disabling it on the client, because at least the client can still do secure SMB to other servers.
Update: Trying this from Windows 8 PC to a Windows 7 PC had a similar issue, but the error code was 0x80004005. Another workaround is running the powershell command Set-SmbClientConfiguration -RequireSecuritySignature $true on the Windows 8 client. This may break other stuff again, if you try to connect to something that doesn’t have a Security Signature. Investigate this for yourself :)
All of the above should apply to Windows Server 2012 too.