Saturday, December 24, 2011

Recommended Exchange Deployments are Multi-role Now

At the last free "Tech Ed style" event in NYC held at the Microsoft Offices, we had Ross Smith IV present on

Exchange 2010 High Availability/Database Availability Groups. If you don't know Ross, he's a VERY senior Microsoft employee who wrote the Exchange Storage and Server Role Calculator. He knows Exchange, period. End of story. So, when he said that everyone should deploy Exchange 2010 in a multi-role configuration to improve performance and not break apart the roles, you need to take his recommendation seriously. This was the 1st time I had heard this. I had a long conversation with him about this in NYC, and he explained that for performance and the ability for leveraging failover capacity it is better to keep all the roles together. In theory, you could deploy less. Since if you were going to deploy 2 CAS and 2 Mailbox, you could in theory just deploy 3 consolidated roles. Well, Microsoft TechNet finally released some guidance on this. That only took 6 months. Don't forget to use a hardware/VM load balancer when deploy your multi-role Exchange Servers.


TechNet article title: Understanding Multiple Server Role Configurations in Capacity Planning
http://technet.microsoft.com/en-us/library/dd298121.aspx

-Ben

Hackers & Malware - Dangers Everywhere - Not Just Scare Tactics

Hackers and malware were busy this week at clients of REEF Solutions.

Good news first, we identified a serious denial of service vulnerability during a network infrastructure review for a financial firm. So bad, a simple command would reboot a core network device. That was a highlight of the review. And this was not even a security audit, I am sure it'll be only worse.

Bad news now
  • A client's system was infected with TDSS, one of the nasty [known] malware products  (think encryption, p2p command and control, http/https tunneling, malware competition removal, and MBR infection). Malware vendors even offer a Firefox plug-in to allow paying customers to surf via infected machines to provide anonymous cover. To summarize, TDSS is extremely dangerous. More technical details here. As of now, the only tool that can remove it or most of it is Kaspersky. Ideally, we should have wiped the system, but the client would not permit this.
  • A hacker attacked via RDP and compromised a system. We detected the compromise and took immediate action to isolate and remediate the attack. If we had not caught it faster, this could have been a serious issue. The key is to have an Intrusion Detection System in place, even if it's just a firewall based solution. You need to be aware of what is happening on your network. I recommend additional policies such as resetting all administrator passwords, not permitting  "administrator" usernames, requiring 15+ characters passwords, email alerting w/3rd party logging tool on administrator level logins, and layered security products (firewall based scanning, servers based, proxy based, DNS scanning, etc).

Sadly, malware and attackers are not sitting idly by. There are some real threats out there. Stay safe...

-Ben