Last Minute Items Before Cisco Live!

Things I’ve done this week to prep for Cisco Live:

  • Read up on each of the speakers that will be presenting for CEWN (Cisco Empowered Women’s Network). I looked for video clips on each of them. I’m such a visual learner so I will feel more of a connection when I see them speak at the CEWN event. Like this 2 min video on Kevin Bandy where he shares what he loves about working at Cisco or this TEDx Talks with Tania Katan.
  • Downloaded the Cisco Events app. You have done that already right? You’ll find great features like the ability to search for attendees, map your sessions, join in on the social contests, and take surveys.
  • Downloaded the MGM Resorts app so I can have a super smooth check-in and check-out experience while I’m staying at the Delano.
  • Check my emails for any special invites such as the one I received today for the West Heroes at CiscoLive 2017 Spark room connection!
  • Check Twitter and LinkedIn for anything that CLUS is tagged in. I was cruising through the posts the other day and found out that ExtraHop is having a VIP event.
  • Map out which vendors I’d like to visit at the World of Solutions. 
  • Check the News Flash page on the Cisco live website for any new updates. 
  • Study for my exam (you know the exam voucher comes free with your fall conference pass right?). 
  • Pick out my outfit for the Bruno Mars concert. What what!

Women in Technology

picture of woman coding

Somehow, in my adventures through the land of technology, I haven’t let it get under my skin that computer technology is still a male-dominated field (which I think is loosely defined as having 25% or less women). According to this great infographic published by the National Center for Women & Information Technology (NCWIT), women make up 26% of the computing workforce. I’m not sure if it’s luck, good karma, or my outlook on life as a whole that’s made it an enjoyable field to work in. I can’t lie. Yes, I’ve been addressed as “sir” or as part of “gentlemen” in an email salutation. Yes, I’ve gotten blank stares from men who are introduced to me as a Systems Administrator. And of course I’ve seen some of the sexism that radiates from some men I’ve met throughout my career, but I feel like a portion of those men would behave that way no matter where they work or who they work for. That being said, I do believe that the culture developed in a company has a great influence on how the women employed there are treated. I work for a healthcare company. Nursing is a highly female-dominated field, so we have a high percentage of women who work here. Maybe that’s why the culture where I work is such that women are respected on a level equal to men. And to top that off, I live in a part of the US that promotes equality. I feel blessed to be here. So maybe because of that it should be my duty to promote women in technology.

Coincidentally as I’m writing this, I received a newsletter from Tech Republic titled The top 8 companies for women in tech, as ranked by female employees. After reading this article (and many other articles I stumbled on while writing this blog post) I am reminded that people are talking about the subject of women in technology. That alone is a catalyst for change.

So then I wondered what type of resources are available to women in my town today. I attended college over 10 years ago so I’m sure things have changed. A quick search on the Internet resulted in few findings. Maybe it’s time that I get involved. Last year I sat on a panel of information technology professionals at Olympic College to help answer real-world questions that students might have. I’m not sure how impressed the students were with the panel, but it felt great being able to express a little bit of my passion for technology and share some lessons learned. Our local community college (which is where I graduated from) recently had a Women in STEM Careers panel discussion. I’m a little bummed that they didn’t reach out to me considering I was on a similar panel last year. But as I read through the description it seemed it was more geared towards sciences and mathematics. There was a Women in STEM Town Hall in 2015 as well. I think I will reach out to OC and find out if they’re interested in more of a Computer Sciences panel for women. If I remember correctly, all of the people who organized the panel that I was on last year were women!

A couple of Seattle-based Women in IT organizations:

  • Microsoft DigiGirlz Camp
  • Seattle Girls in Tech

This year when I go to Cisco Live, I’ll be attending the Cisco Empowered Women’s Network event. I got a taste of it when I attended CLUS 2015. I wasn’t able to attend the event that year, but they had a session the next day titled Reinvigorate Your Career. It was great! Topics included office politics, salary negotiation, networking for the introverted and taking charge of your development. I remember leaving the session thinking, “Wow, I can do this. I can reinvigorate my career!” That session is actually what encouraged me to finally start my technical blog. I had been thinking about it for a year or so and that was what gave me the extra motivation that I needed.

I was explaining to a colleague of mine (she works in clinical informatics) that I was going to a women’s mini conference at Cisco Live. She said that when she attended Greenway’s ENGAGE conference they had a session geared towards women. She said it was good and about an hour long. I mentioned that CEWN has a 4 hour event, so I deem it a mini conference. I started thinking to myself… How many women’s tech conferences are there out there? So I jumped on Google, typed in the keywords “women’s technology conference”, and perused the results. I was pleasantly surprised. Conferences range from super casual to uber formal to downright quirky.

Some of the blogs I ran across that touched on the same subject:

  • Women In Technology Conferences: The Ultimate Event Directory
  • Top 7 Must-Attend Conferences for Women in Technology

So I’m hoping that after attending the Cisco Empowered Women’s Network this year I leave even more pumped than ever! BUT… I don’t take my male peers for granted. Sometimes I feel like I have the advantage because I’m a “minority” in the field. However, I work my butt off! So I don’t take myself for granted either!

My takeaway from this is that there are areas of the USA that are lacking in motivation for women in technology and there are areas that are promoting and cheering them on. But no matter where you live, it’s all about how you truly feel about yourself, how you present yourself and how you treat those around you (even if they don’t treat you as you wish they would). Brains are only half the battle in many industries. You can be a master at a technology, but if you don’t have the guts to prove it or the people skills to collaborate with and educate those you work with, then you may not get anywhere.

What are your experiences as a woman in IT, or as a man who works with (or has observed) women in IT? What do you think most influences the change of culture in this area?

What Superhero Are You?

This year Cisco Live has conjured up a new theme: IT Superheroes. When I attended Cisco Live in 2015 I thought it would be fun to participate in their social media gatherings, contests, etc. I found it helped to keep me and other attendees pumped up and allowed us to network with peers that we may not have had the guts to walk over and talk to. It probably also helped to keep the Cisco employees pumped about being there too. I can only imagine that going to the same conference year after year might get a little stale. But Cisco really knows how to shake things up. Whether it’s with a 40GB throughput super server, a wicked Spark board or bringing big acts like Aerosmith, Maroon 5, and Bruno Mars to its customers, Cisco delivers.

And this year, they remind us that we are superheroes!

To quote Cisco Live… “As vital as oxygen; as indispensable as nourishment—you’re the ones who hold IT all together; who keep IT running; the ones who will transform IT into a future that will truly amaze.”

Will you be attending? Have you taken the superhero quiz?

I did. I’m an IgnITor. Defined as an “innovator, the superhero who inspires collaboration with everyone and everything, ultimately bringing amazing solutions to light where once there was nothing.” So now I’m pumped! I’m ready to go. Cisco Live! here I come!

Click here to find out what superhero you are. Haven’t registered to attend? Why not? Need help convincing your boss? Here’s a template to help you out.

image

So You’re Blocking Facebook at Work…

Holy Facebook Batman!

(to add to the list of Robin’s famous outbursts).

You may have heard or read that Facebook will soon have a FREE standard version of their new product called Workplace. Or maybe you’ve never even heard of Workplace. Here’s an intro video if you’re unfamiliar with it. And you can sign up for your Workplace at https://workplace.fb.com.

But what if you’re blocking Facebook for your company? My company is. It was a request from management and approved by the executive board when Facebook’s popularity really started ramping up. Employees were abusing time on the clock with their social habits. So what about Workplace by Facebook? Should we proactively block this, or do you think we should embrace it if people start using it?

Facebook states that “security is their top priority” and they’re backing that up with detailed SOC 2 and SOC 3 reports with regular third-party auditing. But do you want your employees to go rogue and start a Workplace without your knowledge? Will you be blocking Workplace? Or will you embrace your employees’ appetite for a socialized collaboration utility?

A Showdown with Ransomware

In my career I’ve had encounters with ransomware a few times. A few months ago we were attacked again. And rather than just recover from the effects, I decided to do some more investigation as to how the virus got into our network. The strain we were faced with this time was the ODIN Locky ransomware.

First we were notified by one of our end users that several folders on our shared drive had missing files that were replaced with strange-looking files with the .odin extension. I was not familiar with the ODIN extension, but as soon as I saw the files I knew exactly what they were. Ransomware.

image

You may notice the first file listed is an html file. This is the ransom note. Typically it would also be displayed on the user’s desktop wallpaper, but since this is on a network drive we were unsure which user had triggered the virus. The HOWDO_ HTML ransom note looks like this:

image

By investigating the security permissions on the folders and files, you should be able to figure out which end user triggered the virus. However, in our case, there was a security group with access that had a large member base, so it would take forever to track down who caused it.

I did a little research on the ODIN extension and found some great articles.

Information on the Ransomware variants that caused this:

Steps Taken to recover:

  • Deleted all affected folders/files
  • If you have identified the computer that spawned the ransomware, then it’d be a good idea to wipe it because there’s a good chance that some of the OS files have been corrupted.
  • Restored from backup
  • Performed a Full antivirus scan on the storage server

In our case we received a help desk call a day later from an end user who couldn’t access some of her files. I remoted into her PC and found she was referring to her local My Documents folder. They were all encrypted by the Locky virus. I ran a search of the C: drive to see where else the virus had touched. The ODIN file extension was in several directories: My Documents, ProgramData, etc. I noticed the time stamp on the files was one minute prior to the infected files on our storage server, so her workstation is very likely the root of the ransomware infection.
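As an added example (not the post’s own script), the triage described above as a PowerShell helper: it collects the .odin files and HOWDO_ ransom notes on a share with their NTFS owner and write time, then ranks owners by their earliest write so the workstation to isolate is the top row. The share path, account names, file names and timestamps in the sample are constructed.

```powershell
# Added example, not the post's own script: ransomware triage on a file share.
# Run from an account that can read the share and its ACLs.

function Get-RansomwareArtifacts {
    # Collect every encrypted file and ransom note under $Path with its NTFS owner
    # and last write time. Owner and timestamp are what the post used to trace the
    # infection back to one workstation. Note that files written by a member of the
    # file server's local Administrators group show BUILTIN\Administrators as owner.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extensions  = @('.odin'),   # extension this Locky variant appends
        [string]   $NotePattern = '*HOWDO_*'    # ransom note file name pattern
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension -or $_.Name -like $NotePattern } |
        ForEach-Object {
            $owner = 'unknown'
            try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
            [pscustomobject]@{
                FullName      = $_.FullName
                Owner         = $owner
                LastWriteTime = $_.LastWriteTime
                IsRansomNote  = ($_.Name -like $NotePattern)
            }
        }
}

function Get-LikelyOrigin {
    # Group the encrypted files by owner and report each owner's earliest write.
    # The first row is the account, and therefore the workstation, to isolate first;
    # its local files should carry timestamps just before the earliest share write.
    param([Parameter(Mandatory)] [object[]] $Artifacts)
    $Artifacts |
        Where-Object { -not $_.IsRansomNote } |
        Group-Object -Property Owner |
        ForEach-Object {
            $first = $_.Group | Sort-Object LastWriteTime | Select-Object -First 1
            [pscustomobject]@{
                Owner      = $_.Name
                FileCount  = $_.Count
                FirstWrite = $first.LastWriteTime
                FirstFile  = $first.FullName
            }
        } |
        Sort-Object FirstWrite
}

# Constructed sample (server, accounts, names and times are made up) standing in for
# what Get-RansomwareArtifacts returns on a real share.
$sample = @(
    [pscustomobject]@{ FullName = '\\fs01\shared\Finance\Q3-budget.odin';  Owner = 'CORP\asmith'; LastWriteTime = [datetime]'2016-10-04 09:18:40'; IsRansomNote = $false }
    [pscustomobject]@{ FullName = '\\fs01\shared\Finance\HOWDO_text.html'; Owner = 'CORP\asmith'; LastWriteTime = [datetime]'2016-10-04 09:18:41'; IsRansomNote = $true  }
    [pscustomobject]@{ FullName = '\\fs01\shared\HR\handbook.odin';        Owner = 'CORP\asmith'; LastWriteTime = [datetime]'2016-10-04 09:17:02'; IsRansomNote = $false }
    [pscustomobject]@{ FullName = '\\fs01\shared\IT\inventory.odin';       Owner = 'CORP\bjones'; LastWriteTime = [datetime]'2016-10-04 09:20:15'; IsRansomNote = $false }
)
Get-LikelyOrigin -Artifacts $sample | Format-Table -AutoSize

# Against the real share:
# Get-LikelyOrigin -Artifacts (Get-RansomwareArtifacts -Path '\\fs01\shared') | Format-Table -AutoSize
```

The ransom notes are excluded from the ranking on purpose: the note is dropped once per folder, while the encrypted copies carry the timeline.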

I found this in the registry. I didn’t get a screenshot of the command key value but I looked at it and it was calling Word.exe.

image

I then decided to see how it got into our network. I searched our IPS for events with her computer’s IP address during the time frame of the infection. And lo and behold, I found it. There was a botnet event that had been allowed, from the URL logwudorlghdou.info/apache_handler.php

Google searches on the URL logwudorlghdou.info came up with nothing. However, a Google search on apache_handler.php returned top results that were blogs talking about ODIN Locky ransomware. Here’s an example.

If this was a “High Risk” reputation with URL Category “Bot Nets”, then why was it allowed? We found we had several URL categories blocked, but Bot Nets was not on the list. So we added Bot Nets, and another one that looked like a good idea to block, named Keyloggers and Monitoring.

I ran a search on our email archiver and spam firewall. The only questionable message I saw sent to our end users was one with an xls attachment. The from address is dionne.simcoe.195@sunshinecash.com.au, so I googled sunshinecash.com.au and found it is some website with various other sites carrying the same company name (i.e. a Facebook page), but I was scared to click on it. So then I ran a search for emails sent from that domain. Nothing. So then I ran another search of emails to anyone but with that subject line. Bam! We received several with the same subject pattern. The emails all contain xls attachments but are from completely different domains. I also looked at the body of the email and all of them have the same body: “Sent with Genius Scan for iOS”.

Moral of the story? Education is so important. Train your end users NOT to click on links in emails they don’t recognize! And add as many layers of security as you can: antivirus, antispam, antimalware, intrusion prevention, firewall, DNS protection, and the list goes on.

Migrating Exchange 2007 to 2013–Phase 2

This second phase of my Exchange Migration includes the actual installation of Exchange, configuring our Spam Firewall, Message Archiver, Load balancer and testing. I did this all last fall but just now got around to blogging. Bah! Who has time to blog? But blogs to me are soooooo important to the existence of my IT knowledge so I take this opportunity to pay it forward.

Resources:

  1. Verified we don’t have an existing SPF record by using the Microsoft Sender ID Framework SPF Record Wizard. image
  2. Added my AD account to the Enterprise Admins and Schema Admins groups temporarily for the Exchange installation. Will remove at the end of the project.
  3. Installed prerequisites on new server
    • Media Foundation service
    • Unified Communications Managed API 4.0
  4. Started Microsoft Exchange 2013 installation wizard to complete remaining prerequisites. Rebooted. Ran Microsoft Updates and installed 9 new updates. Rebooted.
  5. Started installation. It warned that no Exchange 2010 servers were found in the environment so once it preps AD and extends the schema, we will not be able to install a 2010 server.
  6. Setup completed in about 30 minutes.
  7. To access the new Exchange Control Panel browse to https://<servername>/ecp/?exchclientver=15
  8. You can now see that both servers are listed in the Servers tab. image
  9. Generated a CSR from the new server to upload to DigiCert. image
  10. Used it to add the new domains to the DigiCert certificate, so now the following exist:
    • mail.mydomain.com
    • activesync.mydomain.com
    • owa.mydomain.com
  11. Uploaded the cert to the Exchange server. Exported it and saved it in a safe location.
  12. Added the Exchange server to Basic > Services with a new VIP that we selected. Used the Microsoft Exchange Server 2013 Deployment document for the Barracuda Load Balancer to aid us in creating an HTTP-to-HTTPS redirect, because the way we had our old Exchange server redirecting OWA access to HTTPS is not secure and not supported in Exchange 2013. We will be adding the redirect on the Load Balancer because it has this capability. We ended up having to create two new services. image
  13. Added DNS entry for mail.mydomain.com
  14. Renamed the default database from “Mailbox Database GUID” to Admin.
  15. Moved the Admin database to its new location on the M: and L: drives by running this command (the EDB path must name the .edb file itself):
    • Move-DatabasePath -Identity Admin -EdbFilePath "M:\ExchangeFiles\Databases\Admin.edb" -LogFolderPath "L:\ExchangeFiles\Logs\Admin"
  16. Created new databases to migrate mailboxes to. We decided to keep the existing three databases and just prepend the db names with Exch13_ .
  17. Migrated a test mailbox from 2007 to 2013. Successfully sent and received mail from the mailbox after migration, both internally and externally.
  18. Created two new Receive connectors:
    1. Internal Relay – this is for relaying messages from devices (i.e. printers) to our internal mail recipients. It has the following security settings: image
    2. Internet Receive – this is for receiving mail from the Barracuda Spam Firewall which was received from the outside. It has the IP address of the spam firewall on the Scoping tab and the following security settings: image
  19. Ran this script to change the activesync virtual directory:
  20. I added activesync.mydomain.com to our internal DNS and pointed it to the internal VIP.
  21. Then added the activesync and mail addresses to our public DNS records:
  22. Also added a new SPF record using the TXT option in our public DNS records. We used this wizard to help us generate a string. 
  23. Message Archiver connection:
    • In Mail Sources > SMTP/IM we added the IP address of the new Exchange server to Trusted SMTP servers.
    • On the new server I ran the following commands to create a remote domain for the archiver. First, create the remote domain:

        New-RemoteDomain -DomainName bma.int -Name "Message Archiver Domain"

      Next, disable TNEF encoding on it and enable auto-forwarding:

        Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} | Set-RemoteDomain -TNEFEnabled $false -AutoForwardEnabled $true

      Then verify the settings:

        Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} | Format-Table Name, DomainName, TNEFEnabled, AutoForwardEnabled

    • In the Exchange Control Panel under Servers > Databases, in the properties for each database, on the Maintenance tab I added the journaling account “BMA Journaling”.
    • Created an account in AD to be used as a service account to give the Barracuda access to the mailboxes.
    • Ran the following command to give the new account access to every mailbox database:

        Get-MailboxDatabase | Add-ADPermission -User <service account name> -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

    • Back on the Message Archiver, on the Mail Sources > Exchange Integration tab I clicked Start New Action, selected Folder Sync, and created a new server connection with the new service account to run nightly. I did the same for Non-Email Sync.
  24. Ran the ActiveSync test from this website https://testconnectivity.microsoft.com/
  25. Attempted to install the Barracuda Antivirus for Exchange agent version 7.1.7.0. I downloaded the Exchange 2013 agent from Advanced > Exchange Antivirus. However, when I install it I get this error. I tried twice and got the same error. I verified the Microsoft Exchange Transport service was running before starting the install. I can see that during the install the installer stops the service; it seems to have trouble restarting it after the install is finished.
    • image

  26. Contacted Barracuda support. They hadn’t seen this before but found Microsoft KB2938053 for me, which addresses the issue. And here’s another article explaining it. I ran the PowerShell script and installed the antivirus agent successfully after that. Wahoo! We now see both servers under antivirus: image
  27. Created new services on the Load Balancer under Basic > Services to allow communication to mail.mydomain.com on port 587. image
  28. Attempted to migrate my own mailbox over. It failed with the error “Active Directory property ‘homeMDB’ is not writeable…” image
  29. Apparently this is common on accounts that were at one point Domain Admins. Checked the inherit permissions option in my AD account under Security > Advanced and started the migration again. One problem I see with the EAC is that the migration status just shows “syncing” and not what percentage it’s at, so I ran the Get-MoveRequestStatistics cmdlet instead. image
  30. Migration completed successfully, and since I had my Outlook open at the time, I tried to send a new message and got this pop-up (actually it was hiding; I had to find it on my task image
  31. Configured the limits on the databases. The defaults were preventing me from migrating any mailboxes that were already over size.
  32. Migrating Managed Folder Policies… apparently managed folder policies don’t exist in Exchange 2013. So I had to use this article to aid me in migrating. Basically I created new Retention Policy Tags, then created a new Retention Policy and applied it to the databases.
    • Old server settings:
    • image
      • Ran the following scripts to create the Retention Policy Tags:

          New-RetentionPolicyTag CompanyName-Calendar -Type Calendar -RetentionEnabled $true -AgeLimitForRetention 1095 -RetentionAction PermanentlyDelete

          New-RetentionPolicyTag CompanyName-DeletedItems -Type DeletedItems -RetentionEnabled $true -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

          New-RetentionPolicyTag CompanyName-EntireMailbox -Type All -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete

      • Created a new Retention Policy and assigned the new tags:
      • image
  33. Modified authentication for OWA under Servers > Virtual Directories. Changed from “Use forms-based authentication” with “Domain\username” to “Use forms-based authentication” with “User name only”.
  34. Performed an iisreset.
  35. We’re getting this error when trying to access public folders from Outlook clients if the user has a mailbox on the new server. image
  36. In order to resolve this we made the following changes:
    • On the old 2007 server we changed the authentication from Basic to NTLM. image
    • On the new 2013 server we changed the authentication from Negotiate to NTLM. We should change it back to Negotiate once we remove the 2007 server from our environment though. Old settings in the first screenshot and new ones in the second. image
    • image
    • It was resolved after I rebooted the 2007 server over the weekend.
  37. We also added the new server to the Barracuda Outbound send connector. image
  38. We also added the IP address of the new server to the Trusted IPs under Basic > Outbound on the Barracuda Spam Firewall.
  39. The C: drive on the new Exchange server was already getting pretty full. So to prevent future problems, I shut down the VM, increased the C: volume from 60 GB to 120 GB, turned the VM back on and extended the disk in Windows Disk Management.
  40. Upgraded to Exchange 2013 CU9 and rebooted for good measure.
  41. Imported Transport Rules – I was alerted by a user that their scanned in email was going to their junk folder. I remember this happened quite a bit a long time ago and I created a Hub Transport Rule to avoid this. This made me wonder if transport rules were being used on the mailboxes migrated to new server. I tested this by sending an email to my external personal account. I noticed our “external notation” disclosure on the footer of the email was missing. So I knew for sure that transport rules aren’t being used. Rather than recreate them all on the new server, I performed the steps found in Microsoft KB 2846555 to import them.
  42. On the 2007 server, I ran the following PowerShell command:

    Export-TransportRuleCollection -FileName c:\ExportedRules.xml

    On the 2013 server, I copied the exported file over and ran the following PowerShell commands:

    [Byte[]]$Data = Get-Content -Path "C:\ExportedRules.xml" -Encoding Byte -ReadCount 0
    Import-TransportRuleCollection -FileData $Data

  43. We later found that even though I imported the transport rules, our annotation wasn’t being added to the outbound emails. Our consultant helped me out and found that the Remote Domain named “Default” had the “IsInternal” property set to “True”. He ran this command and now it shows False. We tested and the annotation is being appended now. Yay!

    Set-RemoteDomain -Identity Default -IsInternal $false
  44. Final Stuff:
    • Removed the old 2007 server from the send connector named Barracuda Outbound.
    • Our consultant noticed there was an error in the event log that indicated an authentication issue (forgot to document the event entry). He added Authenticated Users in ADSI Edit to the Client Proxy and the errors went away. image
    • I realized I hadn’t migrated the resource mailboxes to the new server. So I tried to move them via the Exchange Admin Center.

        I kept getting this when I tried to select a Resource mailbox in Exchange 2013. I just want to migrate these to the new server. So I tried running it from the Management Shell instead and it worked. Used this:

        New-MoveRequest -Identity "ResourceMailboxName" -TargetDatabase "Exch13_General" -BadItemLimit 10

        image

    • Under Server Configuration > Mailbox, we right-clicked each of the OLD databases and removed the old 2007 server name. Then right-clicked each OLD storage group and removed them. There’s only one remaining and that is public folders. Once we are ready to remove all, we can remove the storage group for it.
      • We set the Offline Address Book to the new one through the ECP under Servers > Databases. Edited each database, under Client Settings we set the Offline address book to “Default Offline Address Book (Ex2013)”.
      • We then went to Exchange 2007 EMC under Organization Configuration > Mailbox > Offline Address Book, right-clicked the “Default Offline Address book” and deleted it.


      Remaining Steps to decommission the old server:

      • Delete all of the public folder data. Then go into ADSI Edit and delete Public Folder SG found under Configuration > Services > Microsoft Exchange > <DomainName> > Administrative Groups > Exchange Administrative Group > Servers > <Exchange2007servername> > InformationStore.
      • Get rid of dependencies on Send Connectors
      • Get rid of dependencies on Receive Connectors
      • Change DNS records (internal and external) for OWA.
      • Uninstall Exchange 2007 using Add/Remove Programs on old server.

DONE!!

Well… pretty much. The remainder of the adventure included getting all the applications utilizing SMTP to point to the new server.
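As an added example (not part of the post), a PowerShell check that re-reads the settings the steps above changed and flags anything that has drifted, run from the Exchange Management Shell on the 2013 server. The bma.int remote domain, the CompanyName-* tag names and age limits, the Exch13_ database prefix and the “(Ex2013)” OAB name are taken from the post; that EnhancedTimeSpan exposes TotalDays like TimeSpan is an assumption.

```powershell
# Added example, not the post's own script. Run in the Exchange Management Shell.
$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string] $Name, [bool] $Pass, [string] $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Step 23: the archiver remote domain must have TNEF off and auto-forward on.
$bma = Get-RemoteDomain | Where-Object { $_.DomainName -eq 'bma.int' }
Add-Check 'Archiver remote domain bma.int exists' ($null -ne $bma) "Name=$($bma.Name)"
if ($bma) {
    Add-Check 'bma.int TNEFEnabled = False'       ($bma.TNEFEnabled -eq $false)       "TNEFEnabled=$($bma.TNEFEnabled)"
    Add-Check 'bma.int AutoForwardEnabled = True' ($bma.AutoForwardEnabled -eq $true) "AutoForwardEnabled=$($bma.AutoForwardEnabled)"
}

# Step 43: with IsInternal true on Default, outbound mail is treated as internal
# and the external-annotation transport rule never fires.
$default = Get-RemoteDomain -Identity Default
Add-Check 'Default remote domain IsInternal = False' ($default.IsInternal -eq $false) "IsInternal=$($default.IsInternal)"

# Step 32: retention tags with the age limits (days) from the post.
$expectedTags = @{ 'CompanyName-Calendar' = 1095; 'CompanyName-DeletedItems' = 30; 'CompanyName-EntireMailbox' = 365 }
foreach ($tagName in $expectedTags.Keys) {
    $tag  = Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue
    $days = -1
    # AgeLimitForRetention is an EnhancedTimeSpan; TotalDays is assumed to mirror TimeSpan.
    if ($tag) { $days = [int]$tag.AgeLimitForRetention.TotalDays }
    Add-Check "Retention tag $tagName keeps $($expectedTags[$tagName]) days" ($days -eq $expectedTags[$tagName]) "found $days days, action=$($tag.RetentionAction)"
}

# Step 44: every Exch13_ database should point at the 2013 OAB.
foreach ($db in (Get-MailboxDatabase | Where-Object { $_.Name -like 'Exch13_*' })) {
    $oab = "$($db.OfflineAddressBook)"
    Add-Check "Database $($db.Name) uses the Ex2013 OAB" ($oab -like '*Ex2013*') "OfflineAddressBook=$oab"
}

# Steps 28-30: nothing should still be syncing.
$moves = @(Get-MoveRequest | Where-Object { $_.Status -ne 'Completed' })
Add-Check 'No move requests still in progress' ($moves.Count -eq 0) ('Pending: ' + (($moves | ForEach-Object { $_.DisplayName }) -join ', '))

# Steps 41-42: the imported transport rules should be present and enabled.
$rules    = @(Get-TransportRule)
$disabled = @($rules | Where-Object { $_.State -ne 'Enabled' }).Count
Add-Check 'Transport rules imported and enabled' ($rules.Count -gt 0 -and $disabled -eq 0) "count=$($rules.Count), disabled=$disabled"

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
```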


Exchange 2013 Log Files

Okay, so I’ve been totally slacking on my posts. Especially regarding Exchange 2013. I haven’t even written my “Migration Part 2” post. I’ll try to get that done soon. In the meantime…

Running a new Exchange 2013 server? Are you finding that your C: drive is filling up and it’s not apparent what the cause is? Me too! For years I’ve been using this handy dandy tool called WinDirStat that helps me find what files are consuming drive space on my servers. I’ve been using WinDirStat on our Exchange 2013 server for three months because I knew space was creeping up to 80% consumed, so I wanted to see what was causing this. At the beginning of my search I found that C:\Program Files\Microsoft\Exchange Server\V15\Logging was pretty large and seemed to be growing. After some light reading I learned that it should plateau, and it did at just over 20GB and has been steady for the last two months. But my C: drive keeps filling and WinDirStat isn’t reporting any new large amounts of data. Hmmm… interesting.

I decided to look at WinDirStat and see if there’s some setting for viewing hidden files or some other setting that might reveal the culprit. I noticed there’s an option to view “Unknown” files. So I selected this option. Voila! There it is! 37GB of <Unknown> data. Well, what the heck is that? So I did some searching and found this article on the WinDirStat blog. And after reading it, I got to thinking… have I ever tried running the program as Administrator (you know, right-click > Run as Administrator)? No, I don’t think I have. Why not? I don’t know. I’m in the habit of running setup files as admin, but I guess it’s not every day that I run application EXEs as admin. So, I try it… double voila!

Mystery solved. What are the unknown files that are consuming the C: drive? Yup, you guessed it (or maybe you didn’t): C:\inetpub\logs\LogFiles. Geez. I feel like a doofus. I should have guessed this because I have other servers on which I occasionally run scripts to clean up this old data. But I wasn’t sure if there were any precautions I needed to take prior to purging, so I found this article titled Exchange 2013 Logging: Clear out the log files. I manually deleted all but the current month’s log files and will create a script to clean up on a regular basis.
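As an added example (not the post’s own script), the two halves of what this post ends up needing: a size report for the two log trees named above, so growth can be watched without remembering to run WinDirStat elevated, and a retention-based IIS log cleanup with a dry-run switch for the scheduled task. The paths are the ones from the post; the 30-day retention is an assumed default.

```powershell
# Added example, not the post's own script. Run elevated on the Exchange 2013 server.

function Get-ExchangeLogFootprint {
    # Report file count and size for each log tree the post tracked down.
    param(
        [string[]] $Paths = @(
            'C:\Program Files\Microsoft\Exchange Server\V15\Logging',
            'C:\inetpub\logs\LogFiles'
        )
    )
    foreach ($p in $Paths) {
        $files = @(Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Path = $p; Files = $files.Count; GB = [math]::Round($bytes / 1GB, 2) }
    }
}

function Remove-OldIisLogs {
    # Delete W3C log files older than $RetentionDays under $LogRoot.
    # -WhatIf lists what would go without touching anything; the current day's log
    # is never older than the cutoff, so IIS's open handle on it is not an issue.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $LogRoot       = 'C:\inetpub\logs\LogFiles',
        [int]    $RetentionDays = 30          # assumed default; adjust to your policy
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $old = @(Get-ChildItem -Path $LogRoot -Recurse -File -Filter '*.log' -ErrorAction Stop |
             Where-Object { $_.LastWriteTime -lt $cutoff })
    $bytes = ($old | Measure-Object -Property Length -Sum).Sum
    foreach ($f in $old) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove log file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    # Summary object so a scheduled task can log what each run removed.
    [pscustomobject]@{
        LogRoot = $LogRoot
        Cutoff  = $cutoff
        Files   = $old.Count
        MBFreed = [math]::Round($bytes / 1MB, 1)
    }
}

Get-ExchangeLogFootprint | Format-Table -AutoSize
Remove-OldIisLogs -RetentionDays 30 -WhatIf    # preview; drop -WhatIf in the scheduled task
```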