Outlook Spy 2.15 is Outlook 2010-compatible

Didn't notice earlier— one of my favorite Outlook/Exchange tools is now compatible with Outlook 2010. Outlook Spy is primarily a tool for Outlook/Exchange developers, but Exchange administrators also find it useful. It allows you to look under the hood of mailboxes and messages. Created by Dmitry Streblechenko, an Outlook MVP, Outlook Spy has been on my list of "must have Exchange tools" for as long as I can remember. Released in November 2009, the latest version of Outlook Spy (v2.15) adds Outlook 2010 compatibility.

You can download Outlook Spy 2.15 from Dmitry's web site. Registration for a single user license is $49.99. It's been worth every penny and more for me.

I also like the free MFCMapi tool on Codeplex - Microsoft's open source community site where you'll find a lot of useful tools and apps along with the source code. MFCMapi is a compact executable (760-873K) and doesn't require installation. It was created by Microsoft's Stephen Griffin. It's available in both 32-bit and 64-bit versions.

How did it feel to beat Google?

Every time I pass the Microsoft Silicon Valley campus in Mountain View, I'm amused and amazed that a Microsoft campus is in close proximity to Yahoo, Google, and other Silicon Valley bellwethers. The talent here is amazing!

If you haven't done so already, check out BingTweets, which fuses Bing's search results and real-time content from Twitter.

The San Jose Mercury News carried an interesting story over the weekend about how Bing's Silicon Valley-based team beat search engine giant Google to real-time search. Interestingly, Microsoft engineers Chad Carson and Eric Scheel, and their boss Sean Suchter— formerly VP of Search at Yahoo, planned it all aboard Alaska Airlines Flight 321 enroute to Seattle. The new search team at the Silicon Valley campus includes heavyweights like database expert and former IBMer Ashok K. Chandra— "a professorial presence who sounds like a poet when he compares creating computer algorithms to the view from the summit of Mount Whitney", and Shubha Nabar, a "newly-minted" Ph. D. from Stanford.

Excerpt:

By the time Flight 321 was over Oregon, the group in Row 6 had evolved from a technology klatch to a cabal of plotters who scrawled a schematic tangle of boxes on a sheet of paper to map out something no big Internet search engine had yet achieved. The three members of Microsoft's new Silicon Valley search team would try to make their company's Bing a window into America's stream of consciousness, serving up the chatter on Twitter and blog posts, with the latest updates on everything from celebrity gossip to breaking news.

Another interesting factoid many here in Silicon Valley may relate to— the plan didn't involve a PowerPoint.

The afternoon of the Seattle flight, Suchter stood before his boss in Redmond, Harry Shum, and pulled the dog-eared sheet of paper from his back pocket. This, Suchter told Shum, handing him the marked-up page, is what the team wants to do.

"I know I've got to get worried when you're giving me your plans drawn on a piece of paper and not in PowerPoint," Shum said. But he approved the effort.

When asked how it felt to beat Google, Suchter responds:

That was fun— retroactively. We didn't know we were going to catch them. We kind of though we would, but who knew?

More in Microsoft's Challenge: 90 days to beat Google on mercurynews.com.

More Browsers, More Browser Woes

In an increasingly web-centric world where cloud services are supposed to replace all our desktop apps, the web browser has become an important tool. Although new browsers have been introduced and old ones mature, the browser experience continues to degrade, alarmingly so!

Browsers, including the "smaller", "faster", "nimbler" ones, increasingly consume large amounts of system resources. I'm alarmed by the memory consumption record of FireFox (and although I haven't done any strictly comparative tests, it seems IE 8 is more well-behaved in this respect). More importantly, browser crashes are up to annoying levels, and again - I see these happening with FireFox more often than IE or Chrome.

InfoWorld's J. Peter Buzzese beat me to this post, and he echoes my thoughts very closely on the subject. So, rather than repeat what he's already written, let me simply point to his latest— Enough! What to do about browser piggishness.

Gmail discovers benefits of SSL, defaults to HTTPS

Google seems to have discovered the benefits of using SSL to encrypt HTTP traffic. In a blog post on the Gmail blog, Engineering Director Sam Schillace explains that Google has finally started valuing security over latency, and enabled HTTPS by default.

Gmail has always been using SSL to encrypt the authentication credentials sent from the login page. However, past the login page and accessing messages, all communication has been in the clear. Users have been accessing their messages over an unencrypted session. Users could choose to use SSL for the entire session, but since encryption would make Gmail slower, Gmail did not use it by default.

The latest change means the entire session will be encrypted by default.

If you haven't enabled SSL for the entire session before, you may see more latency when accessing Gmail. Encrypting data requires more resources. As Schillace comments in the post:

Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.

To Gmail's credit, it's the only free web email provider that appears to be offering the use of SSL for the entire session. Microsoft's Live Mail and Yahoo Mail offer SSL-encrypted login pages, but there's no option to use SSL for the entire session. It's about time they follow suit.

Connected, as never before

I spent last week thinking about couple of blog posts I wanted to finish, but it seems this year the holiday spirit took over a little sooner than it normally does (for me). It's been a busy year with Exchange 2010, and now that it's released and getting rave reviews, it's time to take a break.

Seth Godin has put together What Matters Now - a collection of thoughts strung together in an ebook that's available as a free download on his blog. I found parts of the book echoed my thoughts closely as 2009 makes an exit. Interesting passage from Howard Mann:

Connected

There are tens of thousands of businesses making many millions a year in profits and still haven't ever heard of twitter, blogs, or facebook. Are they all wrong? Have they missed out or is the joke on us? They do business through personal relationships, by delivering great customer service and it's working for them. They're more successful than most of those businesses who spend hours pontificating about how others lose out by missing social media and the latest wave. And yet they're doing business. Great business. Not writing about it. Doing it.

I'm continually amazed by the number of people on Twitter and blogs , and the growth of people (and brands) on facebook. But I'm also amazed by how so many of us are spending our time. The echo chamber we're building is getting larger and louder.

More megaphones don't equal a better dialogue. We've become slaves to our mobile devices and the glow of our screens. It used to be much more simple and, somewhere, simple turned into slow.

We walk the streets with our heads down staring into 3-inch screens while the world whisks by doing the same. And yet we're convinced we are more connected to each other than ever before. Multi-tasking has become a badge of honor. I want to know why.

I don't have all the answers to these questions but I find myself thinking about them more and more. In between tweets, blog posts and facebook updates.

Howard Mann is a speaker, entrepreneur, and the author of Your Business Brickyard.

What Matters Now is completely worth reading, and the above passage makes one think about the changes 2009 brought and accelerated. The number of Facebook users is higher than the U.S. population. YouTube has served more than a billion videos. And an ever-increasing mass of mankind is forever tied to 3-inch screens. Blogging, tweeting, and Facebooking.

For the first time in a long while my holiday reading list doesn't include anything about Exchange Server or security or technology in general.

Microsoft and Research in Motion announce full BES support for Exchange 2010

Microsoft and Research in Motion have just announced full BlackBerry Enterprise Server (BES) support for Exchange 2010 - the earliest customers have been able to deploy BlackBerry smartphones with a new Exchange release— ever.

You'll need the just-released Update Rollup 1 for Exchange 2010, Exchange Server MAPI Client v6.5.8147, and BlackBerry Enterprise Server 5.01 Maintenance Release 1 (MR1).

More from Paul Bowden in BlackBerry Enterprise Server fully supported on Exchange 2010 on the Exchange team blog.

cc:Betty: A cool web app you may want to block

If you haven't looked at Palo Alto-based cc:Betty yet, perhaps you should. cc:Betty promises to keep everyone on the same page. Still in beta, it's a useful web app that helps users organize their email communication, collects email content, catalogs attachments and files, and also maintains your contacts.

It's also amazingly simple to use. Besides adding content on the cc:Betty web site, users can simply add betty@ccbetty.com as an additional recipient (To/Cc/Bcc) to email they send, and it shows up in their cc:Betty account - email content, attachments, et al. With the click of a button, users can publish the discussion to their Facebook feed.


Figure 1:With the click of a button, cc:Betty posts your discussion to your Facebook profile

And therein lies the threat to your data!

Although it's an impressive tool for personal use (the usual caveats about personal information and privacy apply), organizations and IT departments must consider the consequences carefully. Many small businesses and organizations operating in unregulated industries or locales may not consider themselves to be at risk and actually welcome such services.

If your organization isn't one of them, consider that simply adding another recipient to all email messages results in data leakage. How's this any different from adding any other recipient to an email? Unlike other recipients, the sole purpose of cc:Betty is to facilitate further sharing of email content outside an organization. Email can contain sensitive information— including high business impact (HBI) data or personally identifiable information (PII). Transmitting and storing such information outside the organization, with no control over the content or its security, could expose your organization to multiple risks.

Content scanning and privacy
It's important to consider what services such as cc:Betty do with your information. cc:Betty's privacy policy is not very different from Gmail's privacy policy— email content is scanned to display relevant ads. Some would argue that similar content scanning is also performed by antispam and antivirus software and services, and that this isn't something to be concerned about.

Regardless of whether you find content scanning by an automated process acceptable or not, the bigger threat is data leakage.

If usage of cc:Betty and other such services is in violation of your organization's policies, your users must be informed. If your organization's policies don't address such services and usage, perhaps it's time to consider a policy review. You may also want to consider blocking outbound mail to domains offering such services.You can easily block outbound mail to a domain using transport rules or a Send Connector. Exchange 2010's Information Rights Management (IRM) features can also help you prevent data leakage.

What can cc:Betty do to help organizations?
How can cc:Betty help organizations protect themselves from unauthorized use of its service? As a web-based service its success lies in widespread adoption of its app. More users, more user content accumulated, more sticky the service proves to be, and more pageviews it racks up. As such, there's no incentive to actually stop users from joining or posting information. In fact, it may directly impact its success.

However, cc:Betty and other such services may gain a lot of goodwill and more acceptance if they work with organizations to help prevent data leakage. One way of doing this may be to block email from organizations that register with it. When a user signs up for an account using your organization's email address, he/she gets a polite message about your company not allowing use of the service. Email sent from your domain can also be bounced back with a polite NDR.

Some organizations may choose to allow their users to use the service, but with appropriate policy guidelines and controls in place. [Update: According to cc:Betty, an enterprise version of the service is in the works.]

Does your organization allow the use of cc:Betty.com or similar services?

Cloned machines and duplicate SIDs

It's been over 4 years since I wrote about the duplicate SID issue in SID error on cloned Virtual Server / VPC / VMWare OSes. I recommended using the NewSID utility from Sysinternals to fix the cloned machine.

Hyper-V wasn't around back then, and looking back it seems incredible that many of us survived without it (or your virtualization platform of choice).

Since then, I've only used sysprepped images, and the increasing reliance on virtual machines has translated into a time-saving and efficient method of creating cloned VMs at short notice. Using a sysprepped base image and differencing drives makes life incredibly simple, and even if you don't using differencing drive it works quite well. I highly recommend making at least one more copy of the base image and making the file read-only.

As far as the NewSID utility goes, Mark Russinovich recently posted about retiring it. More in The Machine SID Duplicate Myth.

Prevx Apologizes: So-Called Windows 'Black Screen' not caused by Windows Update

Interestingly, after reporting last Friday 'Black Screen woes could affect millions on Windows 7, Vista and XP', and causing a furor amongst IT pros, users and the media, Prevx apologized for claiming a patch applied by Windows Update was the cause of the so-called 'Black Screen of Death'.

In last week's post, Prevx stated:

If you Google Black Screen then you will find a whopping 80 Million plus results, mostly dominated by people searching for a fix to this problem. Thousands of users have resorted to reloading Windows as a last ditch effort to fix the problem, avoid that at all cost. We hope we can help a good many of you avoid the need to reload.

Clicking on the link provided in Prevx's blog post, and the search results are nowhere close to the "whopping 80 Million plus results" Prevx claimed in its blog post. In fact, the number is inflated by almost 100%, and there's a good chance it's not 40 million users facing the issue, or even 20, 10, or 1 million.



On Monday (11/30), Microsoft said it is investigating the issue. A Microsoft representative also said:

Based on our investigation so far we can say that we're not seeing this as an issue from our support organization. The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

On Tuesday (12/1), Microsoft's Security Response Communications lead Chris Budd said in a statement:

The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports.

Microsoft also said it had not been contacted by Prevx before going public with the issue. More in Microsoft: November security updates are fine on News.com.

Prevx backtracked in a follow-up post yesterday (12/1):

Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.

Prevx apologized for the faux pax. However, its original post and the follow-up apology says nothing about informing Microsoft about a potential issue caused by a patch.

Tempting as it is to rush to blog and tweet about a critical bug or security issue one may have discovered, the responsible behavior is to contact the vendor, report the issue and request or even demand an investigation and a fix. As a customer you have every right to do so, and depending on the severity and impact of an issue, expect a fix within a reasonable time frame. If the vendor does not investigate or provide any explanation, go public.

This is not to say that the "black screen" issue many users may have been facing isn't real, but it's no excuse for insufficient testing, irresponsible reporting, and inflating the impact (quite dramatically in this case).

Office 2010 Beta: Outlook 2010 Shines

Now that Office 2010 Beta is officially available for download to TechNet and MSDN subscribers, here's a quick shout out to the Outlook team for what's shaping up to be an excellent, super-impressive, fabulous new release of Microsoft Outlook!

I've always preferred web-based apps, including Outlook Web Access (OWA) in the past, and Outlook Web App (still OWA!) in Exchange 2010. Like most IT pros, I use many different computers during the course of a day - laptops, desktops, servers, virtual machines, and RDP sessions. OWA is a natural fit for this type of usage.

But Outlook 2010 has won me over for its user experience, features, and user experience (in that order). Web-based e-mail apps/providers, with the exception of OWA 2010 of course, do not provide a comparable experience, and although a lot of emailing is now done on "Exchange ActiveSync-capable" mobile devices, if you have to use email on a real computer, there's no better way to email than Outlook 2010.

Want to check out how cool Outlook 2010 is? There's a video for that. Play it full screen to clearly see Outlook 2010 quick demos.

Bulk mailbox creation: Import passwords from a file

Automating bulk mailbox creation required fairly advanced scripting skills in Exchange 2003/2000. Thanks to the Exchange Management Shell (aka "the shell") in Exchange 2010 and 2007, this task is greatly simplified. It doesn't require any advanced scripting skills and it can be accomplished by relative newcomers to Exchange Server with very little knowledge of the shell.

Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell shows you how to create bulk mailboxes using user data imported from a CSV file. A related post— Bulk mailbox creation revisited: Adding Active Directory attributes shows you how additional Active Directory attributes not included in the New-Mailbox/Set-Mailbox cmdlets can be populated.

When creating mailboxes using the New-Mailbox cmdlet, Exchange Shell requires the password to be of type System.Security.SecureString, derived from the SecureString class in the dot net framework. In the example in Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell, we use the same password for all accounts. We also prompt the admin to enter that password using the Read-Host cmdlet, as shown below:

$Password=Read-Host "Enter Password" -AsSecureString

When the admin running the command or script enters the password, powershell masks the password by displaying a * for each character entered.

One frequently asked question when discussing bulk mailbox creation is: how do I import passwords from a text file? Of course, saving passwords in a text file isn't very secure, but there may be cases where you need to do this temporarily— particularly when you want to create mailboxes/user accounts in bulk and don't want to assign the same password to all accounts. When doing so, it's recommend to set the account to change password on next logon. There may also be other scenarios where you need to import passwords from a text file, so I'll leave the security aspect of this up to you.

The first step to importing passwords from the text file is to add it as an additional column or field in the file. For example:

Alias,Name,UPN,Password
User_One,User One,userone@yourUPNsuffix.com,P@ssw0rd1
User_Two,User Two,usertwo@yourUPNsuffix.com,P@ssw0rd2
User_Three,User Three,userthree@yourUPNsuffix.com,P@ssw0rd3

If you try to use the same command as shown in the previous post, and simply add the parameter -password and the value $_.password in the code block, it'll fail.

Import-CSV CreateRecipients.csv | foreach {new-mailbox -alias $_.alias -name $_.name -userPrincipalName $_.UPN -database "Mailbox Database" -org Users -Password $_.password}
Cannot process argument transformation on parameter 'Password'. Cannot convert the "P@ssw0rd1" value of type "System.String" to type "System.Security.SecureString".
+ CategoryInfo : InvalidData: (:) [New-Mailbox], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,New-Mailbox

Converting a string to a SecureString
To use the password field imported from the CSV file, you must first convert it to a SecureString. You can convert a string to a SecureString using the ConvertTo-SecureString cmdlet. When using the ConvertTo-SecureString cmdlet, you must specify that the source string is provided as cleartext by using the AsPlainText switch (not to be confused with the plaintext message format). The cmdlet also requires that you specify the Force switch to confirm you really want to do this— yes, you've just provided your consent to convert a plaintext string to a SecureString!

The modified command looks something like this:

Import-CSV CreateRecipients.csv | foreach {New-Mailbox -Alias $_.alias -Name $_.name -UserPrincipalName $_.UPN -Database "Mailbox Database" -Org Users -Password (ConvertTo-SecureString $_.password -AsPlainText -Force)}

To enforce a password change on next logon, add the ResetPasswordOnNextLogon parameter to the command:

Import-CSV CreateRecipients.csv | foreach {New-Mailbox -Alias $_.alias -Name $_.name -UserPrincipalName $_.UPN -Database "Mailbox Database" -Org Users -Password (ConvertTo-SecureString $_.password -AsPlainText -Force) -ResetPasswordOnNextLogon $true}