Archive by Author

Solving “Big Problems” in Security by Building a Service Model

Remediating strategic security concerns can be very difficult, particularly in large organizations with diverse and rapidly evolving product lines. While security is critically important for every part of an organization, individual security risks are not necessarily the most urgent problem to solve for all teams at the same time.

That means our ability to effect widespread change on a reasonable (to us) timetable can be a real struggle. Oftentimes, security teams will fail because they tried to solve all of the world’s problems at once.

At first brush, it makes sense to go after the problem everywhere it exists, considering economies of scale and all. Unfortunately, that doesn’t translate so well when attempting to push work on teams with competing priorities. “Fix this now” is not really an effective motivator. There is another way, though, that works particularly well for the “BIG” problems: developing a service model that teams can take advantage of on a timetable that works well for them.

Metrics Develop Interest

If you can’t measure it, you can’t sell it. Regardless of whether your “big problem” is log management, threat management, or identity access management, you can measure it specifically for every team in your organization. Some may be successful, others may struggle, but if you start measuring it regularly and effectively you can demonstrate a problem that can be solved.

Capabilities Solve Problems

Tools are not solutions (no matter how much your vendors may insist otherwise). Solutions are principally capabilities an organization must develop to evolve. Other teams in your organization have no idea what any particular tool does for them, and they have no reason to retain that information if you explain it to them.

Instead, develop a story around the capabilities you want to deliver as a service that addresses the specific problem your organization has. Remember your metrics? Those are now riding shotgun on the road to risk remediation. Keep them handy and keep them coming, month after month. Trending data is a beautiful thing!

Service Models Are Tangible

A service needs to be a tangible thing. Would you buy a service from Amazon, Google, or Microsoft if they couldn’t demonstrate it to you? Neither would the others in your organization you are trying to sell to. You must be able to clearly show how the capabilities you are proposing will not only directly affect the metrics you are delivering (i.e. reduce risk), but also show how they will improve the management of that team’s solution. Good security practices often result in big operational wins.

Operationalization is key. There should be a clear path (in the form of a process flow) from service request to service fulfillment. You should also be able to demonstrate how the management of the service will be maintained over time.

That also means clearly understanding the financials. Gaining executive approval to deliver a service in this way is largely dependent on demonstrating a firm understanding of what it will cost to establish the service and maintain the service, as well as a pricing model to calculate how much it will cost to onboard typical use cases. You can demonstrate a positive cost/benefit ratio by highlighting the operational benefits.

…and keep it simple! Your target audience needs to know what you are doing for them, not how you are doing it for them. Keep it high level.

Market the Solution

At this point, you have trending metrics creating market demand and a very consumable solution with a clear cost model. The marketing is practically done for you, but there is still real work to be done. The most effective thing you can do is begin to socialize the solution across the organization in a very positive way and ensure your new capabilities are already on roadmaps around the organization.

Developing a service model like this moves Information Security from being a source of unwelcome work to a solution provider that can demonstrate real, tangible value to the organization in a very consumable way.

Best of all, taking a measured approach such as this generally leads to teams taking a fresh look at what caused this “big problem” with their solution in the first place. Typically, this will result in the streamlining of accounts, systems, or processes in order to reduce the cost of on-boarding the capabilities you are offering.

This is a BIG security win, a BIG operational win, and a BIG financial win!

Was this interesting or helpful? Like, Comment, or Share and I’ll write more.

The Fatal Flaw of the Apple Pencil

I’m not an artist.

I’m a highly mobile business user. I use my iPad Pro several hours a day, and absolutely love Apple’s Smart Keyboard that goes along with it. It’s the primary way I interface with my tablet. Coupled with Office 365 and a handful of apps, I can pretty much do anything I need to do.

I also bought the $99 Apple Pencil because I’m a sucker for good marketing… and it is very handy to use. It’s especially useful with apps like PDF Expert so that I can mark up documents to provide feedback to my team. I only need to use the Pencil a couple of times a week though at most, and therein lies the problem.

When Apple created the Pencil, they designed it so it was always ready at a moment’s notice. I suspect if you’re an artist that uses it frequently throughout the day that’s a great thing. To facilitate that capability though, the Pencil holds an active Bluetooth connection open to the iPad, slowly draining the battery.

Since I carry it around in my backpack with my iPad, it holds that connection open and is generally dead when I grab it. It takes less than a minute to get a very usable charge (kudos to Apple for that), but it interrupts my workflow so much that I’ve gotten in the habit of not using it.

The only way to prevent that from happening is by either unpairing the Pencil or turning off Bluetooth. Both actions sever the connection and put the Pencil to sleep. Neither of those is a solution though; they’re workarounds, and I don’t believe in workarounds.

A better solution would be to design the Pencil so that a simple quarter twist of the cap would turn it on. That would be a very simple action that would put the user back in charge (pardon the pun) of their device, giving them the freedom to use it however they see fit. Artists could leave it on all day, and casual users like me could turn it on at will.

I know Apple’s not a fan of anything that adds even a hint of complexity, but sometimes it’s important to account for multiple use cases.

Closing Open Doors by Bringing Vulnerabilities to Resolution – Six Essential Questions

New vulnerabilities are discovered every day, and they are an intruder’s best friend. It’s a bit like a burglar finding the door unlocked and wide open; he’s going to have a really easy day at work and you’ll be wondering for a long time why you left it open.

Therefore, it is absolutely critical to resolve them as soon as possible before they are exploited.

A vulnerability report can be a bit daunting though, especially for a complex solution which relies on many different technologies. Over the years, I’ve found that asking these six questions can help bring even the most obscure vulnerability to resolution.

Question #1: Can I remove/upgrade the vulnerable software?
Many times we find a solution is installed with supporting software components that may no longer be required. If this is the case, the easiest way to resolve the vulnerability is to completely remove that component. Best of all, once removed, you no longer have to worry about new vulnerabilities presenting themselves in the future for this piece of software.

There are also times that version upgrades may be available for these software components. Upgrading those components to the latest version not only resolves the vulnerability, but also ensures you are working with the latest and fully supported version of that software.

Question #2: Would a configuration change resolve this vulnerability?
Some vulnerabilities cannot be patched, and can only be corrected with a configuration change to the system.

A good example of this is SSL 3.0, an encryption standard used by many web services that has recently been found to be insecure. Changing the configuration of the web service to use TLS 1.2 not only resolves the vulnerability, but also brings the solution into compliance with PCI and other security standards.
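The configuration change described above can be checked mechanically. The following is an added example, not code from the original post: a Python audit that reads the nginx `ssl_protocols` or Apache `SSLProtocol` directive and lists every protocol older than TLS 1.2 that is still enabled. The sample configs are constructed, and two assumptions are made here: anything below TLS 1.2 is flagged, and Apache's `all` is treated as including SSLv3.

```python
import re

# Protocol names as they are written in nginx and Apache TLS directives.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: the post's target is TLS 1.2, so TLS 1.2 and newer are acceptable.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}
# Assumption: what Apache's "all" expands to depends on the OpenSSL build,
# so it is treated conservatively as everything from SSLv3 upward.
APACHE_ALL = set(KNOWN[1:])
CANON = {p.lower(): p for p in KNOWN}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;]+);?\s*$",
                       re.IGNORECASE)


def nginx_enabled(tokens):
    """nginx: the directive lists exactly the protocols that are enabled."""
    return {CANON[t.lower()] for t in tokens if t.lower() in CANON}


def apache_enabled(tokens):
    """Apache: tokens apply left to right; '+' adds, '-' removes, and a bare
    name is modelled here as replacing whatever was set before it."""
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        if name == "all":
            group = set(APACHE_ALL)
        elif name in CANON:
            group = {CANON[name]}
        else:
            group = set()  # unknown token: ignored
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled


def audit(config_text):
    """Return one record per TLS protocol directive found in the config."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, including commented-out directives
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, tokens = match.group(1), match.group(2).split()
        if directive.lower() == "ssl_protocols":
            enabled = nginx_enabled(tokens)
        else:
            enabled = apache_enabled(tokens)
        findings.append({
            "line": lineno,
            "directive": directive,
            "enabled": [p for p in KNOWN if p in enabled],
            "weak": [p for p in KNOWN if p in enabled and p not in ACCEPTABLE],
        })
    return findings


def is_compliant(config_text):
    """True only if a directive is present and none of them enables a weak protocol."""
    findings = audit(config_text)
    return bool(findings) and all(not f["weak"] for f in findings)


# Constructed sample configs: the weak setting beside the corrected one.
NGINX_BEFORE = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # constructed legacy setting
}
"""
NGINX_AFTER = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""
APACHE_BEFORE = "SSLProtocol all -SSLv2\n"
APACHE_AFTER = "SSLProtocol -all +TLSv1.2\n"

if __name__ == "__main__":
    samples = [("nginx before", NGINX_BEFORE), ("nginx after", NGINX_AFTER),
               ("apache before", APACHE_BEFORE), ("apache after", APACHE_AFTER)]
    for label, cfg in samples:
        for f in audit(cfg):
            status = "WEAK: " + ", ".join(f["weak"]) if f["weak"] else "ok"
            print(f"{label}: line {f['line']} {f['directive']} -> {status}")
```

A config with no protocol directive at all is reported as non-compliant, because the effective protocols then depend on the server's defaults and need a manual check.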

Question #3: Can a security patch be applied?
If the affected software is still supported by the developer, a security patch may be required. If this is the case, submit a request to have the patch installed after testing it thoroughly with your solution.

Question #4: Is the supporting data accurate?
Vulnerability scanners are not perfect, and false positives are a real possibility. Fortunately, the vulnerability report will contain supporting data that was used to determine the presence of a vulnerability. If you suspect a false positive, perform a manual inspection to check the results the vulnerability scanner provided. If you confirm that it is indeed a false positive, submit evidence to your vulnerability management team to have the finding removed from the report.

Question #5: Can the vulnerability be mitigated?
If the software is current, and the developer does not have an expected release date for a security patch, an alternative method may be required to bring this vulnerability to resolution. This may involve firewall rules to restrict access, or the disablement of non-essential services that would be required for an attacker to take advantage of the vulnerability. Once mitigated, submit evidence of the mitigation to your vulnerability management team to have the finding removed from the report.

Question #6: Is an exception warranted?
There are rare circumstances where a vulnerability must be accepted. It may be a business process that relies on an end-of-life solution, or the vendor is unable/unwilling to supply a security patch. Whatever the case, when a vulnerability must be accepted it is essential to raise awareness through your vulnerability governance processes. The appropriate security teams can then work to determine what other defenses could be leveraged to limit exposure. This may involve segmenting the solution from the rest of the network or increasing the visibility of anomalous activity on the solution.

Buy The Book: “How to Hire A-Players” by Eric Herrenkohl

Recruiting IT professionals has never been more challenging. The demand for solid performers is increasing while the skill set becomes more difficult for an individual to acquire, leading to a serious deficit of available talent.

As managers, we are judged largely on the success of our team, which means hiring and leading exceptional individuals. In an industry as fast paced as IT though, taking the right approach and ensuring we bring in the right individual, not just an available individual, is essential.

Last week I received approval to add an additional four resources to my team. I quickly finished up the job descriptions for our outstanding recruiting team, and sent them off to my manager for review.

Over the weekend, I needed to spend a significant amount of time at dance practice for my daughter. Since I knew I would be waiting around in the wings for a while, I grabbed “How to Hire A-Players” off the bookshelf and read it as I waited on my over-achieving daughter.

I finished it up this morning, and promptly sat down at my computer and deleted all four job descriptions I had written, determined to spend my Sunday getting them right. Any book that can motivate you to do that is worth reading… probably more than once.

“How to Hire A-Players” isn’t focused on the IT industry at all; in fact, Eric spends much of the book examining hiring strategies for sales professionals & executives. However, that doesn’t mean it isn’t relatable to IT. I found the majority of the book insightful and very relevant.

This 200 page book can be broken down into four sections:

  1. Establish what an A-Player is for your business
  2. Building an effective job description
  3. How to find an A-Player
  4. How to recruit an A-Player

For me, new recruits are not just people I’m hiring for a job, but ideally motivated professionals I’m bringing in to further their careers.

Reading through Eric’s book (which is actually a really good companion to “Good to Great” by Jim Collins), he places significant emphasis on efforts before you ever begin interviewing. I think that’s the real key to the genius of his book. It forces you to take a hard look at what your team really needs to succeed, take the time to develop a job description around that, and spend some quality time preparing to interview candidates. By the time you get to an actual interview, you should have already whittled down the candidate list to a select group of individuals. With a well-planned & organized interviewing strategy, you can quickly find the A-Players that will contribute and provide immeasurable value to your team’s success.

“How to Hire A-Players” is available from most book sellers (it’s an Amazon bestseller), and his website (www.HowToHireAPlayers.com) is worth checking out as well.

Internet Security @ Home: How to Protect Your Kids Online

Protecting our children is one of the most important things we are charged with as a parent, and for thousands of years parents have used their own experiences growing up in order to know what to protect their own kids from. It only took three summers of burnt fingertips in the 80’s for me to learn that, when it comes to my own children, they probably shouldn’t try to throw a lit firecracker.

Fast forward to the new millennium, and parents are faced with an interesting challenge. Our children are growing up with an amazing array of technology and communication options way beyond anything we ever had available to us. For instance, Nintendo’s “Duck Hunt” wasn’t a very good reference point for me to know how to protect my kids on Facebook.

Nevertheless, it’s our job to protect our kids, and as an IT professional with a strong background in securing Microsoft-based systems, I thought I would provide some tips and tricks to make your household a little bit safer.

Tip 1: Have a Household “Acceptable Use Policy”

OK, don’t call it an acceptable use policy, but that’s really what it is and you really, really want to keep it short, simple, and to the point. If you think your boss has a short attention span, your kids’ will be even shorter. So, next to every computer in the household post a one page set of rules for using the computer. Also, don’t forget to laminate it, kids tend to spill stuff (at least in my house).

Here are some items from mine:

  1. Use of this computer is a privilege, not a right
  2. When asked to leave the computer, you have 15 seconds to do so
  3. All activities on this computer are monitored*
  4. Computer time is limited to ## minutes per day
  5. If a stranger contacts you anywhere online (Facebook, Instant Messenger, or email)… tell mom or dad right away
  6. If you see anything inappropriate… tell mom or dad right away
  7. If anyone, even one of your friends, upsets you…. tell mom or dad right away

I put the * at the end of #3 because, although there is software to do so, it’s actually pretty impractical to actively monitor everything your child does online… if you’re going to do that, you might as well just sit there with them. However, your child doesn’t need to know that. 😉

Tip 2: Understand the Threats

When thinking about threats, we tend to focus on the ones that make the news…. Viruses and predators. While those are certainly threats to take very seriously, it is far more likely that your child will be the target of cyber bullying at some point. Cyber bullying can occur over Facebook, Twitter, IM, Text, Phone, Skype or even in a game like Minecraft.

Understand where and how your child communicates with people he or she knows, and make sure you have a process in place to routinely check on that communication. Also, and I can’t emphasize this enough, talk to your children about bullying…. Cyber or otherwise. They need to know help is available if they are a target and they need to know it’s unacceptable to target anyone else.

Tip 3: Children Should Have Their Own PC

I realize this isn’t practical for everyone, but this is one of the best pieces of advice I have heard recently. While parents certainly aren’t infallible, kids are going to do a lot of dumb things on their computer. So keeping their Internet activities limited to a separate computer from the one you use for online banking and shopping might be a really good idea.

Ideally, this computer should be located in a public space, but again I’m sure that’s not practical for everyone. If the computer must be located in their bedroom at home, insist that if the computer is powered on (even if they are not using it), their door stays open.

Additionally, if you have multiple kids using a computer, give each kid a user account of their own with their own password (make sure you know the password… snooping is the right of any parent).

Also, more than anything else, make sure the kids are not an administrator on their computer or any other computer. Just give them a standard account and keep the administrative password for yourself.

Tip 4: Use OpenDNS.com

I cannot recommend OpenDNS.com enough for home users. It is a completely free product for home use, and will protect your computer from numerous threats on the Internet simply by ensuring your computer won’t be able to find the address of nefarious sites by filtering them out.

Their web site, OpenDNS.com, has very good instructions for the novice home user to enable their service. You will have to fill out a sign up form, but the service is completely free and highly recommended. It’s the easiest thing you can do to actively block a lot of threats against your children.

Tip 5: Charge Cell Phones/iPods Somewhere Public

Remember that the computer is not the only device you need to be concerned about in your house. Cell phones, iPods and Nintendo DS’s can be just as much of a threat to your child’s wellbeing and your sanity. By charging those devices in either the kitchen or other public location, you ensure it’s going to stay somewhere you have access to it for several hours a day. It also prevents your child from being distracted by those devices when they should be sleeping.

Tip 6: Don’t Rely on Filtering Software

Products like NetNanny are great, but they are no replacement for parental monitoring. At best, products like NetNanny protect your kids from accidentally (ok, maybe on purpose) visiting inappropriate web sites. Unfortunately though, there are a lot of sites that your children will want to visit that aren’t going to be blocked by NetNanny, but may still have inappropriate content. Sites like YouTube (which host an amazing array of videos horribly irritating to anyone over 16) contain lots of content targeted at kids, and their rating system is hardly reliable.

The point is, a product like NetNanny can be helpful, but it can’t block content on a SmartPhone, XBOX, or iPod, and it can’t block inappropriate content being sent to your child by friends through Facebook, IM or text. It’s good for younger kids, but older kids will find a way around it.

Tip 7: Beware Grandma’s PC

Your kids are really, really smart. If you place all of these restrictions on them, they are going to start to look for ways around them to do whatever it is they want to do. While you may not be able to prevent them from doing so 100% of the time, you can minimize the damage where they are most of the time.

My mom has her PC in her office in the basement, and she is all too happy to let the grandkids go down there and play on it (it keeps them quiet). It’s down a flight of stairs and behind three doors. My kids can hear her coming a mile away and know they can get away with anything at Grandma’s anyway.

So, my advice, sit down with the grandparents and try and put in some control measures at their house as well. Or, at least restrict your little one’s use of the computer while visiting the grandparents.

Tip 8: Use Security Software

Trend Micro, Symantec and McAfee all make great commercial products to protect your Home PC from different types of malware such as viruses and worms. Most of those products will cost between $50-100 annually though, which may not fit in everyone’s budget. However, some banks provide the software at a sharp discount, and I’ve also seen really good deals on Amazon as well.

Microsoft has an excellent product called Microsoft Security Essentials. It is free for XP, Vista and Windows 7 and works surprisingly well. It can be downloaded for free from Microsoft.com/Security. It’s not nearly as good as the paid options, but it’s certainly better than nothing.

Tip 9: Educate Yourself

The very best thing you can do is educate yourself on the threats that exist and the methods available to you to mitigate them. Microsoft & Symantec both have free products to help you protect & monitor your children online as well.

Microsoft Safety & Security Center

Facebook Family Safety Center 

Symantec Online Family

Finally…

Make sure your children understand that what they say or post online will likely never go away. Even if they delete something, there are all kinds of archival sites on the web that may still keep a copy or one of their friends may “Share” or “Retweet” what they said or posted.

Colleges and employers are getting more and more aggressive in their searches of social media while screening applicants and they are not always straightforward about it. Ever “like” a business or your school? That action alone gives those schools and businesses visibility into your profile.

Ever “friend” someone you didn’t quite remember meeting? Maybe not, but I’m sure your teenager with 900+ “friends” and applying to college wouldn’t think twice about it… though it could actually be the college or business they are applying to.

So, the rule of thumb in our house is to never say, do, or post anything online you wouldn’t want Grandma to see.

How to Explain Virtual Desktop Infrastructure (VDI) to Management, Executives, Etc

I recently had a need to explain what exactly VDI is to a group of executives without getting technical, which is pretty difficult because VDI has a lot of technical complexities. The explanation below did a pretty good job of not only giving a good idea of “what” it is, but “why” we need it.

To understand exactly what Virtual Desktop Infrastructure (VDI) is, we first need to take a look at why we need VDI.

Back in the 80’s and 90’s, work was a place we all went to everyday. We had a desk in a cubicle, and on that desk we had a big beige box with an even bigger beige monitor… maybe even a mouse with wheels!

Pen and paper dominated meeting rooms, and “working at home” meant taking a cardboard box full of files with you.

Over time, laptops evolved and became more popular. Instead of being tied to a desk, technology started moving around with people. Dialing-in became “a thing” and laptops allowed people to work from anywhere with a phone line and a calling card.

The Internet evolved as broadband became widely available, everyone bought a computer, and suddenly people were working at home with VPN’s and Terminal Servers.

Then the iPhone happened, followed shortly by the iPad. Suddenly “smart” devices were ubiquitous; desktops gave way to laptops and WiFi availability absolutely exploded. People were connected almost everywhere, and needed the ability to work just as effectively wherever they chose to be. They also wanted choice… the ability to choose what device they were going to use and where they were going to use it from.

Meanwhile…. Windows was still the operating system of choice for business. Thousands of critical applications wouldn’t run on anything else, and IT needed to find a way to deliver those applications to any device, anytime, and anywhere. No more beige boxes on desks, we needed to provide Windows to whatever device our customer chose.

That’s why we need something like VDI. VDI is simply delivering Windows from “The Cloud,” that nebulous buzz word we in IT like to throw around. By using cloud technology, we’re able to present Windows to any device with an Internet connection. More than that, we’re able to present your Windows, so that you get all of the same personalization and software as you would otherwise.

In short, VDI enables a personalized computing experience regardless of whether you are working from home, office, or somewhere else with WiFi. It’s a very effective and secure way of allowing you to work wherever you need to, with the applications and tools you require. No beige box required!

Buy The Book: “The Exceptional Presenter” by Timothy J. Koegel

“Every time you open your mouth to speak in public, you are a public speaker.” – Koegel

It’s easy to forget how often we really present at work. It’s not just those rare occasions where we are asked to stand up in front of a large group of people. It’s every time we are speaking with our co-workers, regardless of whether it’s one-on-one in the hallway or with a small group in a bona fide meeting room. In short, it’s every single day.

I was a Communications & Marketing double major in college, and an IT consultant for 13 years before moving into corporate IT three years ago. So, presenting has always been something I’ve strived to be better at. After all, no matter how good you are, you can always be better. So when an instructor of mine recommended this book to our class as “essential,” I ordered it the same day, and I am so very glad I did.

In 165 pages, Koegel walks the reader through every aspect of presenting, from basic presentation structure to posture and voice control. I learned more about proper presentation skills from that book than I did in four years of college and nearly two decades of practical experience.

Koegel devotes the first two chapters to selling the reader on why it is important to be an exceptional presenter, and he does a darn good job of it. Most people probably don’t consider the cost of “average” presentation skills to not only their career, but also to the business. To move forward and affect change, you must be able to sell your ideas to your audience. Good presentation skills drive our groups, departments, organizations and ultimately our business forward.

“Those who practice improve. Those who don’t, don’t.” – Koegel

Koegel spends chapter nine, “Practice,” convincing the reader on the importance of practicing their presentation skills. Unfortunately, practicing our presentation skills is probably not the first thing that comes to mind when we get home in the evening, unless we are scheduled to present to a particularly large audience in the near future.

I decided to do the next best thing, and have been working on “fixing” at least one poor habit of mine each week while at work. For instance, I have a habit of keeping my hands in my lap while in a meeting (that’s bad… page 66). Generally, I do that because I’m freezing and I’m just trying to stay warm. Keeping your hands on the table though makes you appear more engaged in the conversation and interested in what others have to say. It’s that subtle body language nobody ever thinks about until you read it in black and white and think “…oh yeah, I do that.”

“Keep it short. Keep it focused. Keep it relevant.” – Koegel

In chapter four, “Organized: Structuring Your Story,” Koegel instructs the reader on how to design a presentation so that it not only conveys the necessary information, but also keeps the audience’s attention throughout. Sometimes, that means being brief and not speaking any longer than absolutely necessary to drive home your point.

Koegel provides an excellent idea in the book, encouraging the reader to write down the key points of their presentation, and then compare that with how much time you have been allotted. If you have only two points to make, do you really need thirty minutes to do so? Attention spans are short, so efficiency in communicating your message can be much more effective. If you have extra time, engaging the audience in a discussion will do wonders for their retention of the information you are trying to convey.

I think that idea can be extended to the use of PowerPoint in a presentation. Sometimes I wish PowerPoint had a 140 character limit like Twitter… any more than that and you might as well send everyone an email to read later.

The goal of any good PowerPoint slide should be instant recognition. That is, the second the audience sees the slide they should be able to quickly discern what the speaker is going to be discussing. That way they stop paying attention to the slide and focus on the speaker instead. Slides are a great tool when they are used to recapture attention as you walk through a presentation, but distracting if they try to convey too much information.

“Do not accept average when you can be exceptional.” – Koegel

Koegel starts and finishes his book by encouraging the reader to be exceptional. The effective socialization of ideas is critical to success in any large organization. Exceptional presentation skills are a key part of that and certainly beneficial to your own personal brand as well.

There is certainly a substantial amount of information in his book to absorb, so putting it all into practice overnight is probably unreasonable even for the best of us. If you take just a few pointers from the book though, and incrementally improve your presentation skills, you’ll be well on your way to becoming “The Exceptional Presenter.”

Footnote
After reading “The Exceptional Presenter,” I figured I could apply some of those same techniques to being an “Active Attendee” as well, and tried something new during a leadership meeting. Looking around the room I saw 12+ managers staring at 12+ laptop screens (I was one of them). I decided that, much like texting while driving, “it could wait.” I closed my laptop lid to focus on those that were presenting. Though I wasn’t one of the managers presenting that day, I felt I could at least provide a source of eye contact for those that were. Sometimes being an “Active Attendee” is just as important as being an “Exceptional Presenter.”

Why Is An SMTP Address Displayed on the “TO” Line for Some Addressees and Not Others in Outlook?

Ever wonder why some addressees in the “TO” line of an Outlook email show the actual email address next to the contact name, and others just show the contact name without an email address? Like this:

It all has to do with where you originally chose the addressee from. If you chose them from your personal Outlook Contacts, it will show the contact display name as well as the email address. If you chose them from the Global Address List, it will just show the display name.

Here’s why… with an Outlook Contact, you can store up to three email addresses for each contact, so Outlook displays the email address you will be sending to (as specified in the “Display As” field, which is customizable for each stored email address). That way, you know if you’re sending to someone’s work, home, or super-secret email address.

If you chose a contact from the Global Address List though, you do not get a choice of which email address you want to send to. Since you cannot choose the address, it doesn’t bother showing you what it is.

From then on, AutoComplete remembers where the address was originally selected from. So even if the selected contact exists in both your Outlook Contacts and the Global Address List, the AutoComplete object will be displayed from the originally selected location.

Just another Microsoft Outlook behavioral quirk!

Event ID 5003 Generated When Starting Exchange 2010 Information Store Service (Even With Correct Server Time)

I ran across an interesting issue with an Exchange 2010 Mailbox Server (SP1 RU6) recently where the Information Store service would not start on a DAG member after a reboot. Every time I tried, even after additional reboots, I got this error message:

Source: MSExchangeIS
Event ID: 5003
Description: Unable to initialize the Information Store service because the clocks on the client and server are skewed. This may be caused by a time change either in the client or the server, and may require a reboot of that computer. Verify that your domain is properly configured and is currently online.

I checked the clock and compared it to the domain controllers in the site as well as the other DAG members; they all matched within a second of each other (technically you should not receive an error like this unless the difference is greater than five minutes).

As we run an NTP server on our domain, all of the clocks are automatically synchronized everywhere, so it was a bit puzzling why we would receive such an error.

Finally, I caught on to what was going on. When the server was booting, it was initially setting its clock according to the BIOS (which in this case was provided by the VMware ESX host) before synchronizing with the domain. After consulting with the engineering team that manages the ESX farm here, I learned that the host this particular Exchange server was on did not have time synchronization configured, and it had fallen out of sync with the rest of the network by seven minutes.

Moments after booting up, the clock on the Exchange server would be reset to the domain time, but by then the Information Store service had already tried, and failed, to start. It appears there is some sort of “feature” that then prevents it from starting even after the time is corrected.

The fix was simply to fix the time on the ESX host (as well as configure NTP on that host) so that the time would be correct on boot up. After rebooting the Exchange server again, the Information Store service started up without any problems.

How to Append Outlook 2010 Safe Senders List via Group Policy Object

I recently wrote an article about using the Exchange Management Shell to quickly add/remove addresses in the Outlook Safe Senders list. However, it’s dependent upon Exchange 2007/2010, and while it gets the job done for current users (or a subset of users), it doesn’t solve the problem for future users.

Fortunately, we can use a Group Policy Object (GPO) to do the same thing. Our GPO will point Outlook 2010 to a text file in a common location (such as the Netlogon share) with entries to be appended to the user’s Safe Senders list. For it to work, we’ll need the Office 2010 Administrative Template Files as well as a way to enforce Registry Entries on the client OS (this is built into the Windows Server 2008 GPO Editor due to Microsoft’s acquisition of PolicyMaker).

First, create a simple text file named “SafeSenders.txt” (or whatever you prefer) and populate it with the entries you want to end up in Outlook’s Safe Senders list (one address/domain per line, no headers are necessary). Save this text file in a location accessible to all users such as the Netlogon share.

Second, download the Office 2010 Administrative Template files and Office Customization Tool and extract the contents. We don’t need all of it, just the .adm or .admx templates for Outlook. When you have them extracted, you can add them to your Group Policy Management Editor by right-clicking on “Administrative Templates” and selecting “Add/Remove Templates.” Add the outlk14 template and you’ll be all set.

Once added, drill down to the following:

User Configuration > Administrative Templates > Microsoft Outlook 2010 > Outlook Options > Preferences > Junk Email

Open “Specify Path to Safe Senders List” and set it to “Enabled.” For the path, use \\YourDomain\netlogon\SafeSenders.txt or whatever path/filename you will be using. Hit OK and now Outlook 2010 will know where to locate the import file. However, this setting will not force Outlook to actually import it. For that, we need to modify the registry.

If you have Windows Server 2008/2008 R2 as your domain controller and Windows Vista/7 as your client, this will not require any third-party utilities; it’s all built right into the Group Policy Management Editor.

Drill down to Preferences – Windows Settings, right-click on Registry, select New > Registry Item, and use the following settings:


Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Policies\Microsoft\Office\14.0\Outlook\Options\Mail
Value Name: JunkMailImportLists
Value Type: REG_DWORD
Value Data: 1
Base: Decimal

Hit OK and then close out of the Group Policy Management Editor and assign this new GPO to the relevant Organizational Unit (OU). Once the GPO is applied to the system, restarting Outlook 2010 will force it to import the new Safe Senders List. If a user deletes one of those entries out of Outlook, it will be imported again the next time Outlook is launched.
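To confirm on a client that the GPO actually landed and that the import file is sane, a check along these lines can be run as the affected user. This is an added example, not part of the original article; the entry pattern and the default path are assumptions, while the registry key and value name are the ones given above.

```powershell
# Added example, not from the original article. Run as the affected user on a client.
param(
    # Assumption: the same path entered in "Specify Path to Safe Senders List".
    [string]$ListPath = '\\YourDomain\netlogon\SafeSenders.txt'
)

# 1. The registry item pushed by the GPO (key and value name as given in the article).
$key  = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Options\Mail'
$prop = Get-ItemProperty -Path $key -Name JunkMailImportLists -ErrorAction SilentlyContinue
if ($prop -and $prop.JunkMailImportLists -eq 1) {
    'OK    JunkMailImportLists = 1'
} else {
    'FAIL  JunkMailImportLists is missing or not 1 (has the GPO applied to this user?)'
}

# 2. The import file must be reachable from the client.
if (-not (Test-Path -LiteralPath $ListPath -PathType Leaf)) {
    "FAIL  cannot read $ListPath"
    return
}

# 3. Lint the entries: one address or domain per line, no header row.
#    Assumption: user@domain, @domain and bare domain are the accepted shapes.
$pattern = '^([a-z0-9._%+-]+@|@)?([a-z0-9-]+\.)+[a-z]{2,}$'
$seen    = @{}
$lineNo  = 0
foreach ($line in Get-Content -LiteralPath $ListPath) {
    $lineNo++
    $entry = $line.Trim().ToLowerInvariant()
    if ($entry -eq '') { continue }
    if ($entry -notmatch $pattern) {
        "WARN  line ${lineNo}: not an address or domain: '$entry'"
    } elseif ($seen.ContainsKey($entry)) {
        "WARN  line ${lineNo}: duplicate of line $($seen[$entry])"
    } else {
        $seen[$entry] = $lineNo
    }
}
"INFO  $($seen.Count) unique entries"

# 4. Whoever can write this file controls every user's Safe Senders list,
#    so list the identities holding any write right for review.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $ListPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) } |
    ForEach-Object { "INFO  write access: $($_.IdentityReference)" }
```

Because Safe Senders entries skip junk filtering, the identities reported in step 4 should be limited to the administrators who maintain the list.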

The same Outlook setting can be applied to Outlook 2003/2007 with their respective administrative templates, but the registry setting will still need to be applied by another product if the client OS is not Windows Vista/7 or the domain controller is anything other than Windows Server 2008/2008 R2.

Resources
Office 2010 Administrative Template files and Office Customization Tool

2007 Office system Administrative Template files and Office Customization Tool

Office 2003 Administrative Template, OPAs, and Explain Text Update

Configure junk e-mail settings in Outlook 2010