Thursday, October 02, 2008

How to Send Windows Events to Syslog Server

Once we have our syslog server up and running we can easily configure all our network devices and Linux/Unix-like servers to send their events to it, but this is not true for Microsoft Windows servers, as Windows has no built-in syslog client.
There are free tools that convert Windows Event Log entries into syslog format and forward them to our syslog server, though.
I am going to introduce three different Windows-to-syslog forwarders here.
I have introduced the first one before and still insist on using it, since it is more flexible than the others (for example, filtering out messages we don't want forwarded, or adding other applications' log files) and its development team is more active:
1- Datagram SyslogAgent
2- Eventlog to Syslog (Purdue University)
One of my visitors pointed this one out; I ran an initial test on it and it seems to work fine. The comment is worth reading:
"Purdue University has an outstanding Eventlog to Syslog utility. It's lightweight and completely free. It also runs on Win2k3, Vista, 32-bit and 64-bit systems.
I use it to forward event logs from about 160 servers, and have had no issues whatsoever."
3- NTSyslog
I had some issues with this one the last time I tried to set it up, so I gave up on it.


Sunday, September 28, 2008

Secure Your Apache

Once you start searching for a topic like "Securing Apache" or "Hardening Apache" you will get hundreds of results, and everyone sets out his own security concerns. The fact is that not every recommendation applies to our environment, but we need to study and take into consideration all possible approaches to securing our web server. Some of these guides are far too complicated and strict, and some too mild!
The following is a very basic and reasonable list of things we have to do to bring a minimum level of security to our Apache server. Of course, hardening the underlying server comes first!
  1. Hide the Apache Version number, and other sensitive information.
  2. Make sure Apache is running under its own user account and group.
  3. Ensure that files outside the web root are not served.
  4. Turn off directory browsing.
  5. Turn off server side includes.
  6. Turn off CGI execution.
  7. Don't allow Apache to follow symbolic links.
  8. Turn off support for .htaccess files.
  9. Run mod_security.
  10. Disable any unnecessary modules.
  11. Make sure only root has read access to Apache's config and binaries.
For technical details on these and more steps follow the link below:
20 ways to Secure your Apache Configuration
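As an added illustration of items 1 to 9 above (this is not taken from the linked article), here is the weak form most stock installs ship with, followed by the hardened form, in Apache 2.2 syntax (Apache 2.4 replaces the Order/Deny/Allow lines with Require). The paths, the apache user and group, and the mod_security 2.x module file name are assumptions for a typical Red Hat-style layout.

```apache
### Weak: what a stock httpd.conf often looks like ###
ServerTokens Full             # "Server: Apache/2.2.x (Unix) PHP/5.x ..." on every response
ServerSignature On            # version string in error pages and listings
<Directory /var/www/html>
    Options Indexes FollowSymLinks Includes ExecCGI   # items 4-7 all enabled
    AllowOverride All                                 # item 8: .htaccess honoured
</Directory>

### Hardened ###
ServerTokens Prod             # item 1: only "Server: Apache"
ServerSignature Off
TraceEnable Off               # TRACE has no business on a production server

User apache                   # item 2: never run the workers as root
Group apache

# Item 3: close the whole filesystem first ...
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# ... then reopen only the document root, with every risky option off.
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks -Includes -ExecCGI   # items 4, 5, 6, 7
    AllowOverride None                                    # item 8
    Order allow,deny
    Allow from all
</Directory>

# Item 9: mod_security (assumes mod_security 2.x and mod_unique_id installed)
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
</IfModule>
```

Item 10 is the remaining LoadModule lines: comment out anything you do not use (autoindex, userdir, status, info and the like are the usual suspects). Item 11 is done outside httpd.conf with file permissions, e.g. chmod 600 on the configuration files, which works because the parent process that reads them runs as root before dropping to the apache user. Two caveats: ServerTokens Prod still announces "Server: Apache", which is as far as stock Apache goes without patching the source; and with Options None on / every directory you serve, not only the document root, now has to be opened explicitly. Run apachectl configtest before apachectl graceful, since a typo in an access block takes the whole site down.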


Thursday, September 11, 2008

JPGraph Error

I asked a colleague of mine to set up PHP-Syslog-NG (http://code.google.com/p/php-syslog-ng/) as the central logging system for all our devices and servers. He did this on FreeBSD 7.0 and everything worked fine except the "Graph" section, which uses JpGraph: it couldn't draw any graphs and came up with this message: "JpGraph Error Font file "/usr/share/fonts/truetype/msttcorefonts/verdana.ttf" is not readable or does not exist".
After some digging into the code and configs I got past the problem with the following steps:
  1. Install TrueType font support on FreeBSD (Xfstt).
  2. Fetch verdana.ttf and place it in the directory Xfstt created for TrueType fonts.
  3. Change JpGraph's TTF_DIR parameter.
Step 1:
An easy way to use TrueType fonts on BSD is to install Xfstt, which is available through the ports collection at "/usr/ports/x11-servers/Xfstt/".
After the installation a directory for TrueType fonts will have been created at "/usr/local/lib/X11/fonts/TrueType/".
Step 2:
Download verdana.ttf and place it in "/usr/local/lib/X11/fonts/TrueType/", making sure the file is readable by the user the web server runs as (the error message above covers both cases).
I fetched my copy from "http://www.afosteo.org/Download/Fonts/".
Step 3:
The final step is to point JpGraph's TTF_DIR parameter in the jpg-config.inc configuration file to the new location, "/usr/local/lib/X11/fonts/TrueType/".
jpg-config.inc is located at "/usr/svr/php-syslog-ng/html/includes/jpgraph".


Wednesday, August 27, 2008

Email Security Vocabulary!

Improve your email security terminology:


TCPDUMP Tutorial

tcpdump is a wonderful command-line tool for analyzing and troubleshooting network traffic on a Linux host.

The tcpdump options I use the most are:
  • -n : Don't resolve hostnames.
  • -nn : Don't resolve hostnames or port names.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
The following are the tcpdump expressions I use most:

Display any traffic to or from a specific host:
  • tcpdump host "Host-address"
Display any traffic from a specific host:
  • tcpdump src "Host-address"
Display any traffic to a specific host:
  • tcpdump dst "Host-address"
Display any ICMP traffic:
  • tcpdump icmp
Display any traffic to or from a specific network:
  • tcpdump net "net-address"
Display any traffic to or from a specific port:
  • tcpdump port "port-number"
Display any traffic from a specific port:
  • tcpdump src port "port-number"
Display any traffic to a specific port:
  • tcpdump dst port "port-number"
It is also possible to combine expressions with "and", "or" and "not", e.g. tcpdump host "Host-address" and not port 22 shows everything to or from the host except SSH.

You can learn more about tcpdump options and expressions with great examples at this location: http://dmiessler.com/study/tcpdump/


Monday, June 23, 2008

GFI Endpoint Security

For those who are very concerned about host security in terms of information theft or malicious code infections through CD/DVD, USB storage, tape devices, serial and parallel ports, printers, etc., GFI Endpoint will be the solution.
It works in a client/server manner: the Endpoint server controls hosts by deploying an agent to every desired host. (GFI also provides the agent as an .msi file, which is very handy for large Active Directory deployments.)
Endpoint makes it possible to block or restrict each device type (read-only or full access) based on users or groups, and provides great reporting on all events.
If someone has full-access permission over any of the available device types, it logs all applications used and the file names transferred or printed.
If you are wondering how to block access to USB and CD drives, try GFI Endpoint.
For more info check GFI EndpointSecurity Here!


Saturday, June 14, 2008

Perl and Regular Expressions

I have been drawn into an exciting area called "Perl scripting!". It is great fun, and until I started studying Perl I didn't know how lost I was in system and network administration!
Currently, what I mostly need Perl for is text processing.
In my first project I needed to telnet into a Fortigate firewall, send a couple of commands, fetch the output, process and reorder it (which was the main purpose of the job), store it in a file and trigger an action if a specific pattern was observed in the output.
All this required complex text processing, which could not have been accomplished without regular expressions.
The following are the references I found most useful for getting a grasp on regular expressions in Perl.
Regular expressions in Perl
Perl regular expressions tutorial
Steve Litt's Perls of Wisdom: Perl Regular Expression


Monday, December 03, 2007

Fighting Spam with Barracuda Spam Firewall

It's been a couple of weeks since I started working on a dedicated solution to fight incoming spam, and I did some study on the history of spam, the mechanisms available to block it, and which methods are efficient for an Internet data center. I was thinking of implementing SpamAssassin with Qmail as the MTA, but our company policy has changed and now I am considering an anti-spam appliance. There are many appliances available, and most of them have other security features like firewalling, virus scanning and DoS protection.
Spam Firewall from Barracuda Networks seems a great option to me, with different mechanisms including Bayesian filtering and great control over what should be considered spam and non-spam (ham), and it provides good visibility into what is happening on the box through its statistics. Its control panel has a lot of screens, which might add complexity, but it also gives great control and makes any policy enforcement possible!
I am really impressed with the administration options and would like to get my hands on it!
Spam Firewall is actually a Linux platform running SpamAssassin at its core.


Monday, August 27, 2007

Route Policy With Linux

In one of our premises I have two firewalls: a Linux iptables box and a Microsoft ISA Server.
I have two Internet connections, each connected to one firewall, and the plan is to remove the ISA server and move the Internet connection currently serving the ISA server users to the Linux box, which leaves two Internet connections on the same server. I have around 20 VLANs and I want to split Internet traffic between these two connections based on the source address. This can easily be done with the iproute2 suite (policy routing: "ip rule" entries selecting per-source routing tables, each with its own default gateway). I have not done this before but I am studying it, and it seems easy and straightforward. I will post more on this later.


Monday, August 20, 2007

Hardening Linux: Service Shutdown!

I am developing a security guide with recommendations for hardening a Linux box after a base installation. One of the basic steps is to evaluate all services and shut down anything that is not necessary for the operation of the operating system and the services it offers to its clients. Shutting down services provides the following benefits:
  • A shorter boot process, resulting in higher uptime
  • Fewer system resources consumed, which increases the overall performance of the server
  • Removes or reduces the exposure to vulnerabilities in, or abuse of, those services
To accomplish this you should know the function of each and every service. There are various documents that explain this. Since my guide is based on Red Hat, I found the following one matched my requirements best:
Understanding Your Redhat Enterprise Linux Daemons


Friday, July 20, 2007

The Best Practices For Network Security In 2007

I have many draft posts in Blogger, and when I feel like posting something new but have nothing in mind I just go and review my drafts. Today I came across a topic highlighting best practices for network security in 2007.
In this article 7 practices are mentioned, in order of importance:
  1. Roll out corporate security policies
  2. Deliver corporate security awareness and training
  3. Run frequent information security self-assessments
  4. Perform regulatory compliance self-assessments
  5. Deploy corporate-wide encryption
  6. Value, protect, track and manage all corporate assets
  7. Test business continuity and disaster recovery planning

For the complete article click the link below. If you are interested in security from the management perspective, don't miss it. You will find lots of interesting links to valuable resources that you cannot find together in one place elsewhere.

Computerworld - The best practices for network security in 2007


Monday, July 02, 2007

Started CCSP Path with SNPA

After a relatively long time I took the 642-522 exam, known as "Securing Networks with PIX and ASA (SNPA)", today and passed smoothly. I achieved this by studying the Cisco Press SNPA official certification study guide and through hands-on experience with Cisco PIX devices.
SND is the next stop...


Thursday, June 28, 2007

A Complement to PHP-Syslog-NG

It's been a long time since I set up my php-syslog-ng server, and I have done a tough job monitoring, troubleshooting and improving the logging system so that it makes more sense and works more effectively. Since I was dealing with more than 150 devices sending their log messages to my syslog-ng server, a top task was to filter out all unnecessary logs, which is only possible with syslog-ng's filters; this great feature helped a lot to block thousands of logs.

Current statistics show around 400,000 logs per month, a great improvement over the more than 5,000,000 logs of the very early months, and I hope that with stricter monitoring of redundant logs this number can be reduced further.
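An added example of the kind of filtering mentioned above, written for illustration and not taken from the post or from php-syslog-ng: a syslog-ng configuration (2.x syntax; in syslog-ng 3.x match() should be given value("MESSAGE")) that discards known noise before it reaches the collector while making sure audit-relevant messages are never caught by the noise rule. The Cisco-style message mnemonics, the 10.1.1.0/24 lab range and the file path are illustrative assumptions.

```conf
# Receive the devices' syslog over UDP 514, which is what most network gear speaks.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Noise to discard. The mnemonics and the 10.1.1.0/24 range are assumptions.
filter f_noise {
    match("%LINEPROTO-5-UPDOWN")                 # link flaps on access ports
    or match("%SEC-6-IPACCESSLOGP")              # per-packet ACL hit logging
    or (netmask("10.1.1.0/255.255.255.0") and level(debug..info));  # lab chatter
};

# Keep anything that mentions a logon or a config change regardless of level,
# so a noisy device can never hide an audit event behind f_noise.
filter f_audit { match("SEC_LOGIN") or match("SYS-5-CONFIG_I"); };

destination d_files {
    file("/var/log/net/$HOST/$YEAR-$MONTH-$DAY.log" create_dirs(yes));
};

# Order matters: a log path with flags(final) consumes the messages that match
# it, so the later paths never see them. A path with a filter and no
# destination is the syslog-ng idiom for "drop".
log { source(s_net); filter(f_audit); destination(d_files); flags(final); };
log { source(s_net); filter(f_noise); flags(final); };
log { source(s_net); destination(d_files); };
```

Two caveats: dropping at the collector saves disk and database rows but not bandwidth or CPU on the receiving side, so the better long-term fix for a chatty device is to lower its logging level or disable per-packet ACL logging on the device itself; and every drop rule should be written for a message you have actually looked at, since a pattern that is too broad will silently remove the one line you need during an incident.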

I am thinking of a complementary GUI for my PHP-Syslog-NG interface presenting analytical reports; I have already documented the requirements and brought in a PHP developer. I would like it to provide a lot of different statistical reports and charts so that I can easily track and address issues.


Monday, May 14, 2007

How To Set Up A Linux Syslog Server

Any network administrator in charge of a few network devices would like to keep a record of the events on these devices, like:
  • who logged into the devices (or tried to connect to them)
  • when he/she tried to log in
  • what he/she did after logging in
  • what changes and events the device announced (like interface status changes)
and lots of other information that might give a clue about a policy violation, or help track the series of events that led to a network disruption.
What I am talking about is having a simple syslog server in place to collect all log messages in a central location.
If you need to set up a quick and easy syslog server just follow the link below. It is meant for Debian but will work on almost all Linux distributions:
Linux Syslog Server - How To Set Up A Debian Linux Syslog Server


Tuesday, April 17, 2007

Monitoring in a Data Center

I was thinking about what we need to consider for a thorough monitoring strategy in an IT environment like a data center. There are various areas that should be monitored to achieve high availability. Monitoring can be categorized as follows:
  • Physical Access
  • Environmental Parameters
  • Hardware
  • Bandwidth Usage
  • Server Connectivity
  • Server Resources Usage
  • Service Availability
  • Traffic Analysis
  • Log Analysis
For each monitoring category there are many tools available, both commercial and free (mainly open source), that can be obtained and implemented. Some tools cover more than one of the above categories and some are limited to a single one.
Having all of these monitoring services and procedures in place might be too expensive for some organizations, and based on priorities and needs one or some of the above might be picked.
I will post more about monitoring later.


Wednesday, April 11, 2007

RFC 4732 - Internet DoS Consideration

I came across RFC 4732, titled "Internet Denial-of-Service Considerations". The abstract says: "The aim (of this document) is to encourage protocol designers and network engineers towards designs that are more robust".
This is an appetizing topic for every network administrator.

Internet Denial-of-Service Considerations


Sunday, March 11, 2007

The Challenges of a Firewall Administrator

A firewall administrator must have a good understanding of the applications and the way they work behind the scenes. Some protocols are unruly in their communication pattern, some put layer 3 and layer 4 addressing in the payload, which adds another twist to the problem, and sometimes the direction in which the protocol is initiated is unclear!
When working with firewalls to provide access to services and applications, the following must be considered carefully:
  1. Some protocols are unruly in their communication (FTP)
  2. Some put addressing in the payload (FTP, SIP, PPTP)
  3. Some confuse us about the direction of the communication (SNMP, SNMP traps)
So anyone who is in complete charge of a firewall needs to know how the communication of each protocol happens.
Do we need an inbound or outbound connection? (Where will the traffic be initiated?)
Is it TCP or UDP, or do we need to specify an IP protocol number (e.g. GRE, protocol 47, alongside TCP 1723 for PPTP)?
Do we also need to handle address translation in the payload (an application-layer gateway or "fixup" on the firewall)?

All this brings up a great challenge for a firewall administrator, who has to get to know applications and protocols well enough to tackle these problems.


Saturday, January 20, 2007

Firewalling Windows Servers with IPFW

For some time I had been thinking of an iptables-like firewall for host protection on Windows servers, and I didn't know whether one was available until I gave it a try and surprisingly found WIPFW. I find it very cool to have a Unix-based firewall on my Windows boxes!
WIPFW is the Windows version of the FreeBSD IPFW firewall, and it can be used on any version of Windows starting with Windows 2000.
It gives a lot of flexibility in the way rules can be applied to different sorts of traffic, and it can also keep track of connection state. There are a lot of great features that come with it, which can be checked in its online documentation. Any iptables administrator can figure it out quickly.

Some missing features in its current release (0.2.8) are as follows:
  • Unable to change packet contents
  • No traffic shaping capabilities
  • Does not support SNAT and DNAT
Check here for documentation and product download:
WIPFW: Windows Operable Version of BSD IPFW

Check also here for more info on WIPFW:
Jameser's Tech Tips: Stateful Packet Filter for Windows

Learn more about the original IPFW:
ONLamp - BSD Firewalls: IPFW
IPFW How-To


Friday, January 05, 2007

GRE Tunnel Problem

I have two GRE tunnels from the NOC to two remote sites, and since I set these tunnels up I have had a problem with one of the management applications. It stops responding and generates "Time Out" messages when it is left idle for about 10 minutes, and after 2 or 3 unsuccessful tries it comes back to life. All other connections (RDP, FTP, SSH) through these tunnels function smoothly at any given time, but our NGN department engineers are getting annoyed when a customer calls, since they need to send their commands a couple of times until their software responds!
One GRE tunnel is set up between two Huawei Eudemon firewalls and the other between a Huawei access router and an Eudemon firewall.
My studies show that this behaviour is due to oversized packets resulting from the added tunnel headers (the outer IP and GRE headers eat into the path MTU, so full-size packets no longer fit through the tunnel).
I will be posting more on this issue once any progress made.


Saturday, November 18, 2006

Response Splitting and Cross-Site Scripting Attacks?

I was doing some study on HTTP response splitting and cross-site scripting (XSS) and found some great articles worth sharing:


Thursday, October 26, 2006

RFCs and Best Practices

I have found it amusing to browse the list of RFCs in my spare time. It is really entertaining and a good way to learn how tech stuff works. But there is more to RFCs than defining standards and protocols: some of them provide Best Current Practices (BCP) and information for the Internet community. Here are three of them:
RFC2196 - Site Security Handbook
RFC2504 - Users' Security Handbook
RFC2505 - Anti-Spam Recommendations for SMTP MTAs


Monday, July 03, 2006

Nessus a handy tool for attackers!!!

The most significant incidents on my IDS/IPS sensor in the past two weeks were the logs showing that someone was trying to find vulnerabilities on our corporate website and portal; more interestingly, this guy didn't care about any customer websites and was seriously working on our corporate web server, which means a lot to me.
He/she was using Nessus to scan our server and find vulnerabilities in our operating system, web server and email system.
When confronted with these cases the worst part is that you cannot take any legal action against these guys! You may block their source IP address temporarily, but in the end you can only carefully watch their activity and pray!!!


Wednesday, July 27, 2005

Anti-Spam and Exchange 2003 SP2

Exchange 2003 Server Service Pack 2 (SP2) Anti-Spam Framework


Tuesday, July 19, 2005

NetDefend: D-Link Firewall/VPN Solution

NetDefend is D-Link's series of firewall and VPN products. Unfortunately D-Link is not a trusted brand in my country, but I have received unexpected feedback on D-Link firewalls expressing satisfaction. A couple of days ago one of these customers told me that he is experiencing better performance on their DFL-1500 firewall compared with their Cisco PIX firewall! I couldn't take this seriously, but he meant it.
Personally I don't believe that D-Link firewalls deserve a better rating than Cisco PIX firewalls, but this is a good message for those unfairly underestimating D-Link products.


Tuesday, May 31, 2005

Publishing Web Server on ISA 2004

A couple of weeks ago I was working at a customer site that wanted to publish their POP3 and SMTP server as well as their web server. Publishing the SMTP and POP3 server was as simple as going through the mail server publishing wizard, but it took me two days to find out why the web publishing wizard didn't work as expected! There was nothing wrong with the rules created by the wizard; something was grabbing the traffic on port 80 so that it couldn't reach the destination web server, and this was the local IIS on the ISA 2004 server. Stopping the "Default Web Site" and restarting IIS on the ISA 2004 server fixed the issue.


Saturday, May 28, 2005

Exchange 2003 Form Based Authentication?

To enable Microsoft Exchange Server 2003 forms-based authentication, IIS must be configured for secure communication (SSL): a certificate must be created and installed, and after that forms-based authentication must be enabled from Exchange System Manager.


Saturday, May 21, 2005

NAV Corporate and ISA 2004 On The Same Server

For scenarios where Microsoft ISA 2004 and Norton AntiVirus Corporate Edition are located on the same server, installing NAV clients and communication between NAV clients and the server becomes an issue. If NAV clients are installed locally from workstations, creating a UDP protocol definition with send port 38293 and 1024-4999, and access rules for this new protocol allowing traffic from Local Host to the Internal network and vice versa (note: two separate access rules must be created), makes it work. An access rule for NetBIOS traffic from the Internal network to Local Host must also be created.
Although this overcomes the client installation obstacle, NAV clients still cannot communicate with the NAV server; outbound TCP ports 2967 and 1024-4999 must also be opened in both directions.


Tuesday, May 03, 2005

Lock Down Exchange Server in 10 Steps

Exchange Server: Lock it down in 10 steps


Friday, March 11, 2005

Download Security at Home Videos

Some video downloads from Microsoft to learn:
- Protecting your computer from spyware
- What you should know about phishing scams
- Dealing with spam e-mail
- Keeping your computer up to date
- Protecting your privacy online
- Security overview
- Defending against viruses and worms
Check the following link for available downloads:
Download Security at Home Videos


Sunday, March 06, 2005

D-Link DI-624 Router

I do not have a broadband Internet connection at home yet, but once I get it I will put D-Link's DI-624 router on my must-have list! The DI-624 is a "basic firewall", "Internet sharing server", "802.11g access point with Super G (108Mbps) support" and "4-port switch", with many other great features like "MAC filtering, URL and domain blocking, scheduling, IP filtering for more Internet access control" that make it a great residential gateway for home and small office users.


Friday, January 07, 2005

Customize, Hide and Block Access to GAL

By default all mail-enabled and mailbox-enabled users in Exchange Server are visible to everyone in the organization. Some large organizations may not like this default behaviour, which lets people see all names and email addresses, so they may enforce policies to limit users' access to employee information in the Global Address List. Learn how to conform your Exchange GAL security to organization policy:
How to Manage Address Lists When You Host Virtual Organizations


Friday, December 31, 2004

The Pitfalls of MAC Filtering

Security is a top concern when it comes to 802.11 networking. Many vendors offer MAC filtering to protect small wireless networks, but it is not as secure as some administrators consider it: client MAC addresses travel in the clear in every 802.11 frame, so an attacker only has to sniff an allowed address and spoof it:
"MAC filtering is the process of configuring an access point with a list of MAC addresses that will either be allowed or not allowed to gain access to the rest of the network via that WAP"


Thursday, December 23, 2004

Network Sniffers

This is for those interested in security and network analysis tools. This article from InformIT touches on the concept of network sniffing and then presents tcpdump, WinDump and Ethereal as tools to sniff and analyze network traffic.
Network Sniffers: Is Open Source Right for You?


Thursday, December 09, 2004

Windows 2003 RRAS & VPN

I set up my first VPN server on Windows 2003 RRAS today and it works fine so far. A great improvement to RRAS in Windows 2003 is its built-in basic firewall, which blocks all traffic coming from the WAN connection, including ICMP requests; exceptions can be defined easily for ICMP traffic, applications and services to let the traffic pass the firewall. Once a client is connected to the VPN server over the Internet it acts as if it were locally connected to a LAN drop, and all resources are accessible normally. Outlook 2003 downloads only headers on slow connections and retrieves data from Microsoft Exchange on request. I tried to connect to our servers from the Remote Desktops console and this also worked fine. The PPTP VPN connection is my only security concern, so I will work on getting L2TP working for us.


Thursday, October 28, 2004

How A Criminal Might Infiltrate Your Network

We need to know the enemy first to learn how to fight him back!
Hacking: Fight Back: How A Criminal Might Infiltrate Your Network -- TechNet Magazine, Winter 2005


Thursday, October 14, 2004

Protecting Microsoft Exchange with ISA Server 2004 Firewalls

Another great ISA Server article from Thomas W. Shinder, explaining how to protect Exchange Server with ISA 2004 with minimal changes to the current network.
Protecting Microsoft Exchange with ISA Server 2004 Firewalls


Thursday, August 12, 2004

W32/Rbot-EN : Worm and Backdoor

Back in my post of Monday, August 02 I explained how I dealt with an issue caused by a file named "Ethernet32m.exe" sitting in the registry and causing serious network problems by removing the server's hidden shares. Today I finally found a report saying it is a worm and backdoor that lets a remote user access the infected system through IRC:
Sophos virus analysis: W32/Rbot-EN


Monday, August 09, 2004

What Is Dialer Trojan?

Summer Brings Mosquito-Borne Malware (Part 3 of 3): "A dialer Trojan is malware coded to secretly dial phone numbers, leaving the infected victim with a large phone bill. There are two reasons why someone might code and spread a dialer Trojan. The first reason is destructive, perhaps as tool of revenge. The second reason is for financial gain."


Thursday, August 05, 2004

Download: Thinking like a hacker

Thinking like a hacker - TechRepublic: "Find out how hackers break into networks and systems and compromise software applications. By knowing more about hackers' methodology, you can beat them at their own game."


Monday, August 02, 2004

Is "Ethernet32m.exe" a Trojan Horse or what?

Around two weeks ago I received a call from a customer complaining that their server was not able to send and receive emails, workstations were experiencing problems accessing network resources, the Internet connection was overloaded, and obscure "Net Send" pop-ups were appearing from an unknown source, apparently from outside.
Looking into the problem showed that something malicious was running in the background on the server, removing the server's hidden shares (this is why users reported "The network name cannot be found") and consuming the whole Internet bandwidth by sending traffic to a range of IP addresses (the kind of traffic didn't bother me, as I was supposed to fix the problem ASAP). Finally, after examining the registry (e.g. HKLM\Software\Microsoft\Windows\CurrentVersion\Run), we found that a file named "ethernet32m.exe" was loaded at server startup and running as a service. There were no reports on the web of ethernet32m.exe being a malicious file, nor could we find any resource saying it is a system file. So we carefully backed up the System State, switched to safe mode, removed WINDY\SYSTEM32\ethernet32m.exe, searched the registry for any ethernet32m.exe entries and removed them all, and went back to normal operation... It was gone!
I am still curious to know what exactly it was and how it could reach the server while the server console was locked! The antivirus solution recorded many Netsky, MyDoom and Beagle detections on client machines, which were all quarantined, but nothing on the server.


Thursday, July 22, 2004

Download The Antivirus Defense-in-Depth Guide

The Antivirus Defense-in-Depth Guide provides an easy-to-understand overview of the different types of malware, or malicious software, including information about the risks they pose, malware characteristics, means of replication, and payloads. The guide details considerations for planning and implementing a comprehensive antivirus defense for your organization, and provides information on defense-in-depth planning and related tools that you can use to help reduce your risk of infection. The final chapter of the guide provides a comprehensive methodology to help you quickly and effectively respond to and recover from malware outbreaks or incidents.
Download the complete solution in PDF here:
Download details: The Antivirus Defense-in-Depth Guide


Wednesday, July 21, 2004

Spyware and browser hijackers

I think the most important tip is to watch the freeware we download. Usually the presence of spyware/adware is disclosed in the freeware's user agreement, which nearly no one reads, and many Internet surfers don't even know what spyware or adware is! Fortunately some antivirus programs like Norton are now detecting and removing this rubbish.
5 tips for spurning spyware and browser hijackers


Sunday, July 18, 2004

Windows Hidden Share Folders

When the Microsoft Windows hidden (administrative) shares like IPC$ (Remote IPC), ADMIN$ (Remote Admin) or C$ are removed, serious network access issues arise: "The network name cannot be found" will pop up when trying to access resources in Network Neighborhood or My Network Places, and "This server is not configured for transactions" when trying to join a workstation to a domain. Windows recreates these shares when the Server service restarts (unless the AutoShareServer/AutoShareWks registry value is set to 0), but the quick work-around is to recreate them with the "net share" command:
Net share ADMIN$
Net share IPC$
Net share C$=C:
But fixing the problem gets difficult when a Trojan, worm or backdoor removes these shares as part of its routine by simply issuing commands in the background like:
net share /delete IPC$ /y
net share /delete ADMIN$ /y
net share /delete C$ /y
net share D$ /delete
net share C$ /delete
net share /del IPC$ /y
net share /del e$ /y
net share /del d$ /y
net share /del C$ /y
net share /del admin$
And this is done on a regular basis, resulting in the disappearance of the hidden system shares every couple of minutes. It is a hard and time-consuming task to find out what is really causing the disappearance of these crucial shares!


Tuesday, June 01, 2004

Configuring an Inbound and Outbound SMTP Relay

Thomas Shinder, who is popular for his great "Configuring ISA Server 2000" and "ISA Server and Beyond" books, has started the first part of an article on how to configure an inbound and outbound SMTP relay to keep the mail server secure. In this part he goes through the relay concept, what a relay is and why it is important. He also points to an online utility with which you can check your relay configuration and make sure it is not open to spammers:
Configuring an Inbound and Outbound SMTP Relay
