Thursday, March 31, 2005

Using Active Directory Group Policy to Deploy SmbDeviceEnabled Registry Setting

I deployed a pair of firewall appliances onto our network using Network Address Translation (NAT). Soon after that, users started to report intermittent network problems, e.g. corrupted Word documents, garbage data in files on the file server, XP machines receiving a "Write Delay Error" warning, and a corrupted Visual SourceSafe database.

One thing in common is that the problems all appeared on connections using the Server Message Block (SMB) protocol.

It turns out there is a problem with the SMB protocol running over NAT. Refer to Microsoft KB article 301673 for more detail. The workaround is to change a registry setting so that the NetBT protocol is used instead. You can change it on either the client workstations or the servers.

For us, since the client workstations may connect to more than one server, and some of those servers are not managed by us (and, as a result, are outside our firewalls), we have to change the registry setting on the client side.

So, I used Active Directory Group Policy to help me to deploy the registry setting.
  • Create a custom Administrative Template as follows:

    CLASS MACHINE
    CATEGORY "NetBT Settings"
    POLICY "SmbDeviceEnabled"
    KEYNAME "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    EXPLAIN "This policy configures the registry value HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled. You can disable this value to solve the problem of SMB over NAT. Refer to Microsoft KB 301673 for more information."
    VALUENAME "SmbDeviceEnabled"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY

  • Save the file as NetBT.adm.
  • In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
  • Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this NetBT.adm custom administrative template.
  • Now, under Administrative Template, a NetBT Settings category will appear.
  • Under this NetBT Settings category, double-click on SmbDeviceEnabled and change the status to Disable.
  • Close the Group Policy Editor to finish.
  • Link this group policy to the right OU to apply onto all the machines under it. (always do it on test machines first!)
  • Within 90 minutes (default time for Active Directory Group Policy refresh), the machines will obtain the new registry value.
  • You still have to reboot the machines to make the registry change effective.

One thing you have to know is that this kind of group policy tattoos the registry: the setting will not be changed back to its original value if you later remove the group policy. To undo the change, you have to explicitly set the SmbDeviceEnabled policy under NetBT Settings to Enable.
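As an added example (not from the original post), here is a PowerShell check for one client machine that reports whether the SmbDeviceEnabled value pushed by the NetBT.adm policy above has arrived and whether it is already in effect. It assumes that once the value is 0 and the machine has been rebooted, nothing listens on TCP 445 any more (direct-hosted SMB), while NetBT-hosted SMB stays on TCP 139; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Run from an elevated prompt on a
# machine in the OU the policy is linked to.
# Assumption used here: with SmbDeviceEnabled = 0 and a reboot done, the
# direct-hosting SMB listener on TCP 445 is gone; NetBT SMB stays on TCP 139.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$ValueName = 'SmbDeviceEnabled'

function Get-SmbDeviceEnabledValue {
    # Returns $null when the value is absent, which Windows treats as enabled (1).
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Test-Port445Listening {
    # $true when something still listens on TCP 445 (direct-hosted SMB).
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return [bool]$listeners
}

function Get-SmbDirectHostingReport {
    $value     = Get-SmbDeviceEnabledValue
    $listening = Test-Port445Listening
    $state = if ($null -eq $value -or $value -ne 0) {
                 'Policy not applied (or set to Enable): direct-hosted SMB still configured'
             } elseif ($listening) {
                 'Value is 0 but TCP 445 still listening: reboot pending'
             } else {
                 'Direct-hosted SMB disabled and in effect'
             }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SmbDeviceEnabled = $value
        Port445Listening = $listening
        State            = $state
    }
}

Get-SmbDirectHostingReport | Format-List
```

Because the policy tattoos the registry, the report will keep showing the value as 0 after the GPO is unlinked until the policy is explicitly set to Enable and the machine rebooted.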

Wednesday, March 30, 2005

WSU IT Forum Presentation

The Vice President of Information Technology of our university organized the first Information Technology Forum. I was invited to co-present with the Enterprise Administrator. The topic is Active Directory: Securing the Enterprise.

Here are the slides for my part of the presentation.



Of course, it's my professional responsibility (as a systems administrator) to strip out or obscure any real server names and infrastructure details. But the essence of the presentation, the power of Active Directory and group policies, remains.

Monday, March 28, 2005

Using Active Directory Group Policy to Protect Against Adware/ Spyware Tracking Cookies

Continuing my journey to fully utilize Active Directory to streamline computer management, I found that we could use Group Policy to block adware and spyware tracking cookies.

More police powers for spyware

Here is how:
  • Start Group Policy Editor.
  • Under User Configuration | Windows Settings | Internet Explorer Maintenance | Security, right-click on Security Zones and Content Ratings.
  • Under Security Zones and Privacy, choose Import the current security zones and privacy settings.
  • Note: Before you click on Modify Settings, be aware that it will import the Internet Explorer security zones and privacy settings of the machine where you are running the Group Policy Editor. Be careful! Since Windows 2003 disables a lot of IE settings by default, you may not want to run the editor on a Windows 2003 machine to define an IE group policy for Windows XP machines.
  • Click Modify Settings.
  • Go to Privacy tab. Click Sites.
  • Add the advertisement sites/domains whose tracking cookies you want to block.
  • Click OK to finish.

This approach only works for Internet Explorer. Of course, it doesn't compare with real adware/spyware scanning software, which can also check other places, like the file system and the registry. I call this a poor man's version. It doesn't cost you anything, other than the time it takes to configure the group policy and then link it to the right Organizational Unit (OU) for deployment.
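As an added example (not from the original post), here is a PowerShell audit that runs on a user's machine and checks which of the domains you put in the Privacy | Sites list actually ended up as "Block" for that user. It assumes Internet Explorer stores each per-site privacy action as a subkey named after the domain under HKCU\...\Internet Settings\P3P\History, with a DWORD default value of 1 (Always Allow) or 5 (Always Block); the expected domain list is a constructed sample.

```powershell
# Added example, not from the original post. Run in the context of the user
# whose Internet Explorer Maintenance policy you want to verify.
# Assumption: per-site privacy actions live under this key, one subkey per
# domain, default value 1 = Always Allow, 5 = Always Block.
$HistoryKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History'

function Get-IePerSiteCookiePolicy {
    # Lists every domain with a per-site cookie decision and what that decision is.
    if (-not (Test-Path $HistoryKey)) { return @() }
    Get-ChildItem -Path $HistoryKey | ForEach-Object {
        $action = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $label  = if ($action -eq 1) { 'Allow' }
                  elseif ($action -eq 5) { 'Block' }
                  else { "Unknown($action)" }
        [pscustomobject]@{ Domain = $_.PSChildName; Action = $label }
    }
}

function Get-UnblockedDomains {
    # Returns the domains from $ExpectedBlocked that are NOT set to Block,
    # i.e. where the group policy has not taken effect for this user.
    param([string[]]$ExpectedBlocked)
    $blocked = @(Get-IePerSiteCookiePolicy |
                 Where-Object Action -eq 'Block' |
                 Select-Object -ExpandProperty Domain)
    return @($ExpectedBlocked | Where-Object { $_ -notin $blocked })
}

# Constructed sample: the ad/tracker domains you entered in the policy.
$expected = @('ads.example', 'tracker.example')
$missing  = Get-UnblockedDomains -ExpectedBlocked $expected
if ($missing.Count -gt 0) {
    Write-Warning "Not blocked for $env:USERNAME : $($missing -join ', ')"
} else {
    Write-Host "All $($expected.Count) listed domains are blocked for $env:USERNAME."
}
```

Run it after a gpupdate or the next policy refresh; an empty warning list is the quickest sign that the imported privacy settings reached the user.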

Thursday, March 24, 2005

Exchange/ Outlook Rules Handling

For current (non-Exchanged) Outlook users who are moving onto Exchange, beware!
Exchange/Outlook rules handling can bite you in many ways.

Before you proceed, export all your current rules into a file.
You will need it!

Read the following article for a better idea about Exchange server-based and client-based rules:
http://www.slipstick.com/rules/serverbased.htm

This talks about the Exchange rules storage limit of 32K:
http://support.microsoft.com/kb/241325

Some workarounds for this 32K storage limit problem:
http://support.microsoft.com/?kbid=886616

For the advanced,
Bruse Heimbigner suggests a programming technique to work around the 32K storage limit problem:
http://blogs.msdn.com/adioltean/archive/2004/11/18/259448.aspx
http://www.google.com/search?q=RULE.DLL

Wednesday, March 23, 2005

Exchange Outlook Rules 32K Limit - Frustrating!

I signed up as a WSU Exchange early tester. After two days of using it, I got really frustrated.

I use my email as a filing system. I have a place/category/folder for everything.
In my non-Exchanged Outlook, I have 115 filtering rules to automatically sort my incoming email.

But once "Exchanged"... Outlook allows me to keep only 27 of my rules (the remaining 88 are disabled). The reason is that they exceed the Exchange server rules storage limit of 32K...... yes... 32K only!

There are two types of filtering rules in Exchange: server-only and client-only rules.
  • Server-only rules are executed on the Exchange server directly; no email client needs to be running. One can use them to automatically sort email out of the default Inbox, keeping the Inbox clean and small. This is especially useful when one checks email a lot from a mobile device.
  • Client-only rules are executed on the client side (in my case, Outlook). One can use them to sort email into different Personal Folders on the local machine.

All my existing rules are client-only. So why would Outlook ever need to upload those rules to the Exchange server, and have them counted against the 32K Exchange server rule storage limit? Bad design, or bad integration, between the two Microsoft products.

I then removed the Exchange server connection from my Outlook. It shocked me to find that all my rules were removed as well. Another bad product design (should I call it a bug?) in Outlook: client-only rules should always stay with the email client and not be affected by whether or not an Exchange server is configured.

There is a Microsoft KB article that describes some workarounds for the Exchange 32K rules storage limit problem. Basically: rename your rules to shorter names, merge some of your rules, give your local folders shorter names, move your Outlook data files to a location on the file system with a shorter path, etc.

It cost me an entire afternoon, and I was finally able to cut my number of rules down to 65. Exchange is still complaining that I can only enable 64 of them. :-(