Internal E-Mail Button: Comprehensive Review of Attachment Problem.

Since August we have observed a series of issues affecting the ability to send documents using the "Internal E-Mail" button from TrialWorks.   This e-mail/blog is re-stating some of the known items as well as introduces the impacts of Microsoft Exchange on the issue.    This article summarizes existing information and introduces new sources of conflict into the mix.

 

PROBLEM:

When users send links via the "Internal E-Mail" button, or any other operation that performs the same function, the recipients may see the following behaviors:

·         Missing attachment and message "Outlook blocked access to the following potentially unsafe attachments:<filename>".

·         Present attachment with a failed open attempt that reads: "Operation Failed".  This specific cause must be confirmed as the issue by attempting to open the sent message from the TrialWorks E-Mail Tab, and then opening the attachment.  If the e-mail from the e-mail tab lists the error in bullet-1, than the problem is relevant to this article.   Outlook "Operation Failed" messages have many other causes.

 

CAUSES & OPTIONS:

The causes of this issue include four scenarios:

1.       Client-Side Microsoft Updates.  Updates labeled KB980373 for Microsoft Outlook 2003, and labeled as KB980376 for Microsoft Outlook 2007.   They can be manually removed from the affected computers, and blocked from being reintroduced.  In addition, the referenced articles provide "alternative solutions" such as modifying the registry.  However, the remaining causes outlined will influence the success of any operation.

2.       More Client-Side Microsoft Updates. Microsoft Outlook Security Updates that prevent access to "shortcut" attachments.  Updates labeled as KB2293428 for Outlook 2003, and KB2288953 Outlook 2007.  Removing these items, in conjunction with Cause #1, may resolve the issue unless the remaining factors listed here are present.

3.       Microsoft Outlook 2010.   The 2010 version of Outlook natively blocks shortcuts to network files.  The Microsoft documentation indicates that Outlook 2010 is not affected by the updates, which is technically true.   Outlook 2010 prevents access to those files.  However, the "alternative solution" registry edits published by Microsoft may overcome the security issues if Exchange 2007 or lower is present.

4.       Exchange 2010 Mailbox Store.  Adds additional complexity to the situation, as mailboxes which use Outlook 2007/2010 remain restricted from opening shortcut attachments. In these cases, the "operation failed" messages are more common.

 

TRIALWORKS UPGRADE 10.08E.

TrialWorks 10.08e was designed to address Cause #1 in this article.    In many cases, it works through Cause #2 & #3.  The upgrade manually adjusts the registry settings to permit the "newly disallowed" attachments in Outlook 2003 and 2007. However, Outlook 2010's native behavior is questionable. In some cases, the registry edits work and no further steps are necessary.    The upgrade does not address these issues under Exchange 2010; the root security settings responsible for the restriction are currently being examined.  We currently do not have a recommendation for making changes to your Exchange environment.

 

FUTURE DEVELOPMENT.

The update and registry edit are temporary solutions.  Our development team is working aggressively to re-develop the attachment system in ways that are more compliant with new Microsoft security recommendations for Outlook and Exchange. 

 

-KJ

New round of MS Updates blocks shortcut links again

New round of updates blocks shortcut links again:

http://www.microsoft.com/technet/security/bulletin/ms10-064.mspx

 

KB2293428 Outlook 2003

KB2288953 Outlook 2007

 

These updates will install even if the previous updates have been affirmatively blocked. Please see our previous post for more details about how security updates block shortcut links and what to do about it:

 

http://trialworks.blogspot.com/2010/07/internal-email-and-fileit-links-are.html

Internal Email and FileIt Links are blocked by Outlook after Office Update

After this week's Office Update users have began to report problems opening links sent from TrialWorks. These links, sometimes believed to be attachments, are generated using FileIT and the "Internal Email" button. The actual links are blocked on computers running Outlook XP (2002), Outlook 2003, Outlook 2007, and Outlook 2010.

Users see the following:

Outlook blocked access to the following potentially unsafe attachments: filename.

From http://support.microsoft.com/kb/2271150/en-US/

"The attachments that are affected by this issue are fairly uncommon. They are typically created by custom solutions by using Extended MAPI or the Outlook object model to add functionality to a Microsoft Exchange mailbox or to a local set of Outlook folders."

WORK AROUND:

Currently only fix is to remove the referenced update. You will need to:

• Go to Control Panel, Add/Remove Programs OR Control Panel, Programs and Features
  

(Office 2003) Locate the office update "Outlook Security Update.... KB980373"
(Office 2007) Locate the office update "Outlook Security Update.... KB980376"

• Remove It

ADDITIONAL NOTES:

This issue occurs because, by default, Outlook 2010 does not allow linked file attachments to be opened.

Also, a July 2010 security update http://www.microsoft.com/technet/security/bulletin/MS10-045.mspx made a change to:

• Outlook 2002, http://support.microsoft.com/kb/980371

• Outlook 2003, http://support.microsoft.com/kb/980373

• and Outlook 2007 http://support.microsoft.com/kb/980376 to include this behavior.

-KJ

Check Your Backups!

When your business depends on computers, you use them to store data. That data (information, documents, emails, pictures, etc) belongs to you, and losing it would be disastrous. If you have a server environment, you also need to protect the network structure, which complicates your backup and recovery plans. In most cases, copying files is not enough - so you run some special software.

The only way to make sure that your data is protected is to take ownership over the backups. Believing that the backups are running without your direct involvement is short of delusional. If you are a principal of a business, it is your job to make sure your data is safe. Here are some methods for verifying your backups:

• ShadowProtect: Most agree it is the best imaging software on the market. It is also extremely easy to use. More important, it has superior restore capabilities, but only if your backup sets are present.
  
  
  1. Log-on to your server
  2. Launch ShadowProtect
  3. Click the Backup History Tab
  4. Scroll to the bottom. There should be backups in the last 24 hours with a "COMPLETED" status. Yellow or Red icons are BAD!
  5. Re-check to make sure all volumes (C:\, and/or D:\, and/or E:\ etc have a log entry).
     
     Every WEEK you should perform a manual backup you will take off-site using a Scheduled/Manual jobs that should be pre-configured:
     
     
  6. Log-on to the server
  7. Pause the Scheduled Job
  8. Execute the MANUAL job to a different destination.
  9. Verify it completes
  10. Un-Pause the Scheduled Job.
      
      
• Windows Small Business Server Backup: the free option. You get what you pay for. In this case, restoring data - in a disaster - can be cumbersome. Exchange Server restores are additionally complex. Regardless, it is still a backup.
  
  
  1. Log-on to server
  2. Open Server Manager or the Windows SBS Console
  3. Click on Backup
  4. View Backup History. You have two choices, SUCCESS or FAILED. FAILED is BAD.
     
     
• Lastly, it is not enough to just look at the logs. Proper backup procedures involve RESTORING files to verify everything works. Monthly, or quarterly, you should restore a file from your backup. You can do this by yourself or with your IT on the phone, but get it done.
  

In the end, backups are not self-maintaining. You can pay for these services, but ultimately your best bet is to spend 1 hour of your time learning about them and a few minutes a month making sure they work. Computers, servers, storage systems, etc... ultimately fail: it is never a question of "if", but rather "when". Do not put it off, do not delegate it out, take ownership of it - after all, this is your business.

Sophos finds Windows 7 UAC is largely ineffective

Sophos Labs, the threat testing division of Sophos, has recently reviewed the effectiveness of UAC (User Account Control) in Windows 7 in protecting against viruses, trojans, and worms. Their tests showed that some of the most potent viruses will break through the UAC.

The results of this study suggest that UAC offers little protection for your computer and you still need a good anti-virus to protect your system. TrialWorks began using Sophos products last summer and we have been thrilled with their effectiveness.

Most of our sites, that are managed by our networking team, operate the Sophos Security Suite for SMB. http://www.sophos.com/products/small-business/sophos-security-suite/ . It offers in depth messaging protection, anti-spam, anti-virus, application control, and firewall. We have been especially pleased with how well the anti-spam systems work.

In addition to deploying Sophos at our client sites, we also completed an extensive roll-out of Sophos on our own networks. Our environment is far more complex and includes dozens of servers. We are pleased not only with how easy it is to deploy and manage, but also how well it interacts with our virtual infrastructure.

http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable-8-10-viruses/

BlackBerry Internet Services and "Cannot connect to email server or invalid server name"

I just had to setup BIS for a customer and had a few problems. Proved to be a valuable learning experience.

When setting up BIS there is basically one error it will give, "Cannot connect to email server or invalid server name"

This error, however, can mean several different things.

Invalid address: check your address, it's generally https://mail.domain.com/exchange (for 2003) or /owa for exchange 2007.

Invalid logon name: it is generally DOMAIN\UserName

Invalid Mailbox name: this one is tricky... It's generally the same as user name, not necessarily what you find in System Manager. It has to be exact match to active directory. This setting is what got me today.

Email address must match the server address. So if you try to use karl@domain111.com when the server address is https://mail.domain222.com; it will fail.

Oh, and last but not least, invalid password.