Presentation from Bleedingedge 2011

by Miha Pihler 29. September 2011 20:30

My presentation on "Analyzing Infected Server" can be fownloaded here.

BleedingEdge Miha Pihler 2011.ppt (1.59 mb)


If you are interested in TMG and how to publish Exchange...

by Miha Pihler 26. September 2011 08:00

... you can check out this video where I present exactly how to do it... 



Planning, Deploying and Managing Microsoft Forefront Threat Management Gateway 2010

by Miha Pihler 1. June 2011 19:10

The course "Planning, Deploying and Managing Microsoft Forefront Threat Management Gateway 2010" that I co-authored is now officially available for orders.

For more information visit or send me an e-mail.



Troubleshooting infected server Part 1.

by Miha Pihler 16. May 2011 15:05
Recently I was troubleshooting an infected server. Some of the malware was removed beforehand. After malware was removed RDP was still not working on this server. When I tried to telnet to TCP port 3389 (RDP TCP port) there was an unknown service listening and responding.
Checking this with netsat.exe (netstat -ano | findstr :3389) confirmed it. I was now able to see PID (Process ID) of the process that was listening on TCP 3389.
Using tasklist.exe (tasklist | findstr 2304) revealed the service (tcpsvcs.exe) that was listening on TCP 3389. This is highly unusual. RDP service runs in svchost.exe.
Using Process Explorer and looking for tcpsvcs.exe revealed two processes running with that name. Checking the signature of files revealed that one of the signatures cannot be verified. Also note the purple coloration of the process. Process Explorer will mark "Packed Images" in purple. Packed images are often used by malware authors (but can also be used by legitimate software).
   The suspicious file was located in folder C:\Windows\System32\wbem 

Using sigcheck.exe (sigcheck.exe -u -e c:\windows\system32\wbem) to check the folder for all unsigned files revealed two such files. One was the one we already identified (tcpsvcs.exe) and sc.exe.
Both files actually exist on windows operating system but not in "wbem" folder and both are digitally signed by Microsoft. You can also note the difference in size. 
Looking at the malware files, malware authors tried to hide the fact that the file is a malware by entering the Microsoft and other information from the real files that can be found on the server. Of course the failure of digital signature verification quickly gave them away. 
In part 2, I will talk about removing this malware from the server.



by Miha Pihler 11. May 2011 13:30
In December 2009 I reported a bug in TMG GUI to Microsoft.
If you wanted to use E-mail Policy in TMG at the time there were some restrictions in e.g. "Blocked sender" GUI. More specifically the GUI didn't allow me to enter "" as blocked address. If you did TMG returned an error: "The Sender address in empty or not valid. Please enter a valid e-mail address."

Further investigation into this problem I found out that TMG would not accept the following characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~ which are legal characters according to RFC.
Microsoft acknowledged the bug. Patch was released in January 2010 as part of hotfix update package for TMG 2010. They also released KB 97925


Simple Firewall Best Practices for Small and Midsize Businesses

by Miha Pihler 22. April 2011 12:00

My article on Firewall Best Practices was published on Microsoft Technet. If you are interested in this subject here is the link to the article.


Exchange 2010 -- 17.11.2009

by Miha Pihler 18. November 2009 21:26

Prezentacija s predavanja o Exchange 2010 z dne 17.11.2009 je na voljo tule:


Microsoft Exchange postavitev:

Konfiguracija storage:


Windows 2008 R2 Session -- 20.10.2009

by Miha Pihler 21. October 2009 06:25

Resources and scripts from presentation.

PowerPoint presentation.

Question from today:

Is it possible to have Windows XP boot from VHD.

The answer is no (well, at least it is not supportable). This is only supported on Windows 7 and Windows 2008 R2

More information on this can be found here.


My Bleeding edge presenation

by Miha Pihler 18. October 2009 20:06

Below you can download my presentation from this year's Bleeding edge conference.

Inside you can find link to e.g. Ste-by-Step guide to setting up NAP etc.

Bleeding Edge presentation


Creating DynamicDistributionGroup with -RecipientFilter

by Miha Pihler 6. October 2009 07:45

As any Exchange 2007 administrator knows, you get best features by using PowerShell.

In old version of Exchange (e.g. Exchange 2003), you could create dynamic distribution group where the members of the group would be users from specific Exchange server or Exchange Mailbox Store. This was very useful especially during migration since it was very easy to notify all the users in the store that their mailboxes will be moved over the night. One would only have to create a dynamic group with appropriate filter.

If you want to create dynamic group on Exchange 2007 you have very limited filters available in GUI.

To get the same results as we did on Exchange 2003 we need to use the PowerShell. The command we need to use is:

New-DynamicDistributionGroup –Name "All Users on Server Exchange" –Alias "AllonExchange" –RecipientFilter {(ServerName –eq "Exchange")}

This will actually create new dynamic distribution group named "All Users on Server Exchange" and users will be filtered by "ServerName".

If you open the dynamic group we just created in GUI you can notice it has an additional tab where you can check the filter that we created in PowerShell.

There are a lot of properties we can filter by. ServerName is just one of them. To get complete list of the properties check the Filterable Properties for the -RecipientFilter Parameter in Exchange 2007 SP1 and SP2.

Tags: , ,

Miha Pihler

Microsoft Certified Master | Exchange 2010 (MCM)
Microsoft MVP - Enterprise Security

Month List

Page List