Exchange Messaging Outlook Volume 13, Number 38

Issue Date February 12 2009
This issue is sponsored by Sperry Software


Microsoft Security Bulletin MS09-003 - Critical

A critical security update is available for Exchange 2000, 2003 and 2007 and addresses two vulnerabilities in Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to an Exchange Server. The attacker could use this to take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to Exchange Server. A successful attacker could cause the Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

For more information and to download the update, see Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (KB 959239) and Microsoft Security Bulletin MS09-003 - Critical:
http://www.microsoft.com/technet/security/Bulletin/MS09-003.mspx

Exchange Managed folders

An administrator recently asked how to set the 'Empty the Deleted Items folder upon exiting' option for all users.

While he could use GPO or logon scripts to set the registry key that controls it, it's better to use the features included in Exchange server (all versions) to delete messages from the Deleted Items folder (and Junk Email). Emptying the deleted items on the client side can take a few minutes and create problems when shutting down to reboot. When the folder is emptied on the server side, the action is transparent to the user. I recommend keeping deleted items (and junk mail) for a couple of days or so, just in case the user accidentally deleted something or needs to look for a message, and this is not possible with the Empty the Deleted Items folder setting.

To set up managed folders in Exchange 2007, open Management Console and go to Organization Configuration, Mailbox, Managed Default Folders tab. Right click on the Deleted Items folder and choose New Managed Content Settings. The wizard will guide you through the process.

Next, create a policy on the Managed Folder Mailbox Policy tab. Once the policy is created you'll need to apply it to the user accounts. From the Mailbox Settings tab on the user's account (Recipient Configuration, Mailbox), click Messaging Records Management, then Properties. Select the Managed folder mailbox policy in the Messaging Records Management dialog.

Now you need to configure the server to run the policy. Go to Server Configuration and select Mailbox. In the right pane, right-click the Mailbox server and go to Properties, Messaging Records Management tab. In the Schedule the Managed Folder Assistant box, select Use Custom Schedule. Select the times and days during which you want the managed folder assistant to run. I recommend running it overnight, 2 - 3 days a week.

These steps can also be applied using the Management Shell. For the commands, see http://technet.microsoft.com/en-us/library/aa996359.aspx
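The same four steps as an Exchange 2007 Management Shell sketch. This is an added example, not taken from the newsletter or the TechNet article. The settings name, policy name, server name, 3-day age limit and schedule times are assumed placeholders; the `-ManagedFolderMailboxPolicyAllowed` switch suppresses the confirmation prompt about Outlook clients older than 2007.

```powershell
# Added example; run in the Exchange 2007 Management Shell.
# All names and times below are assumed placeholders.
$settingsName = 'Purge Deleted Items'     # assumed content-settings name
$policyName   = 'Deleted Items Cleanup'   # assumed policy name
$serverName   = 'MBX01'                   # assumed Mailbox server name
$ageLimit     = '3.00:00:00'              # assumed: keep items for 3 days

# 1. Content settings on the Deleted Items managed default folder.
#    WhenMoved starts the clock when the item arrives in the folder;
#    DeleteAndAllowRecovery leaves the item available to Recover Deleted Items.
New-ManagedContentSettings -Name $settingsName `
    -FolderName 'Deleted Items' -MessageClass '*' `
    -RetentionEnabled $true -RetentionAction DeleteAndAllowRecovery `
    -AgeLimitForRetention $ageLimit -TriggerForRetention WhenMoved

# 2. Mailbox policy that links the managed folder.
New-ManagedFolderMailboxPolicy -Name $policyName -ManagedFolderLinks 'Deleted Items'

# 3. Apply the policy to every mailbox on the server.
Get-Mailbox -Server $serverName -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy $policyName -ManagedFolderMailboxPolicyAllowed

# 4. Run the Managed Folder Assistant overnight, three days a week.
Set-MailboxServer -Identity $serverName -ManagedFolderAssistantSchedule `
    'Mon.1:00 AM-Mon.3:00 AM', 'Wed.1:00 AM-Wed.3:00 AM', 'Fri.1:00 AM-Fri.3:00 AM'

# 5. Verify: list mailboxes still without a policy, then show the schedule.
Get-Mailbox -Server $serverName -ResultSize Unlimited |
    Where-Object { -not $_.ManagedFolderMailboxPolicy } |
    Select-Object Name, ManagedFolderMailboxPolicy
Get-MailboxServer -Identity $serverName |
    Format-List Name, ManagedFolderAssistantSchedule
```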

If you don't use Exchange server or prefer to enable it using GPO, the registry value is EmptyTrash (DWORD) under the key
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Preferences

Using AutoArchive to empty these folders is another option, however it can't be set up using GPO. Right click on the Deleted items folder and choose Properties, AutoArchive. Set this dialog to delete items a day or two old. Click the Default AutoArchive Settings button and set it to run every day or so. Do not apply the AutoArchive to every folder, unless you want the settings on this dialog applied to all folders.

More Recurrence Pattern Annoyances

Tom has this to say: "I have a recurring item in which I can attend a function on a monthly basis either on the 3rd Monday of the month or the Wednesday following the 3rd Monday of the month. Of course, that Wednesday is sometimes the 4th Wednesday of the month and sometimes the 3rd, but it’s always the same pattern. Outlook can’t handle that but GroupWise can.

I always have wondered why Microsoft can’t add that capability. It’s not that hard. Part of me thinks that Outlook’s fundamental problem is that it was set up to be used for at home and in the office and it has to serve two masters, whereas GroupWise was and is strictly a corporate e-mail client. Obviously, Outlook won the war, but there are things it cannot do."

I don't believe the lack of depth in recurrence patterns is because Outlook was designed for both home and corporate users. When I've discussed the lack of a 5th [weekday] of the month option with members of the Outlook team, I got the impression they didn't see a need for more recurrence patterns. Maybe they never used GroupWise? It really does have better recurrence options.

OOF in Exchange 2007

An Exchange 2003 user, moving soon to Exchange 2007, wants to know if he can set up Out-of-Office to automatically activate during his non-working hours (nights and weekends).

While Exchange 2007 has many improvements for out-of-office replies, it's not perfect. Users can set it ahead of time to run at a specific time, such as between 10 AM and 1 PM tomorrow, and won't need to remember to turn it off, but they can't schedule a series of OOF times. If you need to use OOF every night and over the weekend, you'll need to remember to set it sometime during the day for the 5 PM until 8 AM period. Also in Exchange 2007, you can configure different OOFs for internal and external messages and limit OOFs to contacts in your address book. You will need to use Outlook 2007 or OWA with Exchange 2007 to take advantage of the new OOF options.

Note that it’s not usually necessary to set an OOF for nights and weekends since those aren't traditional business hours and most reasonable people realize this, but you should set it when the time off is during the traditional business week. (Yes, I know not everyone is reasonable and I've had my share of emails at 3 AM ET wondering why I haven't replied to the 1 AM email yet.)

Remove the file lock from a PST

Twice this week people asked about the lock that Outlook keeps on a PST after the PST is closed. In one case the user wanted to delete or move the PST after closing it; in the other they wanted to make the PST available to other users on the network. While network access of a PST is not supported or recommended, it is possible to release the lock faster.

Outlook keeps the lock on the file for about 30 minutes but there is a registry hack that will cause Outlook to release the lock much sooner. If the following key doesn't exist for your version of Outlook, create it, then add the DWORD PSTDisconnectDelay and edit the data value. (A hexadecimal value of 10 equals 16 seconds.)
HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\PST (replace the xx.0 with your Outlook version number).

See http://support.microsoft.com/kb/222328 for more information. 

New Exchange KB Articles

A downloaded .xls file attachment is empty when you open the file by using Outlook Web Access on Exchange Server 2007 Service Pack 1
http://support.microsoft.com/?kbid=950675 

A malformed thread-topic field is shown if a message is sent from a mobile device that is using Exchange ActiveSync
http://support.microsoft.com/?kbid=954727 

A MAPI application crashes on an Exchange Server 2003 server
http://support.microsoft.com/?kbid=943127 

A meeting request is displayed as a standard e-mail message when a Domino 7.x user sends a meeting request to an Exchange 2003 user
http://support.microsoft.com/?kbid=948451 

After you reply to a message, or you forward it, the message is downloaded again to the POP3 client when you reconnect to a mailbox that is hosted by Exchange Server 2007
http://support.microsoft.com/?kbid=947333 

Description of Update Rollup 6 for Microsoft Exchange Server 2007 Service Pack 1
http://support.microsoft.com/?kbid=959241 

Exchange Server 2003 routes messages incorrectly after you create an X.400 connector that has multiple organizational unit (OU) attributes in an address space
http://support.microsoft.com/?kbid=947638 

Messages stay in the local delivery queue on an Exchange Server 2003 server if the References field of those messages is larger than 8 KB
http://support.microsoft.com/?kbid=951558 

MS09-003: Description of the security update for Exchange 2000 Server SP3 and Exchange Server 2003 SP2
http://support.microsoft.com/?kbid=959897 

MS09-003: Vulnerability in Microsoft Exchange could allow remote code execution
http://support.microsoft.com/?kbid=959239 

The custom message class of contact object is overwritten by the normal IPM.Contact class when an Exchange 2007 server replicates the contact object to any other public store
http://support.microsoft.com/?kbid=957748 

The Microsoft Exchange Transport service crashes continuously after you enable journal rule or deploy an antivirus application on an Exchange Server 2007 server
http://support.microsoft.com/?kbid=956624 

The spelling checker in Outlook Web Access recommends that the word Tosco be changed to Tesco
http://support.microsoft.com/?kbid=951707 

The Wmiprvse.exe process crashes on an Exchange Server 2003 server
http://support.microsoft.com/?kbid=947485 

You cannot install Exchange Server 2003 Exchange System Manager on a Windows Vista-based computer
http://support.microsoft.com/?kbid=939559 

New Outlook KB Articles

Description of the Outlook 2003 Junk E-mail Filter update: February 10, 2009
http://support.microsoft.com/?kbid=959614 

Description of the Outlook 2007 Junk E-mail Filter update: February 10, 2009
http://support.microsoft.com/?kbid=959634 

The "Recover Deleted Items" option in Outlook 2007 is still available after you set the DumpsterAlwaysOn registry entry to 0
http://support.microsoft.com/?kbid=959878 

You cannot use Group Policy settings to configure Outlook Anywhere (RPC/HTTP) settings
http://support.microsoft.com/?kbid=961112 

New Utilities

SafestMail4Outlook
http://www.sa4o.com/sa4o.html 
Permission-based and Bayesian logic. Protect your e-mail against spam. Sa4o provides 9 filtering levels - SPF, sender's e-mail address, domain, subject, body content, header content, file attachment type, sender's country and Bayesian method. Version 2 includes unspecified updates.

Updated Utilities

Mailscape
http://www.enowconsulting.com/mailscape/overview.asp 
Now supporting Blackberry Enterprise Server, Mailscape is a systems management tool that assists Exchange Administrators in monitoring, maintaining, and load balancing Exchange and BES. Mailscape’s dashboard provides Administrators with vital information about each server’s current health and growth rate to facilitate proactive Exchange management. Mailscape includes many new and enhanced reports to help administrators to optimize system performance and senior executives to make well-informed planning and budgetary decisions.

Pop Collector
http://www.cedit.biz/software-products/10-pop-collector.html 
POP collector to download POP3 mails and forward to Exchange. Automatically installs as service on Windows 2003. Logging is configurable. Freeware.

ShareCalendar
http://sharecalendar.4team.biz/ 
Share and synchronize Outlook Calendar folders without a server. Group Scheduling.

ShareContacts
http://sharecontacts.4team.biz/ 
Share and synchronize Outlook Contacts folders without a server. Version 3.

ShareO
http://shareoutlook.4team.biz/ 
Share Outlook calendar, contacts, journal, mail, tasks and notes folders with other Outlook users without a server. Share documents and files. Scheduling. Sharing Free/Busy information. (Version 3)

Other Resources

Microsoft Security Bulletin MS09-003 - Critical
http://www.microsoft.com/technet/security/Bulletin/MS09-003.mspx 
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239). This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding. This security update is rated Critical for all supported editions of Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, and Microsoft Exchange Server 2007.


ISSN 1523-7990
Copyright 1996-2009, Slipstick Systems and CDOLive LLC. All rights reserved.