E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

It's two months and counting

To End of Life of Windows NT Server.  So for anyone still running SBS 4.5 [or heaven forbid SBS 4.0] the clock is ticking folks. 

Microsoft Monitor talks about the latest Steve Ballmer memo about Windows versus Linux and he says it's related to the end of life of Windows NT and the announcement of Dell and Novell's SuSe Linux.  For the small biz space, I still don't see a huge move towards Linux especially as the main domain controller.  Medium firms, larger firms, but not down here.

So get ready to say goodbye to DIP switches.

Goodbye to no plug and play.

Goodbye to closing my eyes and thinking happy thoughts as I would reboot my SBS 4.5.

Goodbye to a platform that served us well, but it's time is now over.

So I think Princess Aurora would be using a laptop, wouldn't you?

My apologies, it's a little hard thinking geek topics tonight when I'm standing here in a purple gown, flowing sleeves that keep getting in the way, a long red wig and a “Princess” hat on.  You see tonight is the tradtion of “trick or treat” called Halloween.  So at my door cats, witches, and other assorted characters come to my door asking for candy in exchange for yelling “Trick or Treat” at the door.  We decorate our house and I always dress up in a costume to answer the door. 

So right now in between “treak or treaters” I'm on the wireless, typing on the laptop and shoving up my sleeves.  But I think if Princess Aurora was around today, she'd be on the Internet and she and Prince Charming would be making sure they stayed in touch with their subjects.  You don't have to be a member of the Geek Squad to be “online” and “in touch”.  She'd have a MP3 player, I think, along with a dvd player, either a TIVO or a Windows Media edition, and of course so she could swap photos with Snow White, a digital camera and what not and probably be a “mobblogger“.  She'd have a smart phone for certain.  She and Prince Charming would have RSS feeds of the latest happenings of the Kingdom.  You know... the latest of what's up with Flora, Fauna and Meriweather and what not. 

Seriously, look at the technology that is now used in animation and entertainment that we take for granted.  Pixar has a product called “Renderman“.  Heck, who 'da thought that “Ray Differentials and Multiresolution Geometry Caching for Distribution Ray Tracing in Complex Scenes“ was uber geek speak for “this is how we do that really cool animation at Pixar“.  Shrek 2 was done with faster better computers, and George Lucas used newer technology to update Star Wars.

So as I go to answer the door again, just remember that technology is all around us and is even entertaining us.

Happy Halloween everyone!

Is your Outlook posting appointments an hour off?

Note to all... if you have a sudden problem with one or two workstations in your clients' offices that insist on booking appointments an hour off of everyone else, make sure they have the box checked “automatically adjust for daylight savings time“ by clicking on the time in the system tray and checking the second tab on the time screen that pops up.  I swear that EVERY OEM Dell I've ever purchased does not retain this setting, yet every workstation that I've personally installed has kept that setting.  Yet Dell support reps blame Microsoft, yet I know that cleanly installed XP machines retain this setting.

Bottom line, if you've bought a new Dell since April, double check this little box, otherwise that workstation may think it's an hour different than everyone else.

Remember we're changing the time tonight!

KBs of Interest

Issues that may occur when you use Outlook Mobile Access with Sony Ericsson mobile devices in Exchange Server 2003:
http://support.microsoft.com/?kbid=871194

You may receive an "Error 1920. Service RtcSrv (RtcSrv) failed to start" error message when you try to install Live Communications Server 2003:
http://support.microsoft.com/?kbid=883320

"The following user settings are private" error message when you try to migrate a user's profile to Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=886210

"HTTP 500 - Internal Server Error" error message when you try to open the Companyweb Web site after you perform a disaster recovery in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=886618

Low disk space may occur when you use the Remove E-Mail Attachments feature in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=828058

Small Business Server 2003, Standard Edition does not support dial-on-demand USB networking devices:
http://support.microsoft.com/?kbid=829045

How to Reinstall the Small Business Server 2003 Consoles:
http://support.microsoft.com/?kbid=829622

How to move the client programs folder to another location in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=830254

Users cannot connect to your Small Business Server 2003 computer by using Remote Web Workplace:
http://support.microsoft.com/?kbid=886206

The Backup Configuration Wizard ends and you receive an "Unspecified error" error message in Small Business Server 2003:
http://support.microsoft.com/?kbid=886297

Some administrative shortcuts may be missing from the Administrative Tools menu if you perform an in-place upgrade of Small Business Server 2000 to Small Business Server 2003:
http://support.microsoft.com/?kbid=885956

Fax send fails when you try to send a fax from a Windows XP-based client computer through a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=885123

So what kind of VAR/VAP are you?

Now before you say, well that's because you run a Windows network.  No.  It's because I run a NETWORK, period.  A living, organic, working environment that needs vigilence. 

Today in the Encase, Computer forensics class, the instructor was asking one of the students about his position and the student said that most of the time his job included “firewalls”.  So the instructor said well you probably just set them up once, right?  And the student said, “No actually on a regular basis we have to examine intrusion attempts, ensure that remote access to the network has only been done by authorized employees”.  You don't just set things up and walk away. 

Take today for example, I got a couple of alerts about Bagle varients, next month, second Tuesday we will have another Patch day to review the patches for, and on a regular basis, I would argue that you should make sure that no one has changed the network you have configured.  To ensure that a network is secure, passwords and passphrases should  be changed, the network should be scanned for rogue wireless access points, to just make sure that everything is as you left it.

Look around us.  What we consider to be secure today will not be secure tomorrow.  Already RSA has announced a Small Business push for two factor authentication.  May of the folks in the class that worked for larger firms already do this.  That's something I'm interested in checking out.

Think about the last few years.  What we take for granted now, we did nothing like this a few years ago.  Look at just what happened Thursday in the USA.  A law went into affect called “Check 21”.  No longer will you be getting copies of your paper cancelled checks, instead you will get a “digital” image.  This of how much we email, fax, send electronically, order over the web now than we did a few short years ago.

You know what this business is like, the things you did ten years ago, five years ago are not what you do now.  Heck, did we even know what Voice Over IP was a few years ago?  And now more and more businesses are intregrating it into their networks. 

Security is not an end goal.  It's a process.  We don't get a map, a final destination, it's like life.... we keep growing, learning, changing, evolving.

Over the last four days, I used computer tools to search for emails that were deleted, for documents printed.  I remounted drives that were fdisked.  I made hashes of certain files that I was looking for and ran an exam against the hard drive to see if those files that weren't supposed to be on that hard drive, were in fact, on there.  I learned that as we were there using the Internet on our lab machines, traces of our activity, our email from our offices were leaving there traces in our Internet temp files [just another reason to never use Internet kiosk machines to check email and to only use your own computer], that while one piece of circumstancial evidence might be explained away, that the patterns and history I was finding left trails behind.

Our “digital lives“ need constant attention.  Setting networks up, of any flavor, whether Linux or Small Business Server flavors, is not just about setting them up securely right NOW.   Keeping safe on the Digital Information SuperHighway age means that you will reevaluate that network on a regular basis.

Heck look at me now, sitting in a hotel room, connected wirelessly typing up this hopefully somewhat coherent post.  It wasn't too long ago that I was pretty much dialing up on the road.  I haven't used the phone cable in my laptop bag in ages. 

So getting back to the point of this rambling post, I don't think you guys just set up networks and walk away.  I think more of you guys out here are the other kind of VAR/VAP.  The one who is the Outsourced Chief Information Officer and not just “the guy [or gal] who installed the network“.

What's your favorite add on to SBS 2003?

Went out to dinner tonight with Jim Locke [founder of the LA SBS User/partner group] and we were talking about how we didn't know if there was a web site resource that listed ALL of the products that had “SBS” versions that we had come across.  We were talking about how I had sent Dana to talk to Jim about the SBS marketplace and how it was really hard to find out sales numbers for our marketplace out here to give as a “carrot” for vendors to start coming into this space.  The best I”ve found is some Yankee Group research, but even then a lot of vendors have to, I guess go on faith.

I'd like to start blogging about those vendors that have made the effort to join the SBS family.  Kind of a way to keep track of those folks that have taken the time to be SBS family members. 

We already talked about those vendors that came and supported SMBNation. 

In Googling “Small Business Server 2003 version“ let me see what I can find:

Hmmm... got a little problem here Vern.  I'm not getting hits of programs that have SBS versions.  But I know they are out here.  I know for a fact that Yosemite Tape Backup has a SBS version.

There's got to be more than this.

Okay folks... help me out here!  If you know of a third party program that has a SBS version, either post it in the comment section or email me at sbradcpaATpacbell.net and I'll accumulate the programs that you've found to be “SBS Family members”.

<oops realized I screwed up my email address -- it's sbradcpaATpacbell.net>

Are you signed up for the MSSmallbiz update?

Microsoft Small Business Community (http://www.mssmallbiz.com) Update

Topics in this October 28^th update:

1) Tuesday, November 19^th Microsoft Small Business Channel Licensing Training Session
2) New MS Small Business Community User Guide Posted
3) Coming next week – Exchange Server 2003 SP1 and the Intelligent Message Filter Session posting
4) Microsoft Across America Events you can participate in for FREE
5) NEW – Microsoft Small Business Partner Engagement Program



1) MS Small Business Licensing for Partners - Microsoft Small Business Channel Training Session

Many of you have asked for this session, and now it is here!

Join us for this exclusive, Microsoft^® channel-only event.  The “MS Small Business Licensing for Partners,” sales training session is being offered to our Small Business Channel Community to provide you the information and resources you need to differentiate yourself and win more business.  This session was developed exclusively for our channel partners based on feedback and requests from the highly-rated “Triple Your MS Sales in 2004,” and “SA for Channel Partners” sessions we ran earlier in our Midwest Area.  Consider this a MUST ATTEND event if:

1)       You sell to companies with 75 PCs or less.

2)       You want to know the real differences between OEM, Retail, and Volume License software and which is right for your customers.

3)       You want to understand the differences between Open Business and Open Value and when to use each.

4)       You want to learn what Software Assurance REALLY is and how to sell it

5)       To learn about current rebates, promotions, and tools you can use to drive more business today

6)       You want to know how your customers may qualify for FREE Microsoft^® Office licenses, or FREE training on Microsoft^® Office or Server products they purchase from you.

7)       You want to build customer relationships that have them coming back to buy from you over and over.

8)       You want to learn about the NEW Microsoft^® Small Business Channel Community

Knowledge IS power.  Come learn how to win more business today! 
Presented by: Eric Ligman - Microsoft^® Business Development Manager – US Central Region

Don’t just take our word for it…  Here are just a few comments from other MS Channel partners that have attended these sessions in the past:

- “Your presentation outlining licensing and software assurance clarifications was quite the epiphany.”
-  “Excellent session.  I would like to attend more as everything makes more sense after attending.”
-  “Outstanding presentation.  Very happy I made the trip.”
-  “This session REALLY helps.”
-  “Wow – fantastic information…  Today was time well spent!”
-  “Excellent presentation.  A lot of information in a short amount of time.”
-  “Great session.  Lots of content at summary & detail level.”
-  “All partners should be required to attend a meeting like this.”
-  “Great presentation!  Very informative regarding licensing.”
-  “Topics covered were excellent, learned a lot.”

Tuesday, November 9, 2004 from 11:30 AM (CST) – 1:30 PM (CST)

To register or for more information on this session, please go to:
http://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032263703 or
http://www.microsoft.com/usa/events and enter Event ID 1032263703 in the Search box or call 877-MSEVENT and provide them with Event ID 1032263703.  Be sure to register today!

2) New MS Small Business Community User Guide Posted - We have posted a new Small Biz Community User Guide document in the MS Small Biz Shared Documents section of our site (http://www.mssmallbiz.com) describing how to do many of the most common questions we get asked.  Be sure to check it out and provide us your feedback on anything else you would like to see added to this Guide.

3) Coming next week – Exchange Server 2003 SP1 and the Intelligent Message Filter Session posting - Be sure to check out the Announcements section of our site next week (if you don’t already have an Alert set up on it) as we will be posting the registration information for Brad Billison’s (Central Region Small Business Technology Specialist) upcoming Exchange Server 2003 SP1 and the Intelligent Message Filter LiveMeeting session that he will be conducting in November.  The feedback on Brad’s Windows SharePoint Services session in October was great and the Exchange session is bound to be fantastic as well!

4) Microsoft Across America Events you can participate in for FREE - Did you know that you have the ability to participate in a local Microsoft Across America event in your area for FREE?  This is free marketing for you and an opportunity to meet new prospects, be highlighted as a Microsoft Partner, and give you more exposure in your local markets.  Participation can range anywhere from having a table in the back of the event to show your services to having a timeslot on the NEW Microsoft Across America mobile Technology Vehicles to bring your customers and prospects through and show off the latest Microsoft technologies!  And the best part…  it’s FREE!  Be sure to go to the Microsoft Across America section of our site for information on how to sign up, locations in the Central Region that we have openings for you to participate in and more (including pictures of the NEW mobile Technology Vehicles listed above.  (http://www.mssmallbiz.com)

5) Microsoft Small Business Partner Engagement Program - Enroll in the Partner Engagement Program for Small Business!  Designed for re-sellers with small business clients, involvement in this program will support your marketing and sales efforts for Microsoft® Windows® XP Professional (with Service Pack 2), Office Small Business Edition 2003, and Windows Small Business Server 2003.  As a member of the Microsoft Partner Program, you're well-positioned to provide your customers with services designed to improve their business productivity while generating incremental revenues for you. To start expanding your service and revenue opportunities right away get involved and sign up for this Small Business Engagement Program!  Click here to learn more: https://partners.microsoft.com/Pep/default.aspx

From Today's mailbag, James asks "Do you send emails to clients prior to the install?"

From today's mailbag, James asks “What type of emails do YOU or others send to the companys employee's to get them excited about the install that is coming soon?“ 

Good question.  I know in my firm we have training sessions to ensure that folks know how to use the new stuff and while the SBS box sends out an “welcome to your new server“ email, it certainly isn't something that folks probably take the time to read. 

I know that Chad does indepth training in Outlook [and Sharepoint] for his clientele but I don't know if he sends out emails “ahead“ of time. 

This is part of that “managing expectations“ process.  There does need to be a process where you communicate with your clientele and ensure they are aware of the process. 

In my firm, before the install is rolled out, I normally don't send out notifications ahead of time, I do the training once the install is rolled out. 

So I'll ask the community out here.... do you send out emails ahead of time to let the employees know what is in store?  How much training do you budget ahead of time for your install?

About that "Windows Validation"

I see folks on the web talk about how you MUST validate your Windows before downloading some things like the Microsoft Time zone tool.

That's actually incorrect.  You can say “no” to validation and still get to the download page.  Personally, while I understand that any corporation needs to worry about piracy and what not, what I don't like is how it penalizes those of us who are trying to do the right thing. 

“No, do not validate Windows at this time, but take me to the download.“

At this point in time you “can“ say no.

In our MVP community several people have noted that even on OEM installs it has failed to validate the operating system and they've had to either “opt out” or dig up the product key code to make it validate properly. 

Before you penalize those of us that ARE trying to do the right thing, make sure this is bulletproof... especially for those OEMs, okay? 

And another thing.  While I'm in rant mode here tonight, can we do a little bit better job of communication when you bring out new initiatives like this and the new KB search and Microsoft support pages? 

I don't know if it's that Microsoft sends too many emails or not enough, or not the right kind, but I must have missed the memo about the changes to the Microsoft support web site and to the Validation initiative. 

A little less on some stuff and more on stuff that truly touches me, okay?

Why aren't we?

So I'm chatting with Eric F and he brings up that much of this can be done with group policy.  So off to google I go to check and sure 'nuff, we can block this stuff like this.  So why aren't we?

The article “To create a hash rule” talks exactly how to do this in Software restriction policies.  Now granted it would probably be tough to do this, and might be easier to build the “here's the good program” database and just put in those programs that CAN be run, but why aren't we utilizing more of this power that we have already under the hood?

Like all the running around with our heads cut off we've been doing for the gdiplus.dll issue.  Couldn't we build a restriction policy to either allow only the good one to run or the bad one not to run?  Or am I oversimplifying this?

NIST has hash files that you can subscribe to along with other sources on the web.

I just think that as we go forward more of the “kewl” stuff like this will be more integrated and automated.

Well those of us in the USA have to get something in return!

I just found that there's a new TechNet Magazine that is free to techies in the USA. 

I just ordered my copy and you can review some of the articles online.  Dr. Jesper Johansson and Steve Riley are working on a book together and a sneak peak is included in the first edition of TechNet Magazine.  Anatomy of a Hack talks about what you need to know that the “bad guys” already know.

Got your policy in place?

So ...do your clients have a security policy?  Do your clients require their employees to sign the policy?  Does it document what resources they have the rights to access?  Is it less than 10 pages?  This is approximately the size that will result in 15 minutes of attention.  If employees cannot read it in 15 minutes it's too long.

I'm listening to a recording about the subject and one of the recommendations they make is to make sure that the boss is aware and in agreement of the policy.  Do you ask your client if they have a policy?  Do you recommend that you help them craft a policy.... one that they can live with? 

One of the discussions we got into today is what is acceptable for one firm, may not be for another.  A guy from a software firm that does databases [and no it wasn't Microsoft] was saying that they use internal and external IM because for their environment they need this type of “collaboration” enviornment.  So for him, he can't restrict IM.  Another firm who is an insurance company has to worry about HIPAA and any ePHI can't go over IM without protection and logging.  So for her environment, IM is not acceptable.  At least not “normal” IM that most of us use. 

I realized today... as I was in the class that had Internet access on the desktops, that I would try out the web based MSN IM and realized that it appears that the traffic for MSN IM goes over port 80.   You know port 80?  What the experts call the universal firewall bypass port? 

It's clear to me that if we don't have the written policies in place to help the people know exactly what they can and cannot do, even in our small firms, we're not properly matching up policies with technology.  Even in our firms, have both in place.  We have risks just like big firms.  Your security policy should be a clear roadmap of what your risks are.  If your clients, if you, have as your biggest risks worms and viruses, if your security policies do not include limitation or blocking of web based email, you are not aligning your policies with your risks.

So the next time you are in your client's office, ask them what their “pain point“ is... what are the biggest risks they face?  Now have them grab their security policy.  Compare that policy with what they just said their risks are.  Do they line up?

Hey the hotel has wireless!

While the advertisement of the hotel only said “dataport” the nice surprise was that it had Wireless Access in the rooms.   Right now I”m not my “baby laptop”, my Acer Tablet PC just about ready for bed.  Tomorrow will be day one of a four day geek fest.  At the hotel I”m on a 172.16.x.x network here and one thing I forgot to do to this laptop just to do a smidge more security by obsecurity....not that I don't already have Windows Firewall enabled and Trend micro's turned on ...and no matter what Trend Micro's installer says, the two cohabitate just fine..... is change the Workgroup name to “not” be workgroup.  I try to make laptops that I use for the road to be “just for the road” and I don't have them as domain units.  If I'm hanging out in wireless all over the place, taking the laptops to security venues and loading gawd knows what tools on here, I don't like them anywhere near my production domain.

I consider this the ulimate “air gap”.  I will use a USB pen drive and what not, but my machines that are my “test beds” I like to stay separate from the real network. 

I also make sure my laptop is up to date on patches and anti virus def files if it's going out on the "highway".

What about you?  Do you take extra precauctions in your role as consultant to ensure that you don't get infected when connecting to others?

I'm going to be a bit offline the rest of the week

I'm going to be a bit offline the rest of the week and checking with the hotel where I am staying, it looks like it only has dial up.  Ugh!  I'll be in search of a Starbucks for sure.  But it's all for a good reason.  The firm that I work for [you know, the day job] specializes in litigation consulting and for awhile we've been “dabbling” in forensics and are seeing a need going forward.  So I'm off to Pasadena tonight to start four days of training at Guidance Software/Encase. 

David Coursey went to the training and talked about it at Eweek recently.  NIST even has a paper on PDA forensics.

Personally I think I'll end up being even more paranoid than I am now... which may or may not be a good thing.  Friday night I went on a candlelight historical tour and one of the mansions that I walked through is now re-used as an office building by Attorneys.  What do I remember most about that building?  Not the wood staircase or the vaulted ceilings.  Oh no.  I remember freaking out that as part of the public tour they had us on walked right by their Windows 2003 server for the firm.  [And not an SBS box at that too!]

Nice physical security there.  We're making sure in my office that our new server that is being added to our network is in the locked network room, the patch panel is also under lock and key.  Our workstations have locks as well. 

After I get back from Encase training, I'll probably never let anyone save anything ever again. 

:-) 

So I have my SBS 2003 loaded up and where's that Internet Connection Sharing?

Many times in the newsgroup the question gets asked “I just loaded up SBS and am looking at the network connections tab and there's no Internet Connection Sharing.  Where is it?”

It's not there because we just something better.  We have a RRAS firewall in SBS 2003 Standard or an ISA firewall in Premium.

<Click here for a larger view and click here for Handy Andy's step by step>

See that “Connect to the Internet in the “To Do“ list that loads up after you finish the SBS install?  THAT's where our wizard lives to help you connect your server to the internet.  None of this wimpy Internet Connection Sharing stuff - we have a better way to connect.

And is everyone aware of the Chat coming up on this?

Windows Small Business Server 2003 Configure E-mail and Internet Connection Wizard

Join Microsoft experts on October 26, 2004, 2:00-3:00 PM PDT, to discuss how the SBS 2003 Configure E-mail and Internet Connection Wizard (CEICW) can help you configure your network.

Add to Calendar

October 26, 2004

2:00 P.M. Pacific Time

Additional Time Zones

Enter Chat Room

Want to play a game?

A game of picking passphrases? 

Okay here's the rules.  Think of a passphrase that you would use.  Say.... Mountain Dew comes in five flavors!  Now send that to passstud@microsoft.com.  In the latest installment of Passwords versus Passphrases by Dr. Jesper Johansson he asks:

In this installment of the passwords article series, we took a first a step toward analyzing passwords and pass phrases. As you might have noticed, however, we do not know much about the pass phrases people use. In order to understand more about this, we would like to ask you a favor. If you would like to help us, think of a pass phrase you might use (preferably not the one you are currently using!) and e-mail it to passstud@microsoft.com*. We hope to get enough samples to be able to perform some analysis on pass phrases and understand how they are actually formed.

Sounds like fun!

To whom it may concern:

I don't want Rolex watches.  I don't need V_agra.  I don't need P_nus enlargement.  I don't want an IBM laptop.

When I go to the HP web site and look at the 3d version of the zd7000 notebook, I didn't give you the right to suddenly load something called Viewpoint.

If I load up AOL's IM client, I also didn't allow you to load this up or whatever else you allow to tag along.  You have this ad campaign on that says you care about stopping malware.

To whatever software....I didn't give you the right to install Wild Tangent.

I didn't give you the right to install WexTech Answerworks either.

And ZDnet, after I specifically opted out of newsletters and email, I still ended up with junk mail from you guys.

Apparently you as vendors think that we're stupid enough just to put up with this?  Maybe we are because we aren't putting up the fuss we really should be doing.

And the sad part is how much effort we put into cleaning these boxes up.  We can't trust them anymore.  Yet we spend so much time and energy in malware tools when we should be flattening them and rebuilding the systems.

I was just chatting online with a guy who just rebuilt a system yesterday, loaded up AOL IM [for friends and family] and ended up with Viewpoint.  So I'm recommending that he loads up Trillian instead that plugs into multiple IM clients.  Mind you he's re-flattening a system he just built because he's in an industry were security is important and having programs “do thing” that he didn't authorize is just not his way. 

Maybe that's the thing to do.  “Vote” with our feet and walk away from vendors that do this.  Or email them.  Or talk to their representatives.  Or.... well you get the idea.... start speaking out against this.  If we don't, we won't “own” our systems anymore.

Okay I'm in a mood....

Fredly posted in the newsgroup asking a question about Watchgard versus ISA and where ever he crossposted to responded back that he had gotten another response that said this:

“The best thing you can do is to get a firewall as Watchguard or another box
and remove the ISA. Its never any good ide to run a firewall on the same as
your production server. I cant think off any explanation why MS dont removed
the ISA when they removed the TS on SBS2003, its a bad ide to have firewall
on your production server, very bad. But if you have the Watchguard you will
be safe, and then you only need one network card. But if you only are runing
ISA, DHCP and DNS and not excahnge or other stuff, then you can use your SBS
as a stand alone firewall and thats ok, but maybe a litle overkill to have a
SBS box for that and not only a standard server with  ISA.”

To whom it may concern that posted that:  The best thing you can do is to understand that right now my vulnerabilties, my threats, my weaknesses are not my ISA on my domain controller but the fact that many of my line of business apps want local administrator.  Having a firewall on our little boxes is not where my security threats are coming in from, dude.  It's my blasted desktops that cause me my grief.  A firewall is a speed bump.  A Watchgard firewall is also just “software on a box“.  And right now with my Shavlik, I have a patch tool for my firewall.  Watchgard needs patching just like anything else. 

As long as you are running Windows 98 or XP's in local administrator mode, the number of NICs, the position and make/brand etc of your firewall is irrelevant. 

My threats are not attacking my domain controller.  They are attacking my desktops. 

As long as we don't understand where our true vulnerabilities are.... we will be arguing while the house burns down in flames behind us.

UPDATE:  Bruce Schneider has a blog post on this subject:

http://www.schneier.com/blog/archives/2004/10/security_inform.html

“Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products -- and are still insecure.

Firewalls didn’t keep out network attackers -- in fact, the notion of "perimeter" is severely flawed. Intrusion detection systems (IDSs) didn't keep networks safe, and worms and viruses do considerably damage despite the prevalence of antivirus products.

The key to network security is people, not products.”

I'm tempted to move. Aren't you? Jeff and Swing IT!! is coming to town near you.

Oh man, am I envious of you guys in Australia.  You have a very special event coming up in the next months.  Combine that with three VERY special folks involved in it, I'm tempted to move to Australia.  Jeff Middleton, SBS MVP and migration guru of SBSMigration.com will be in Australia.  HP and Microsoft are presenting the HP and Microsoft SMB Reseller Summit in various locations in Australia.  He'll be discussing his Swing It!! Kit which includes the Swing It!! Reference Kit and the Swing It!! Technician Kit.

The “Swing IT!!“ migration is a method that Jeff [and many of the larger partners] have been using for years - a way to ensure that you keep the domain name and don't mess with the desktops.  As Jeff puts it, you don't have to plan for only weekend installs anymore.

Then you have both Wayne Small AND Dean Calvert, again, both SBS MVPs presenting there as well!

Now what's funny about this is we always joke that Jeff is about two years ahead of the marketplace and he does most of his consulting and what not remotely.  Given that he crosses the international date line in the process, Henry was joking that Jeff can actually pro-actively support his clientele the day before something happens in their networks.  ;-)

Seriously though, this summit looks to be fantastic and one that I'd be definitely going to.

Perth

Thursday 11th Nov 2004

Hyatt Regency Perth Hyatt Regency Perth

99 Adelaide Terrace

Perth WA  6000

Adelaide

Wednesday 17th Nov 2004

Adelaide Convention Centre Adelaide Convention Centre

North Terrace

Adelaide  SA   5000 

Sydney

Tuesday 23rd Nov 2004 

Sydney Convention Centre Sydney Convention & Exhibition Centre

Darling Drive

Darling Harbour

Melbourne

Wednesday 1st Dec 2004

Crown Towers - Melbourne Crown Towers

8 Whiteman Street

Southbank  VIC  3006

Brisbane

Tuesday 7th Dec 2004

Brisbane Convention & Exhibition Centre Brisbane Convention & Exhibition Centre

Cnr Merivale & Glenelg Streets

South Brisbane  QLD  4101

He may not post often....but when he does a gem

Charlie Anthe [SBS release manager/Volleyball guru] comes through once again with a gem of a post.  And he showcases how Microsoft really uses the Dr. Watson “dump” technology to understand what is going on under the hood.  Interesting that hardware is one of the issues that they are seeing.  I've [knock wood] chugged on my SBS 2000 because of the hardware I chose.

Eric F also loves dump files.  You can be pounding your head on an issue and you contact PSS [Eric is “uber PSS” i.e. he's called in on the really gunky “weedy” stuff] and within seconds/minutes after uploading that file they are telling you what is going on with your system.

You hit the “send this to Microsoft” when the crash program prompts you and you help all of us.  Now that said, I still have people think that they specificially track the crash that got sent up such that “I” can just call Redmond and say “Hey we just hit the send button and can you look up the dump crash our system just sent you?”  Doesn't quite work that way.  If you are having issues, call Microsoft Product Support Services and they can set up a dump session.  Make sure you state that you are running a SBS box to ensure that you get back to the “Motherships” for SBS [my nick name for the locations around the world that have the PSS support engineers that are just as wacko of SBSers as we are].  You are in very good hands when one of the SBS “Motherships” are at the helm.

Woody says SBS Rocks!

Woody's current “Woody's Office Watch” leads off with “SBS ROCKS!”

Why yes, Woody.. it does doesn't it?!

Don't you love good geek newsletters on a Friday?

Savvy computer users can do the SBS setup themselves, but we suggest
you save yourself a lot of time and angst - get a SBS consultant to
come in and walk through the setup and configuration with you.  We were
lucky enough to have Wayne Small from http://www.correct.com.au  who
did a first-class job.  After the initial setup, Wayne could remotely
connect to the machine from his office to make any fixes we could not
figure out for ourselves - a time and money saver for both consultant
and customer.

Once Wayne was done with the initial setup, we took over for the rest. 
SBS 2003 comes with some nice features for beginner administrators. 
There's a To Do list of items to work through and the Management
Console has wizards galore for common tasks like Adding users, Creating
Backups etc.

Way to go Wayne! [Fellow SBS MVP]

Have a glass of water and an extra strength aspirin on hand...but BE THERE!

I get word that MS is going to do a “Licensing” event.  Okay folks... all that complaining about licensing is obviously being heard.  I keep telling folks that Software Assurance is working for me. Even in David Coursey's column he talks about Software Assurance as being a “good thing“.   

Grab a glass of water, have an aspirin or two on hand just in case, but this event should be a MUST DO.  And I totally agree.  Knowledge is INDEED Power!

MS Small Business Licensing for Partners - Microsoft Small Business Channel Training Session

Tuesday, November 09, 2004 11:30 AM - Tuesday, November 09, 2004 1:30 PM (GMT-06:00) Central Time (US & Canada)
Welcome Time: 11:15 AM
Language: English-American

Many of you have asked for this session, and now it is here!

Join us for this exclusive, Microsoft^® channel-only event.  The “MS Small Business Licensing for Partners,” sales training session is being offered to our Small Business Channel Community to provide you the information and resources you need to differentiate yourself and win more business.  This session was developed exclusively for our channel partners based on feedback and requests from the highly-rated “Triple Your MS Sales in 2004,” and “SA for Channel Partners” sessions we ran earlier in our Midwest Area.  Consider this a MUST ATTEND event if:

1. You sell to companies with 75 PCs or less.
2. You want to know the real differences between OEM, Retail, and Volume License software and which is right for your customers.
3. You want to learn what Software Assurance REALLY is and how to sell it
4. To learn about current rebates, promotions, and tools you can use to drive more business today
5. You want to know how your customers may qualify for FREE Microsoft^® Office licenses, or FREE training on Microsoft^® Office or Server products they purchase from you.
6. You want to build customer relationships that have them coming back to buy from you over and over.
7. You want to learn about the NEW Microsoft® Small Business Channel Community
   

Knowledge IS power.  Come learn how to win more business today! 
Presented by: Eric Ligman - Microsoft^® Business Development Manager – US Central Region

Don’t just take our word for it…  Here are just a few comments from other MS Channel partners that have attended these sessions in the past:

-  “Your presentation outlining licensing and software assurance clarifications was quite the epiphany.”
-  “Excellent session.  I would like to attend more as everything makes more sense after attending.”
-  “Outstanding presentation.  Very happy I made the trip.”
-  “This session REALLY helps.”
-  “Wow – fantastic information…  Today was time well spent!”
-  “Excellent presentation.  A lot of information in a short amount of time.”
-  “Great session.  Lots of content at summary & detail level.”
-  “All partners should be required to attend a meeting like this.”
-  “Great presentation!  Very informative regarding licensing.”
-  “Topics covered were excellent, learned a lot.”

To register or for more information on this session, please go to:
http://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032263703 or
http://www.microsoft.com/usa/events and enter Event ID 1032263703 in the Search box or call 877-MSEVENT and provide them with Event ID 1032263703.  Be sure to register today.

So tonight on Dana's blog, he asks....

Which File Extension are You?

Well.... I do label myself blonde, so it fits doesn't it?

  ;-)

Source:  Dana

Ever notice how people tell you things ...after....

My Dad calls.  “I got this notification that my AOL account has been locked down to a terms of service violation and I have to go into the master account to re-open it”.  Okay, Dad, no problem.  It's probably an expired credit card or something, I'll take care of it as I'm the master account holder anyway.  [Yes I still have an aol account]

 Dear Member,

America Online's Terms of Service agreement (AOL Keyword: TOS) prohibits members from sending unsolicited bulk e-mail. This prohibition helps protect the AOL community from unwanted junk e-mail or spam.

On 10/21/2004 22:24:07 EST, your account was secured by America Online's Community Action Team because unsolicited bulk email was sent from the ######## Screen Name.

AOL secures accounts used to send bulk e-mail or spam because they often may be compromised: that is, somebody has stolen the account password and is using a screen name on the account to send spam without the knowledge or consent of the account holder. By securing the account, AOL ensures that an authorized owner regains exclusive use of the account.

We understand that taking these actions may inconvenience some of our members. However, we think you will agree that regaining security of your AOL account, and the personal information it contains, is top priority.

There are several ways that you can help to keep your account more secure. If you feel your account was compromised, these tips can be especially helpful.

Computer Safety Tip #1: Beware of websites that claim to be America Online. Remember, the only time you will be required to enter your password is when you log onto AOL or when you change your password at AOL Keyword: Password. Often members receive e-mails with a link to a website that claims to be an "official" America Online website. Be very cautious when going to one of these websites, especially if they are soliciting your password or personal information. Most AOL accounts that are compromised are compromised because the legitimate user clicked on a link or provided information in a scam pop-up or e-mail.

Generally an authentic AOL website will have "aol.com" somewhere within the web address, (i.e., aol.pictures.com). If you are unsure about whether a site is a legitimate AOL site, you can always try to go directly to the area (for example, if an e-mail or pop-up asks you to update your password, try closing the form and going directly to AOL Keyword: Password). If you want to make doubly sure, you can chat with one of our consultants online at AOL Keyword: Get Billing Help.

Computer Safety Tip #2: Beware of "Trojan Horses." Trojan Horses are files attached to e-mail or web pages, some of which send your AOL password to another person, allowing them to access your account. Never download an e-mail attachment sent to you by someone you don't know and be very careful about what you download from the Internet.

If you think you inadvertently may have downloaded a Trojan Horse program, go to AOL Keyword: Anti-Virus, and click on the Try It Now For Free button. Once you click on the Download Now button, you will be registered for the McAfee VirusScan software. Just follow the instructions as they come up. The software will download and install itself with pauses where the computer needs to be restarted. After the software is installed, don't forget to run a virus scan to ensure there are no Trojan Horses on your computer.

Enjoy your first month FREE of McAfee VirusScan Online brought to you by AOL. After your free trial offer, the service is $2.95 a month plus any applicable taxes in addition to your basic monthly AOL membership fee, conveniently billed to your AOL payment information on file. To avoid being charged a monthly fee, simply cancel your McAfee VirusScan Online membership before the trial period ends.

Password Tip #1: Change the passwords to all Screen Names on your account at AOL Keyword: Password. Be sure to keep your passwords a secret, and change them frequently. Also, remember that AOL staff will never ask for your password.

Password Tip #2: Don't create passwords that are easy to guess. The best passwords are at least six characters long and contain a combination of numbers and letters.

Safety Awareness Tip #1: Visit AOL Keyword: Neighborhood Watch regularly for updates on account security issues.

Safety Awareness Tip #2: Check out the security options available at AOL Keywords: Parental Controls and Mail Controls.

Safety Awareness Tip #3: - Keep informed on how to combat unwanted junk mail at AOL Keyword: Junk Mail.

Safety Awareness Tip #4: Take advantage of the information and tools at AOL Keyword: TOS.


I hope you find this information to be useful. Please note that this screen name cannot accept replies. Therefore, if you have any other Terms of Service related questions or comments, please visit AOL Keyword: TOS Questions. To review AOL's Terms of Service agreement, which is presented to all members during the sign up process, see AOL Keyword: TOS.

Holy ____ Dad, what did you do?  So I unlock the account, reset the password and call him back.  My sister is over at their house picking up our very spoiled Toy Poodle who goes over to their house during the day for “doggie day care” and she relates the story to Dad.  “Dad, they cracked your password”, she says to him.  And I give her the guidance to relay to him about long passwords, make sure there are numbers  blah blah ....and then she comes back that “he says that a month ago someone asked for his password and he typed it in.”...

Whoa.  Say that again?  What did what?

Ever notice [and this happens even in my office] that people will tell you things LONG after the flames are shooting up and then they remember that “oh yeah, something happened”?

Mind you, he's made me the paranoid person I am today but the Internet is one place that he's probably still a little too trusting on. 

Take the time to discuss “normal” operations and empower people to tell you “oh yeah, this happened” more often.

I'm just going to stop using the Internet...maybe that's the proper answer?

So I'm reading that Internet Explorer, XP sp2 is screwed, Firefox and Mozilla have vulnerabilties and as the Incidents.org web page so aply puts it, “If you are reading this diary with any web browser other then 'lynx' or 'wget', you are likely vulnerable to one of the issues released today.”

Okay... so that's nice to know.  And how long before Lynx and Wget get vulnerabilties?  I know a lot of geek buddies have switched to firefox but I don't like any browser that can't authenticate in with ISA and active directory.

When push comes to shove it's all about risk.  A new blog on Security guides opened up recently and Brian Johnson pointed to a Security Risk document that was released. 

Me, I'm making to movement to User Mode and least privilege here in the office and making sure I have other processes in place.  I'm not willing to move from a browser that I can remotely patch.  Sometimes you have to stand back and realize that we will never ever have absolute security.

Just is not going to happen folks. 

The client is not "ALWAYS" right

On the same day that SeanDaniel.com talks about how to host two domains on one SBS, I get an email from someone asking if they can take a SBS 2000, connect a Win 2003 member server and install Exchange 2003 on that member server.

Well.. you can do a lot of things..but the question is ....why? 

The answer came back that the SBS 2000 was serving two companies and now they want one domain but two servers one for each company.  Can they use the SBS 2000 active directory and Exchange 2000?

Sometimes while the customer is always right is the standard saying, the customer isn't always “bright“.  Call me a bit wacko, especially after I bought the “monster“ server that some question my sanity about, but I just can't see that this will add a great deal of anything other than complexity to a situation. 

Two Exchange servers to lock down, two entry points into that network, and not to mention since they obviously can't purchase SBS 2003 for that second box, a lot of costs for not a lot of bang in my opinion. 

Some folks ask this question for redundancy and I can see that more logically [but then I can point to the services like tzo.com that do backup MX records for mail and what not]

I mean we can do a LOT of things in SBSland but we don't have to do EVERYTHING.  Sometimes the client doesn't always know best and it's up to you as the consultant to guide them.

So.  Am I the wacko one?  Do you see a good reason for this setup and why it would make sense?  I think I'd rather find out from the client why they see this as a need.  I'm going to use a word I heard at SMBNation  “pain point“.  What is their pain point here and what is this going to solve?  I just see this as more complexity and not solving a problem, but maybe that's just me?

What do you think?  What would you recommend?

I'd rather they spend their money and upgrade the SBS 2000 to SBS 2003.

Privacy and Good Business

Lisa Traina gave a talk at the last AICPA Tech conf, the jist of it was 'privacy is good business'.  Steve Friedl posted this morning this lovely story about a research project that, while authorized, didn't handle their data in the best way possible.

Ouch.  Big time ouch.  Man, what in the world that researcher doing with that detailed of information?

My favorite is this section in the version on CNN: “The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.“ 

Ouch.  And then SB1386 notifications big time.  This is why my laptop has a mounted virtual pgp.com drive that all my potentially senstitive data goes into.  Should anything happen to my laptop [which is my biggest risk areas] I will protect my client's data.

Spec'ing out a server

So why so big?  Because I swear every single time I “think” I've over bought my hardware, I get to the end of what I consider to be the best most solid lifespan for a server [3 years], the point in time after which you should start planning for a new one, I've realized I filled up just about what I thought I wouldn't ever fill up.  Thus I don't buy for “now“ I'm buying the server I think I will need in three years.

Because we [and most other Accounting firms] are seriously looking/doing document imaging, harddrive sizes, spaces, ways of storage, we never dreamed of are now the normal.  Jeff Middleton is also recommending that I look into a more long term [i.e. something burned into a jukebox or something] storage. 

So today on the listserve someone was asking for a “what do you think about this spec” and one of the things that Amy drove home was that you can't just take the same server for two different types of firms.  One firm can be the paperless [less paper] office of the century and be growing at a gig or more per week, a larger firm could be staying solid at say less than 10 gigs.

Right now in the Accounting and Attorney professions, taming the paper tiger is HUGE.  When spec'ing out for THOSE firms, just because a firm is “small” does not mean they don't have large storage requirements.  Bigger harddrives, member servers, SANs, Jukeboxes, you name it, could be part of the network of a smaller firm and not even be considered for a larger one.

We've come a long way from that picture I stumbled across, haven't we?

Gavin says check out the Sharepoint Guide

Gavin pings and says “have you checked out the Sharepoint useage and admin guide”....ummm no I haven't...... “it's a good document”

Check it out folks!

This compiled help file provides searchable, up-to-date information about using and managing sites based on Microsoft Windows SharePoint Services technology. The topics covered in this file include the following:

• Basic concepts
• Viewing information
• Sharing files and documents
• Sharing information
• Deleting information
• Organizing meetings
• Customizing lists and pages
• Customizing sites
• Customizing pages by using Web Parts
• Managing permissions and security
• Managing sites and settings
• Troubleshooting
• Reference

The content in this file is different from the content you can find in a Windows SharePoint Services site when you click Help. This content has been updated to correct errors, add information, and be easier to browse.

A few technical difficulties in the last one ...but not bad for being virtual today

Today I had three live meeting events.  The first one was one that I had arranged with Stan Leszynski of the Leszynski Group giving an overview of Tablet PC.  Steven Lai, fellow SBS MVP and SF SBS user group gave me Stan's name.  Stan did an EXCELLENT presentation to the Technology Committee of the California Society of CPAS who were meeting in Irvine about how tablet PCs can be used... annotations...markups.... digital ink.  He did a great presentation on Tablet PC technology.  Prior to that I had asked Karen Christian who brought along Jeff Adzima [hopefully I spelled that right] and they did an in person demonstration of Sharepoint.  John Levy said that it wasn't as full featured as Lacerte's Document Management system.  But John needs to understand that Lacerte was specifically built for CPAs.... Hmmm. but still might be a comment worth passing along to the Sharepoint folks for comparison to/benchmarking to.

The second meeting was “me” talking about Office Live meeting, the pricing, how it worked, how easy it was to get started, uploading the Powerpoint deck, sharing out the desktop and what not.  I even pointed to Scoble's blog where he says that some of the people doing those Official [and free] Microsoft webcasts may be doing them in their PJ's.  I couldn't make it down to the meeting but I could present to the group using Live Meeting [which I was showcasing] and we used a speakerphone.

Last but not least was our Live Meeting to SBS User Group.  Anne Stanton and I are big into patch management and she asked if I could do a Live meeting to her group tonight.  So I fired up the Live Meeting, booked the event for tonight and right at 5 tonight, launched the Live Meeting.  We had one technical problem.  Because the Live meeting that I have only includes phone connection and not VOIP like Microsoft uses, and because where she was tonight only had one bar of cell phone coverage, and because I'm a paranoid wacko and won't do Skype, and because I was at the office I had no microphone equipment to do it out the Instant Messenger and because...well you get the idea.... so we improvised.  I'm a quick typist and I typed the comments I would have made over the phone via Instant Messenger, with Anne filling in color commentary as needed.  So it wasn't exactly the most shining moment of the use of technology, but considering the road blocks put in our way, I'd say the days use of Office Live Meeting was a success nonetheless.

hmmmm.... think I will have Anne update her blog posting to say “Susan Via Instant Messenger”  :-)

So today I flipped my lid

I had to meet with an Attorney and took my Tablet PC with me to jot notes.  While there I also found that I needed Excel, so I flipped the screen around to get at the keyboard and continued taking the notes I needed in Excel.  I think the Attorney's jaw dropped on the floor.  This would be a great feature for a Attorney firm but they being not quite the geeks that the rest of us are [or think we are] need to see this stuff up close and personal. 

Remember the story of how the Post It Notes caught on?  They gave them to the secretaries in the companies to get the corporations hooked?  Maybe if you gave a tablet PC to young law school graduates, the young whipper snappers would make the older Attorneys drool over the Tablets. 

I'll be taking two trips next month [one a fast weekend trip to Orlando where I think I'm going to be taking the red-eye/night flight to get there Saturday morning at 6:00 a.m, then later that week up to the Seattle area] and I'm going to be packing the Tablet for these trips.  I've been very happy with my sub-notebook 3 pounder. 

SBS CHAT with Handy Andy

> 

SBS LIVE CHAT THIS WEEK:

** Tuesday, Oct. 19, 7 pm EDT: SBS Live!

The ever-popular group known as SBS Live!, headed by Microsoft MVP and Small Business Server expert Andy Goodman, gets together online for its usual one-hour chat to discuss their favorite topic -- what else? -- Small Business Server. Got a question or want to help others, or do you just want to chat about your favorite software? Join Andy Goodman and the rest of your SBS peers this Tuesday, Oct. 19 at 7 p.m. Eastern time.

To join these chats, to learn how to join a chat, to read the rules of conduct, or to obtain a transcript of a past chat, go to http://MCPmag.com/chats. If you're using a chat program, such as Microsoft Chat 2.0 or mIRC, you can join by going to the #MCPmag.com room on the chat.mcpmag.com server.

If you can't make it to SBS Live! but need help with a question or two, you can also post to the SBS thread, where Andy Goodman hangs out:

http://mcpmag.com/forums/forum_topics.asp?fid=67

Missed the Sharepoint Live Meeting last week? No Problem!

Eric L sends the email today that they've put the recording of the Sharepoint up on the MSSmallbiz web site.  Kewlamundo!

Thank you to all of you who attended the Windows SharePoint Services LiveMeeting session we presented last week.  Since that session, we have received several requests for this information once available, so here it is.  The PDF& PPT versions of the 10/13 Windows SharePoint Services LiveMeeting that was presented by Brad Billison and Eric Ligman are now available along with the information regarding how to view the recorded version of the session in the "LiveMeetings" section of the http://www.mssmallbiz.com site:

http://www.mssmallbiz.com/LiveMeetings/Forms/AllItems.aspx

Thank you and have a great day,  [1]

Eric Ligman

Small Business Manager - U.S. Central Region

Enabling millions of small businesses and partners to realize their full potential

[1]  He's so polite isnt' he?  :-) 

Looking for Security awareness stuff for end users?

SANS.org has just started a newsletter geared towards end users called “OUCH”.  Cool!  Sign up here!

Just to give you a sneak peak, here's the table of contents for this edition:

 What To Avoid This Month

I. Email from people trying to get you to divulge private details.   These are often trying to steal your identity (and your money)
 I.1 Phishers Are Getting Together
 I.2 Scam of the Month
 I.3 AT&T - Credit Card Declined
 I.4 Wells Fargo - 'Wells Fargo Customer Support: Transactions security     standards update.'
 I.5 'Verify your billing information at Earthlink.'

II. Virus/Hoax Alerts
 II.1 Backdoor-CCT
 II.2 W32.Netsky.ag@mm

III. Interesting links about Phishing

IV. FTC Goes Phishing, Nails Scammer

Good news, bad news

Rats.  Just read some good news/bad news.  First off Cisco and Microsoft have decided to work together to make sure their two perimeter security products work together.  That's really good news so that companies don't have to choose one over the other.  They will both work together.  That makes sense.

The bad news is that as a result, the Network Protection version, the one that will make sure your internal clients are nice and patched as well is slid into Longhorn and 2007 and will not be in the R2 of Windows server, the one in the “next“ version of SBS 200x.  Rats.  I was really looking forward to that. 

Sounds like though, they are going to “blonde“ the VPN network quarantine control that I've been complaining is not “blonde“ enough and has too much “scripting“.

Yes, Tristan, us SBSers will know exactly what you mean!

I quite agree Tristan!  And yes, if you tell an SBSer to run the CEICW we do indeed know EXACTLY what you mean  :-)  The post has some great screen shots and point you to more detailed resources about RWW.

[hope you don't mind Tristan... I linked to your “Ninja Feature” icon .]

During SMBNation we asked for your best ideas

And I finally got around to digging out the index cards I recieved....so without further ado, here's the first from Cindy Slade of Shalli Network Consulting for workstations/clients:

DECREASE THE DELAY TIME FOR MENUS

Windows annoyingly delays the drawing of menus on workstations

Change this by going to the following:

• HKEY_Current_User
  • Control Panel
    • Desktop
      • Menu Show Delay

Change the value to less [the value is in miliseconds].  This setting is also discussed here.

Cindy is co-leader with Bob Hood of the Chicago SBS user group.  If you are in the Chicago area and an SBSer...look them up!

{I'll be posting more ...but do you have a good hack/idea that you've done for your clients?  Post it here!}

We interrupt this regularly scheduled blog for a notification regarding a Season Change

 We had our first rain for the season last night and today.  It was expected as it's the last day of the Fresno Fair.  It's traditional that it ALWAYS rains during the fair.  I also received the first of my two bulb shipments this week.  My first one was from White Flower Farm and my Paperwhites.  What?  Don't know what Paperwhites are?  They are Narcissus bulbs that can be easily grown in ANYTHING.  Put them in dirt, in rocks, in pebbles, you name it.  My next shipment will be from Dutch Gardens for my normal tulips, hyacynths, daffodils and what not.

We're not quite ready to plant in California yet so I put the bulbs in a spare refrigerator to keep them at the proper temperature until planting time.  And exactly what IS planting time?  When you are outside and it's just cold enough so your nose runs [sorry to be a bit disgusting, but it's true]. 

And yes.... I really do go outside every now and then.. truly.  November is spring planting season in my area.  You plant the bulbs and next March the flowers will bloom. 

 You prepare the ground, give it fertilizer, ensure that your purchase bulbs of quality and they just bloom and produce without fail.  Skimp on quality of bulbs and you don't get the blooms you expected to get.  A bit of maintenance and cultivation along the way and in March you'll get blooms from MY favorite flower -- Daffodils!

 So to those in the northern hemisphere...happy Fall... to those in the southern....happy Spring!

We now return you to our regularly scheduled SBS blog.  But there's a bit of a message of technology in there.... have quality equipment and up to date software and your technology blooms!  ;-)  See I can make this a geek post after all!

Carl in the newsgroup asks.... "Can SBS be used for the home"

Heck YES!  In fact Yankee Group predicts that homes will be networking by the year 2008.

SBS 2003 has wizards in the box to set up these roaming profiles so you don't have to deal with the details.  It has the ability to centralize the email, to backup critical documents, to do just like Carl needs, allow people to log onto any computer and get the same desktop.  I would also argue that with SBS combined with Trend's CSM suite that includes malware protection, you home systems will be better protected. 

Remember that you don't have to have a static IP address [business class] in order to host your own email.  Using dynamic DNS services like tzo.com or dns2go.com and other services, even with a dynamic IP you can have all the tools that even businesses have.

Eric F talks in his blog about ordering a new XP media Center and this week Bill Gates predicted a future where digital video recorders will offer more options to the viewers.  In fact, you can click here to see the launch of Windows XP Media Center Edition 2005.  Check it out. 

Hey, in googling around, I just found one problem though.  Media Center 2005 CANNOT JOIN A DOMAIN.  Apparently there are some wacko workarounds ...you have to make sure that you join a domain during setup but if screw up and don't choose it you have limited functionality.  HUH?  Guys?  Did you miss the memo from Yankee group that says that homes will be NETWORKING?  We already have a hassle in SBSland with people who purchase XPHomes and attempt to hang them off a SBS network.  A domain is nothin' more than a workgroup with more toys.  Guys, wake up and smell the CAT6 will ya?

I think as we go forward more and more people will be networking at home.  What about you?  Are you networking at home?  Are you tivo'ing at home?  What do you think you will be doing by 2008 at home? 

I guess the message here is go ahead and network at home but don't plan on having the Media Center 2005 as part of that domain.  That's a real shame.  We've gotten questions about MCE 2004 being on a domain and it could.  This is a real shame that they didn't include this in the 2005 edition. 

I think they should seriously rethink this one.  Maybe they will wake up by the time MCE 2006 rolls out.  One could only hope.

I think SBS will be there, but I'll admit I'm wacko.  What do you think?

I just have one question.... can I get THOSE flat screens in my house?

So Pocaro says Microsoft is listening and he wasn't kidding

The other day I commented that we had a cool community page but that I was a bit disappointed in the SBS blogs showcased on the site.  I even went so far as to ping some of the posters and ...well... be the annoying person that I am and say .... “Hey...where's the SBS stuff?”.  Some of them actually indicated to me that they truly were SBSers just hadn't gotten around to putting SBS “stuff“ on there.

So I'm over on SeanDaniel.com's blog and he says that he's started a new personal blog as his more SBSized blog is listed on the Community page.

.......... it IS?  It wasn't before.... I gotta go check this out..........

Whoa.. you guys moved the furniture around....and...sniff..sniff..... you've got our SBS blogs as well as the Microsoft SBS blogs.

Even though I'm a geek at heart, I've missed John Pocaro's postings lately and was glad to see him start back up.  A recent one showcases what just happened on our community page.  Microsoft is listening.  And making changes.  Maybe not huge changes, but “baby steps“ as I always call them. 

So are a lot of other companies out there.  Have you seen the recent AOL commericial where the Mother with the baby wanders into the corporate board room and ends up standing on the table demanding that they help her keep the skumbuckets away from her children?  Church of the Customer blogs about this very fact.  But AOL needs to make sure that they don't just make it part of an ad campaign.  Mean it.  Do it.

You know how I can pretty much pull a Yodaism and make it fit any occasion?  We once again turn to the wisdom of the little green guy:

“Do, or do not.  There is no 'try'.”

I think Mr. Ives needs to take a new look at the Microsoft Small Business blog page again, don't you?

So today I get asked if there is anything in HIPAA....

So I'm on the phone today and get asked if there is anything in HIPAA that says that ISA server/SBS 2003 is not HIPAA compliant because it has two Network cards.

Huh?  Say...whaaattt?  First off a bit of background,  HIPAA stands for the Health Insurance Portability and Accountabilty act which was signed into law in 1996 and part of that law includes protecton of ePHI ... electronic Protected Health Information.  Stuff you want to secure, you know?

As part of the final rules that were released, it is purposely technology neutral. 

As is discussed in this GIAC practical by Dan Aiken-- “Network Design – The Rule makes no explicit mention of network security principles such as resource separation, firewall placement and protection, and limiting visibility of traffic between systems.”

The National Insititute of Standards and Technology has also produced a introductory resource guide for implementing the HIPAA Security rule.  At 96 pages I would argue it's probably a bit more than an introduction, but nonetheless, it too is silent as to the exact type of protection i.e. one network card or two.

So we continue on the conversation and the gentlemen on the phone says that he recently lost out on an installation of SBS 2003 with ISA server because he thinks that another firm came in with a dash of FUD [fear...etc] and sold them how that they had to have a CISCO protecting their firm.  Meanwhile CISCO's source code has been stolen and it has a few vulnerabilities here and there per Secunia.  Meanwhile ISA Server 2004 has none in the same database, and ISA Server 2000, just a few.  Now, granted you can be totally freaked out by the number of services on our boxes, but the point is, it's not how many nics you have, what firewalls are in place, it's the entire network you have to look at. 

Where's your weak spots?  That's where you need to be focusing your time and budget on.

Counting network cards is not the way to more security.

Just a heads up folks... There's no silver bullet that is going to make the bad guys all go away.  Staying on an up to date and patched platform is the best way to stay safe.  And with that... I'm firing up the Shavlik folks and getting my control thrill in for the evening!

About that open source....

So yesterday I ranted that I couldn't send out email to a couple of listserves and places and I thought it was because I was blacklisted because of my ISP.  Well, I was only half right.  I still am partially blacklisted, but that's not the reason why I couldn't send out email as I had been used to.  You see, I keep my office firm email separated from my outside email account that I've used on the web because I really don't want to pull in all the gunk that goes into that account. I've had my pacbell account so long that my V__gra emails get V__gra emails.....So I purposely use a different mail client to separate out the firm email from the “public email“.  Then, because I hang out in newsgroups and am not a fan of Outlook Express for newsgroups, I've always used some Netscape/Mozilla/Thunderbird derivative for newsgroup reading/posting. 

So when my Thunderbird at home AND my Thunderbird at the office both started experiencing the annoying error that "supposedly" was fixed two or three versions ago per the Thunderbird support page, it sort of doesn't leave you too many options.

<click here to see the error>

Gartner's Talking Technology talks about when you make the decision to go with open source solutions to make sure you lock in the support.  In my case I just orphaned my old emails and left them behind in Thunderbird and moved over to Mozilla and using it just for email.  Not exactly the greatest answer, but when I attempted to build a new account for my pacbell and left the old one behind to keep my emails, I found that yesterday I couldn't email anything to anywhere.  I couldn't get Thunderbird fixed and had no “Mothership” to call for support.  I tried their web site but they indicated it was fixed a couple of builds ago.  I even tried totally removed the program and folders and then copied the folders back in.  No go.

So I fixed it. Sort of.  I'm now on Mozilla and if I need to find an old email, I have to open up Thunderbird and go searching.  'Course I don't have my address book from the old Thunderbird so I'll now go in search of that... and while this is not the best solution, I don't have a phone number or product support personnel to call.

My Dad called me at work last night and I had to help him send an email.  Technology is still just a bit too much for the geeky I think.  It needs to be more self monitoring and alerting of when something isn't right. 

So far I have done this “fix“ before when I used Netscape and the mail client broke on me.  Happened with Thunderbird.  Hopefully Mozilla will hang in there for awhile.  Meanwhile my office email is on the Exchange server, backed up nightly.  I've added Lookout to Outlook to make searching easier because the native search was cumbersome and slow as compared to Thunderbird.  Now the Search is nice and speedy.  Outlook is also where my RSS feeds reside....everything over THERE just works....

hmmm....go figure..... 

Now if Outlook could just handle newsgroups....   [1]

[1] even with the NNTP ability of Newsgator.. it's not the same...

I am NOT a spammer!

Let me just get this off my chest...

• I'm not a spammer
• I pay for a static IP at my office
• It's the only DSL in town
• Can I help it if Pacbell is SBC that joint ventures with Yahoo?

I noticed it a couple of days ago when a business email that I was sending out bounced back as undeliverable saying that I was a “spammer”.  Today, I could not post messages to various listserves and locations from my Pacbell account through the office but I can here at home.  I think I know the reason why. 

The good news I'm in good company with Dana, whom I was helping out the other day relaying email with his issue and it looks like my ISP's smtp server that the office system goes through has been SPEW'd, Dana was SORB'd but it's still a case of mistaken identity.  What's weird is the originating IP is 209.132.240.249?

I'm going to have to do more digging to figure out if I'm reading and investigating this correctly, but it's just plain annoying these days when it's getting harder and harder to stop spam at the same time it's getting harder and harder to send email. 

Message labs sent out a Monthly report that said:

MessageLabs currently scans over 70 million emails per day on behalf of its clients.

In September, MessageLabs scanned more than 1.45 billion emails worldwide for spam, of which over 1.05 billion or 72.14% (1 in 1.39), were stopped as spam (404.68 per second).

During the same period, we also scanned over 1.78billion emails for viruses, Trojans and other malicious content, and more than 86 million or 4.83% (or 1 in 20.69) were intercepted (33.27 per second).*

That's pretty bad when almost 3/4's of email traveling around the Internet is Spam.  I've been in a hotel room where I had to remote back to my office to send email because the mail server the hotel used was blacklisted.  I'll have to investigate more tomorrow.

Bottom line to you folks that run Blacklists, Whitelists and what not... they are not working.

SBS 2003 Knowledge base articles of Interest

Read the fine print first:

1.  We're not licensed for this yet.

2.  It will be part of SBS 2003 sp1

3.  Good things come to those who wait.

....but... if you are a SBS installer/partner and want to start “playing“, get out your action pack version of ISA 2004 and take a look at Matt's post.

Fine print:

Do not put this in a client's production setting or you will get a Susan 2x4 upside the head for putting a configuration in -- that at this time - is “unsupported“ on top of SBS2k3.  This is for play only guys and gals....

If I had a dime for every time I told someone that hotfixes are a free call

I think I've posted this again, but I'll say it again.....

When you have a Knowledgebase article that indicates that there is a file to be obtained from Microsoft IT'S A FREE CALL. 

Nada, zilch, zippo, zero cost.

You call in the US 1-800-936-4900 or UK 0870 60 10 100 or the other phone numbers found at Microsoft Help and Support and it's a FREE CALL.  I think it's option 3 if I remember right.

Call, state that you need a hotfix, they see if they can bundle it up and send it...and then they email a link to a place on on their servers to you with a password to unlock it.

P.S.  To answer the question at the top... I think I'd at least have enough to buy a good dinner.

XP sp2 stuff

I'll revisit the “stuff” you need to have for deploying sp2 on your SBS 2003 network:

ENABLING THE FIREWALL

• Update to enable and configure the SP 2 firewall inside the network [this comes down via Windows Update]
• Hotfix to fix the “long name“ error on the Group policy edit [this does not come down via Windows Update]
• KB article about the issue
• Whitepaper to deploy XP sp2 firewall

DEPLOYING SP2 TO NEW MACHINES/NEWLY JOINED MACHINES

• Package to deploy SP2 to new computers  - please note this cannot be uninstalled
• Whitepaper to deploy XP sp2 as the SP to new machines

SP2 INSTALL PACKAGE

• XP sp2 install package

TURN OFF THE FIREWALL?

• What policies to adjust to turn OFF the firewall at the domain controller

MICROSOFT'S RESOURCES

• MS's resource page for XP sp2
• XP sp2 release notes
• XP sp2 deploy tools
• XP sp2 support tools

XP SP2 hotfixes you may need

• Loopback fix [for VPNs etc]

One of the best ways to get a feel for how much you can control is looking over THIS spreadsheet.  Take a look at it and I think it will give you the best feel for how powerful this is.

So, I'm sure you are wanting to know ...why do we need a firewall on the inside when we have ISA/RRAS on the outside.  Because look at our past Blasters, Sasser and other worms.  Most of the affected businesses HAD firewalls, yet they got nailed.  Port 80 is jokingly called the universal firewall bypass port because so much goes though there now.  Protecting your workstations, limiting the ports that they are exposed on is the best practice going forward.  The Windows 2003 R2 [the next release of the server OS in a year or so] will include network protection feature so that workstations that don't “pass muster” won't get a IP address.  Enabling the firewall inside our networks is the first step in the journey towards that.

Whoa Scoble.. you cut to the chase don't you?

Scoble has an interesting posting today about a conversation he had on a plane where the passenger told him that Microsoft products “suck!”  So he invites folks to:

So, I'm looking for more people who think our products or processes or services suck. Tell us why. Either here, or on your own blog. Just link here and I'll see it show up in PubSub or Feedster or on my referer log.

Okay dude.  You asked for it.

• SUS sucks.  It's been a year since Steve Ballmer stood at the Worldwide partner conference and told people that he'd be back in a year to ask them if they were running SUS 2.0.  They aren't.  It's not out.  A year since SBS was first released there is still not a automatic patch tool built into the SBS platform to help the consultant/owner keep their boxes patched.  Microsoft... just buy Shavlik or license them or something because you just shoved out 10 patches yesterday and several of them do not come down via Windows Update.  Fortunately the SBS team has built a page for downloads...but our latest ones that we need are not listed yet.
• Licensing sucks.  In SBS land I don't NEED the same licensing that works for the big firms.  I don't NEED user versus device cals.  All that it does is make things more complicated.  My Software Assurance vendor even screwed up my SA renewal quote and I had to get the kindness of the folks from SoftwareOne to guide me through the process.  You are going to lose out to open source NOT on the basis of security, but on the complexity of licensing.  I as a customer should not have to track down the SKU code for Live Communication Server that I'm allowed to get as a SBS 2000 SA customer.  We shouldn't hear first that we are not licensed for Entourage for MAC and then I get in the mail from SA fulfillment a Entourage disk.  There's not a day goes by that someone doesn't complain about the complexities of licensing [heck even Directions on Microsoft say this and even Dan Appleman ] and yet you guys seem to be stuck in a quagmire.  I don't get it.  You got the Security stuff folks... fix the licensing now.  Kudos to Eric and the gang for getting us the SBS 2003 standard to premium/SA upgrade SKU because initially we only had a retail upgrade package. 
• End of life sucks.  Okay there will be probably people that disagree with me on this but when you say end of life for Windows NT 4.0 server is December of this year.  Mean it.  Don't even think about extending that.  I'm getting tired of hearing “we're phasing this out“ and then right before it's the drop dead date, you decide that you have too many people still on that platform and you can't drop it.  Decide that up front or something because too many of us decide what we do based on what WagEd says you are going to do.

So... Scoble asked.. answer him.  What do YOU think sucks?

P.S.  Every person that I've shown my Acer Tablet Travelmate C110 to also goes ooooh... get those suckers out in the store where they CAN be seen!

If ya snoozed... that's okay

Eric says that the PDF of the Sharepont webcast is up on the Small Business Channel Community site now and the Powerpoint will be there shortly.  It was ALSO recorded and will be available for play back [usually about 24 hours].

If you haven't checked out a webcast, check it out when it goes live.

Here are some other Sharepoint webcasts you might like:

• Why a small business needs an Intranet
• Remote connectivity with SBS
• Moving from peer to peer to SBS

I'm also a huge fan of the security webcasts

• Security virtual labs
• Security elearning
• Mike Nash's Security 360 webcasts
• and More

Microsoft Small Business Community Update

Topics in this update:

1) Microsoft Small Business Community User Group
2) Alerts
3) Windows SharePoint Technologies Webcast – Wednesday, October 13^th

1) Did you know that in addition to the Microsoft Small Business Channel Community site you are already a member of (http://www.mssmallbiz.com) we also have a Community User Group which provides direct interaction among the Small Business Partners?  Get answers to questions, discuss Small Business topics, interact with your peers, and much more.  If you have not done so already, be sure to also join the MS Small Business Community User Group today: http://groups.yahoo.com/group/mssmallbiz.

2) Have you used the “Alerts” feature on the Microsoft Small Business Channel Community site yet?  By setting up alerts on the areas of the site you are most interested in, you will receive instant notifications of additions, changes, and deletions of items from that section/page to ensure you do not miss any items that may help you in your business.  Some of the more popular areas for Alerts so far are the Announcements, Sales Tools, Partner Resources, Marketing Opportunities, MS Small Biz Shared Documents and Events sections of the site.  Start utilizing the “Alerts” feature by click the “Alert Me” on the left-side of the page for any folder or section you want to be notified of additions, deletions, and changes to.

3) Many of you have asked for this and now it is here!  Join us for our Microsoft LiveMeeting Session showcasing Windows SharePoint Technologies on Wednesday, October 13th.  The session will be presented by Brad Billison & Eric Ligman of the U.S. Central Region Small Business Team and we will be using our own site (www.mssmallbiz.com) as a demo during this session.  (Be sure you have User ID & password for the site during this call)

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?eventid=1032261876

Microsoft Windows SharePoint Services enables companies to develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes to help them work more efficiently. Attend this presentation to learn more about this exciting technology and to see a demonstration of the technology as implemented with Microsoft’s Central Region Small Business Team itself.

View this webcast to learn some of the major ways your small business customers can utilize an intranet. You'll also see demonstrations of Microsoft's out-of-the-box intranet solution, Windows SharePoint Services, which is included in Microsoft’s award winning Small Business Server 2003.

Agenda:
- Introductions
- Overview of SharePoint technologies
- Demonstration: Microsoft Small Business Channel Community – http://www.mssmallbiz.com
- Q&A

Subject: Microsoft SharePoint Technologies
When: Wednesday, Oct 13, 2004 11:30 AM (CST) – 1:00 PM (CST)
Duration: 90 minutes
Presented By: Brad Billison – Technology Specialist, U.S. Central Region Small Business Team & Eric Ligman – Business Development Manager, U.S. Central Region Small Business Team

This presentation will be delivered via Microsoft Office Live Meeting and will utilize Voice Over IP technology for the audio portion of the presentation.  Because of this, you will need to view this presentation from a sound-enabled computer.  All information regarding the URL for the meeting and login instructions will be emailed to all registered attendees at least 24 hours prior to the beginning of the presentation.

Handicappin' the Patches

MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution

(885881)

http://www.microsoft.com/technet/security/Bulletin/ms04-035.mspx 

Critical, Remote code execution again.  Newly discovered with no acknowledgments and the CAN link has no “live exploits”.  The issue is with DNS lookups, but in our SBS boxes, we don’t normally have port 53 open on the outside anyway.  A lot of us use Smarthost for email delivery anyway.  Will I patch this anyway.  Yup.  Better be safe than sorry.

Needs a reboot.  Can be removed.  Can be scanned by MBSA.  Not Windows Update.

My take?  Server only and not a high priority, nothin’ to do on the workstation.

MS04-036 - Vulnerability in NNTP Could Allow Code Execution (883935)

http://www.microsoft.com/technet/security/Bulletin/ms04-036.mspx  

Critical, Remote Code execution again.  Private reporting.  On our SBS boxes, NNTP is not enabled and running,  Read the bulletin and it’s ONLY important on Server 2003.  MBSA will scan for this.  Furthermore we don’t have port 119 and 563 open from the outside unless we ARE running a newsgroup. Thus in theory while I could never really need to patch for this since I’m never doing NNTP, nor opening up ports 119 or 563, I’ll still patch because I want to make sure that in case I do something STUPID in the future I won’t nail myself.

May not need a reboot.  And can be removed. Can be scanned by MBSA. 

My take?  I’ll patch, but I’m not putting it on a high priority

MS04-037 - Vulnerability in Windows Shell Could Allow Remote Code

Execution (841356)

http://www.microsoft.com/technet/security/Bulletin/ms04-037.mspx 

Critical, remote code.  Uh, oh.. “Public vulnerabilities” as per the executive section.  BUT it’s only has a rating of Important on the Server 2003 system. 

This one is again mostly email and web based attack.  So for the server I’m not so concerned.

Needs a reboot.  Can be removed.  Can be scanned by MBSA

My take?  I’ll patch, but I’m not putting it on a high priority

MS04-038 - Cumulative Security Update for Internet Explorer (834707)

http://www.microsoft.com/technet/security/Bulletin/ms04-038.mspx 

This one to me is the biggie of the month. 

Critical. Remote code.  Public AND private vulnerabilities.  And here’s the example of where those “in the wild” stuff is.  See this CAN link?  That’s what I was talking about earlier.  That drives you right back to the discussions on the Full Disclosure listserves.  Along with this one.  The infamous Drag and Drop vulnerability.  One called HijackClick.  And some others not public.  This suckers on a fast track.  I’m going to put it on a couple of desktops tonight and start testing for a fast rollout as I need this even on XP sp2.

Needs a reboot, can be removed, Windows Update and MBSA scannable.

My take?  ROLL THIS OUT ON YOUR WORKSTATIONS ON THE FAST TRACK.  Server … I don’t surf on the server so it’s not the biggie there but this IS a highly critical on my workstations.

Important Bulletins:

MS04-029 - Vulnerability in RPC Runtime Library Could Allow Information

Disclosure and Denial of Service (873350)

http://www.microsoft.com/technet/security/Bulletin/ms04-029.mspx 

For SBS 2003 we don’t even need this at all.  If you are still running SBS 4.5 …folks the clock is ticking.  You don’t have a huge community to help you test patches.  We’ve had historical issues in the past that ONLY aftected the 4.5 platform.  This sucker replaces the Blaster patches.  It is only a denial of service.

My take?  I’m glad I’m off NT4.  NT4 server is on service pack coverage until the end of the year… clock is ticking folks.

MS04-030 - Bulletin Title Vulnerability in WebDAV XML Message Handler

Could Lead to a Denial of Service (824151)

http://www.microsoft.com/technet/security/Bulletin/ms04-030.mspx 

Private vuln, on our IIS boxes, and Webdav is enabled on our SBS 2000 boxes.  I don’t remember if WebDav is enabled on SBS2k3… I’ll check.. but I’ll patch in due time but I’m not freaking on this one.

My take?  I’ll patch just to be a good patcher.

MS04-031 - Vulnerability in NetDDE Could Allow Remote Code Execution

(841533)

http://www.microsoft.com/technet/security/Bulletin/ms04-031.mspx 

Remote code – important.

I don’t even know what this is… http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/establishing_a_network_dde_conversation.asp  but again, for now I’ll patch but not on a priority schedule.

MBSA Scannable. May need a reboot. Can be uninstalled.

My take?  I’ll patch just to be a good patcher.

Re-Released Bulletins:

MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code

Execution (833987) http://www.microsoft.com/technet/security/Bulletin/ms04-028.mspx 

Per Russ Cooper the reason for revision:  Bulletin updated to advise on the availability of revised security updates for Office XP, Visio 2002, and Project 2002 customers that are using Windows XP Service Pack 2. Microsoft Knowledge Base Article 833987 documents the currently known issues that customers may experience when installing these security updates. The article also documents recommended solutions for these issues. Microsoft has also released the MS04-028 Enterprise Update Scanning Tool to help customers detect and deploy the required updates. For more information about the MS04-028 Enterprise Update Scanning Tool, see Microsoft Knowledge Base Article 886988. We have released an update for Windows 2000-based systems that have installed the Windows Journal Viewer. The bulletin has also been updated with a new FAQ that addresses questions regarding the Visio 2002 Viewer, Visio 2003 Viewer, and PowerPoint 2003 Viewer programs.

All of this is my personal opinion, your mileage may vary. You need to do you own “way” of handicappin' the patches so that you feel comfortable.  If you have a test system install them there first.  If not, watch the SBS newsgroup  and we'll report if they are okay.  I'm pretty confident with security patches.  They are doing a much better job of testing these days.  I'm off to start installin' tonight!  See ya later!

[1]  See posting from Dominc White on the Patch Management listserve... while the document and posting referred to SUN, the guidance is universal:

Sun has released a reccomended patch management policy for Solaris.

It is primarily a description of the tools Sun provides and how to use them.
The concept most repeated is minimise change and patch appropriately for the
role of the machine. Here's a summary snip.

Sun's recommended strategy for updating software includes these practices:

* Analyzing the need to apply patches or update your software based on
risk, cost, availability, and timing
* Minimizing change to your environment whenever possible
* Addressing SunSM Alert notifications and other critical issues as soon as
possible
* Only making other changes to your environment to address known problems
* Maintaining your environment as current as appropriate for your business
and application needs

http://docs-pdf.sun.com/817-0574-12/817-0574-12.pdf?biga=15
http://singe.rucus.net/blog/archives/243-Sun-Recommended-Patch-Management-Policy.html

--
Dominic White

Gentlemen, Start your Patch Testing

October Summary
http://www.microsoft.com/technet/security/Bulletin/ms04-oct.mspx 

Critical Bulletins:
 
MS04-032 - Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/Bulletin/ms04-032.mspx  

MS04-033 - Vulnerability in Microsoft Excel Could Allow Code Execution
(886836)
http://www.microsoft.com/technet/security/Bulletin/ms04-033.mspx  

MS04-034 - Vulnerability in Compressed (zipped) Folders Could Allow Code
Execution (873376)
http://www.microsoft.com/technet/security/Bulletin/ms04-034.mspx  

MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution
(885881)
http://www.microsoft.com/technet/security/Bulletin/ms04-035.mspx  

MS04-036 - Vulnerability in NNTP Could Allow Code Execution (883935)
http://www.microsoft.com/technet/security/Bulletin/ms04-036.mspx  

MS04-037 - Vulnerability in Windows Shell Could Allow Remote Code
Execution (841356)
http://www.microsoft.com/technet/security/Bulletin/ms04-037.mspx  

MS04-038 - Cumulative Security Update for Internet Explorer (834707)
http://www.microsoft.com/technet/security/Bulletin/ms04-038.mspx  


Important Bulletins:
 
MS04-029 - Vulnerability in RPC Runtime Library Could Allow Information
Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/Bulletin/ms04-029.mspx  

MS04-030 - Bulletin Title Vulnerability in WebDAV XML Message Handler
Could Lead to a Denial of Service (824151)
http://www.microsoft.com/technet/security/Bulletin/ms04-030.mspx  

MS04-031 - Vulnerability in NetDDE Could Allow Remote Code Execution
(841533)
http://www.microsoft.com/technet/security/Bulletin/ms04-031.mspx  

Re-Released Bulletins:

MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code
Execution (833987)
http://www.microsoft.com/technet/security/Bulletin/ms04-028.mspx  

This represents our regularly scheduled monthly bulletin release (second
Tuesday of each month). Please note that Microsoft may release bulletins
out side of this schedule if we determine the need to do so. 

No, Thank You!

On the Microsoft web site is a flash movie that says “Join us in celebrating the one year anniversary of SBS“ and it says at the end “Thank you for making SBS 2003 a continued success“

No, Thank you.  Thank you, the people of Microsoft.  The ones that I personally know at Mothership Redmond.  Thanks to you, this Server was built with security and features that any business needs to thrive.  It's now safely in the hands of Motherships Charlotte, Las Colinas and Shanghai for the excellent support you give to Microsoft partners and owners.  Thanks to the folks I know there that even work during national holidays, weekends and late nights to provide support.

Thank you to the Microsoft partners that have installed and supported this platform. It's not easy being in your shoes.  You are the Outsourced Chief Information Officer of that small company.  You help guide the technology decisions in the small firms you consult with.  You have a trusted relationship with that small business and you never forget that.  Sometimes your clientele come to you and say “whatever you say is best” and sometimes you have clientele that keep you on a budget. 

Through it all you guide that small business.  You analyze their systems, guide them on what is best and recommend the technology that keeps them in business.

Thank you to the Small Business Server 2003 customers.  You bought 262% more of SBS 2003 than SBS 2000. You are the one most to gain because you now have everything you need to be agile, productive, a global presence. What?  You think I”m joking? Read this.  You now have the power to compete globally.

Oh and I'll say this again, if you install Small Business Server 2003 and are one of those Outsourced Chief Information Officers and are not signed up at least as a registered partner on the Microsoft partners web site, why not?

Exchange server best practices got another SBS update .... I'm so excited!

The update history says this version --

1.5.7.1 - Improved baseline rules output. Introduced new rules which detect recently modified changes. Updates to existing rules in the following areas: server name resolution, operating system version detection, cluster heartbeat configuration, content indexing, SBS2000, SBS2003, virtual memory, debug settings

Okay....I just read my own headline... I'm really sick and need a life don't I?

Server Newbies 101 - Today's concept is file saving schemas

For those firms that are just getting started with using a server and not “yet” ready to go Sharepoint.  [Like a CPA firm or Attorney firm - we're a bit old fashioned] the best thing you can do is sit them down and have them build a structure for saving files.

Map a drive... under that mapped drive we have in our office a structure based on our job duties.  Litigation client data is one folder, Tax client data is another.  Then you need to decide if you are saving by client or customer name or by year of the project.  We also have a further “sort” by partner to delinate how our files are organized. 

All of this is organized and documented so that everyone knows where exactly to save things.

The most important thing to remember when building file naming schemas is to get the firm together and discuss how best to do this.  What works?  What will flow the best?  How is the firm organized. 

Get that structure in place from the beginning and it makes the move to the server world so much easier.

Tomorrow is SECURITY BULLETIN DAY but I have a patch to apply tonight

Remember that tomorrow is Security Bulletin day, but in the meantime tonight I'll be ensuring that I'm all patched up for any ASP.net vulnerability.  The patch to apply is located here and has been SBS approved.

Microsoft has released an ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft.

The bad news is that this does not come down during Windows Update, does not get applied with Shavlik's HFnetchkPro because it's not a Security bulletin nor it is a Knowledge base article.  The Shavlik folks have added tools to their downloads and gotten complaints, came out with the Download.Ject patch after complaints and have to draw the line somewhere. 

So you'll have to know to apply this because we have two applications that are asp.net related and could be exposed to the Internet.  The first is Sharepoint, the second is Remote Web Workplace. 

Fortunately it's NOT remote access, nor a code red, or nimda attack where someone can deface your web site and cause damage, but I like to stay nice and patched.   [In other words, I'm not putting down my can of Mountain Dew and running screaming to the server screeching “PATCH, I MUST PATCH NOW” or anything like that.....]

It's right under your nose... right THERE!

I've seen this several times.  Someone comes into the newsgroup looking for something and it's right there.  No, not there... THERE.  In the helpfiles on your SBS 2003 box.  They want to do Outlook over http and don't know how and go looking for info, a how to do it.  But the best info is right there.. THERE.  Right about now, I can hear Gramps reminding me that it's not obvious to everyone that the information is in there.  And I guess he's right, because I've even seen Microsoft folks unfamiliar with the SBS platform not know that information is there.  You are right Gramps.  I need to be more patient.  I need to understand that I know exactly where this is because..well.. I know exactly where this is.  You remind me that not everyone knows this and to be way more tolerant. 

Thanks Gramps.

http://www.smallbizserver.net/Default.aspx?PageContentID=21&tabid=160

Connect to your server using https://servername/remote to access the "Remote Workspace web site". Log on to the site using the administrator account, and locate the "Additional Links" box on the right side of the web site. A Link named "Configure Outlook via the Internet" should be available. The link provides the required additional steps for the Outlook client configuration. If for some reason the link specified is not shown, you will need to edit the registry in order to make it available.

Open Regedit (on the server)
Navigate to
             

 HKEY_LOCAL_MACHINE

SOFTWARE

Microsoft

SmallBusinessServer

RemoteUserPortal

AdminLinks

On the right pane you will notice many DWORD values. Locate the value names "RPC". Click this value and change the value data to 1 .

Refresh the Remote Web Workspace, and the link should appear.
Since all information was entered correctly during running the Internet and Email Wizard, the naming information provided in the "Configure Outlook via the Internet" help should match the exact settings you should provide within your Outlook 2003 client configuration, it's as simple as following a recipe.

Mark Stevens and nine questions

Nine questions to ask when evaluating a security threat - Computerworld:

http://computerworld.com/securitytopics/security/story/0,10801,96425,00.html

1. Does the new threat affect software we use?

2. Is this exploit an insider threat or from the outside?

3. How difficult is this exploit?

4. What is the impact of a successful attack?

5. When was my last backup?

6. Have we prepared a response to this kind of threat?

7. What's the state of my network today?

8. Is this threat personal?

9. Is the cure worse than the disease?

Mark Stevens is chief strategy officer at WatchGuard Technologies Inc., a network security company based in Seattle.

Good things to think about there, Mark.  Thanks.

Are you Sharepointing?

SBS 2003 is a year old and one of the parts of the box that I don't think we've played with enough is Sharepoint.  Harry made this point in his “Happy Birthday SBS” email yesterday.  Scoble says that O'Reillys' books on Sharepoint are the top sellers.  When Chad showcased his “poor man's” CRM at SMBnation people just started to see the concept and what you can do with Sharepoint.

As Scoble says:  “The impulse to create is strong. The impulse to share is strong. The impulse to consume is strong.”

So here's my personal take of what we need that came out of SMBnation to help us “bamm“ up Sharepoint as Emeril would say:

1.  We need consumables for the end user that are like “sound bites“  that make Sharepoint into easy how tos.  Right now most of the documentation out there is all aimed at the designer NOT the end user.  Don't forget that you need to TRAIN the end user how to use this technology.

2.  We need a Infopath that is a “runtime“ version.  What's that you ask?  One of the coolest additional tools that you can use as an additional feature is the program called Infopath.  This of it as a “standardization tool to help you “suck“ in data and information.  But you have to BUY the product to use it.  The SBS folks at SMBnation need a “runtime“ or bundle version that can run via a web app so that it does not need to be installed locally.  If you are in a situation where you forgot to install it, you can't use the power of it.

3.  We need a better centralized place for finding web parts and other “cool stuff“.  Right now it's a lot of word of mouth and blog linking that makes us find this stuff.  SmilingGoat and Sid Weber's Playground  I found via blog links or word of mouth.  Make it easier for me to find this cool stuff.

4.  Where's your Sharepoint Community page and advertisement of RSS feeds?   The official home page of Windows Sharepoint services is there.... where's the community link?  I know that Mike Walsh is a tireless Sharepoint MVP, yet where the page that can point me to his site?  “I“ know that it's located here but how would anyone else know that?

5.  Sharepoint blogs.  Advertise them more!  And again, I need a Sharepoint blog that focuses on the END USER and their needs.

• Mike Walsh's blog
• Sharepoint Thoughts
• Listing of Sharepoint Bloggers
• More Bloggers on Sharepoint from Laura J
  • Amanda Murphy
  • Arpans' Weblog
  • DevHawk (Category)
  • Drewby (rss)
  • Eric Legault
  • Frank Fischer (in German) (rss)
  • Jan Tielen (rss)
  • Jim Edelen (rss)
  • JohnWe's Sharepoint Blog (rss)
  • Lamont Harrington (rss)
  • Patrick Tisseghem (rss)
  • Point2Share (Daniel McPherson) (rss)
  • Random Ramblings...
  • RandomElements Blog
  • SharePointBlogs.com (rss)
  • Stramit's Blog
  • Tangible Thoughts (rss)
  • Tim Heuer (rss)

So what about you?  What do YOU need to “bamm” up Sharepoint for you?

Dear Microsoft Time Zone:

  I need more than five time settings.  You see I have geek friends around the world and I need to know what time it is around the world.  You've got a great start... but I NEED MORE THAN FIVE!  You start out with allowing me to choose only five:

So I've adjusted it below... but right now I can only make sure I remember what time Steve Foster, Steven Teiger, Wayne Small, SuperG, Wallace Fu and my posse of geeks on the East Coast are on, but I'm missing out on Mariette and Marina [the Magical M&Ms], Mal, Dean, Jeff M, Les, Eric F, Brian, and everybody else on my IM list.   

Oh and can I assign names of people or companies to this?  Oh I CAN, can't I if I manually “add a location“ and then assign it to a timezone.  One of the issues we have with webcasts internationally is that we have to convert to proper time zone, remember if we are or are not on daylight savings.  For me in California, watching a webcast that is broadcast from MY time zone of “Pacific” means that I don't even have to think about time conversions.  But.. if we do online SBS MVP IM sessions, or try to coordinate a phone call, bedlam practically ensues as we all do the time conversion [and usually screw it up].

So you've got a great start here.. but I either need more than five time zones... or can everyone I know just move?

Download Microsoft Time Zone here:

Good stuff on Seandaniel.com blog today

Prevent Spammer attacks on your Exchange Server.

And Dana was wanting the IIS log stuff in the console and I think we might be able to do that via this.

Kewl.  Thanks SeanDaniel.com blog!

From today's mailbag...Joel writes "Do you remember MSKB?"

When you could type in MSKB into your Internet Explorer and it would immediately jump to the Microsoft Knowledge base article?

Oh yes I do remember that and blogged about it before.  But I just found a better one!

Internet Explorer Address Bar Tweaks for Techies:
http://www.commandline.co.uk/searchurl/

Note that to get the Security bulletin one to work I had to edit it to;

http://www.microsoft.com/technet/security/bulletin/MS%s.mspx

Look for the entry at HK_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\sb and edit accordingly.

Dana was on the ball wasn't he?

Hmmmm interesting links as well off of this site -- see what you think --

http://www.radiantmarketing.biz/

http://www.danavan.net/weblog/index.html

http://www.sbblog.com/sbbloghome/

http://www.wonderbranding.com/  I found this one interesting as they say that Women do a lot of the decision making

http://www.ducttapemarketing.com/weblog.php

http://www.entrepreneur.com/blog/0,6834,,00.html

http://www.business-opportunities.biz/

<sorry screwed up the link...fixed.

Is everyone aware of Check21?

In the Small Business Trends blog  [looks interesting... I subscribed] I spotted this article about how writing checks as we know it in the USA is changing at the end of the month.

Jim Blasingame of the Small Business Advocate points out that the check float that so many U.S. consumers (and small businesses) have relied upon will soon be gone.

Also is everyone aware that the paper cancelled checks that us beancounters are used to are also going away.  We will have a digital version of the check, but no original cancelled checks anymore.

So? How do you patch?

If you didn't know already, I'm a nutcase on patch and patch management and found this section on patching in a Risk Management checklist.  Good things to think about.

 *  When applying a patch to any system vulnerability, do you have a
     process for verifying the integrity, and testing the proper
     functioning of the patch?
   * Have you verified that the patch will not negatively affect or
     alter other system configurations?
   * Are patches tested on test beds before being released into the
     network?
   * Do you make a backup of your system before applying patches?
   * Do you conduct another vulnerability test after you apply a patch?
   * Do you keep a log file of any system changes and updates?
   * Are patches prioritized?
   * Do you disseminate patch update information throughout
     organization's local systems administrators?
   * Do you add timetables to patch potential vulnerabilities?
   * Are external partners required to patch all non-critical patches
     within 30 days?
   * Are external partners required to patch critical patches to
     servers and clients within 48 hours?

http://www.infragard.net/library/pdfs/technologyrisklist.pdf

Document Management and VoIP HOT

Bob Scott's Consulting Insights includes a paragraph on what's hot at CPA firms that I've copied below and the funny thing is we've had dual monitors around here in my office for about two years.  My best purchase is a QUAD Matrox video card that I purchased used off of Ebay and can support four monitors.  Ken in my office runs three monitors and we need to get him one more so he can spread that spreadsheet across 4 monitors.  I can personally do a lot more with a second monitor.  Listen to a web cast, have Excel on one screen, Word on another.  We even throw in a PCI video card and use a second monitor.  Most of us now have 17“ or 19“ flat screens and either a matching second monitor or a 15“ second monitor here at my office.  The only annoyance is when I remote in and lose the “second monitor“ experience.  That's one thing that technology needs to somehow fix as we go forward.

Remember that even a laptop can give you a dual monitor experience.  Most newer laptops have the secondary video connection that can be used as the “second“ monitor.

 DOCUMENT MANAGEMENT, VOIP HOT.
Interviews with a number of CIOs and technology directors at multi-office CPA firms convinced me that document management is probably the hottest tech trend at the firms. Let's not call it paperless, yet. Many are implementing electronic workpaper products and musing over whether they can be used as full-blown tools to go paperless. The move to paperless is prompting another trend—the use of dual monitors—which seems fast on its way to being something that could be standard at the big firms in the next two to three years. VoIP is coming on like gangbusters at the regional CPA firms, no matter what some critics still say about it not being quite ready. It seems to me that anyone replacing an office telephone system is at least looking at VoIP. You may know that AT&T is aggressively pushing the technology to businesses and has rolled it out to residential customers in New Jersey. VoIP is probably the one chance that AT&T has of making it as an independent company, now that it's pulling back from traditional long-distance service.

Have you checked out the SANS top 20?

The real weapons of mass destruction

The press talk about “weapons of mass destruction” but you know what the biggest weapon of mass destruction we have around here? 

Windows XP with local admin and a keyboard. 

Get something inside your system, get a compromise in a forest, and can you clear out that network?  Think in terms of how the “nature's” forests and how we stop issues in them like forest fires.  We have to dump chemicals, water and build a fire break to stop that fire.  It's better if we are proactive and prevent stuff.   Forest managment.  Our computer networks need to be managed as well, at least better than we are now.

Risk management is a big issue.  Lack of structure is also a big issue.  Lack of policies is a big one.  If you haven't checked out the SANS site for sample policies for your firm.  Do so.  Have an acceptable use policy.  Protect your forest from bad management up front.

Patch management tool comparisons

http://www.winnetmag.com/Windows/Article/ArticleID/43870/43870.html

In this month's IT pro there is a patch program comparison... now I can't talk about other products....but I can talk about the one I personally own and the chart says that Shavlik doesn't support uninstalls and rolling back patches but I've got 4.3.0.1 [Which according to my machine is the latest version] and there's patches that I can roll back....not that I want to go ripping patches off my production server mind you on a Friday night just to prove the author wrong... [I do have a BIT more of a life than that] but I do have the option to do it.  I have tested it at home though.  Also, I know that they patch ISA server and Linux as well.  So if those items are wrong, the best thing to do is do your own homework.

Might want to do your own due diligence regarding this table.   But, it is a nice chart though of all the vendors in this space to get you started.

SA is a good thing... I got something I didn't ask for from MS Licensing

Software Assurance is GOOD.

Today from DHL I got from MS Licensing part number T75-00170 WIN SBS Prem English Subscriber CD

On the packing list is a description with a X10-88223 part number MS CD Win SBS Prem 2003 English Ent.

What is it?

Entourage 2004 for MAC

Wow.  This is the first time I have gotten something via SA that I didn't have to call and ask for.  It just came.  Whoa.

I knew that us SBSers were allowed to get Entourage 2004, let me confirm whether it's because I'm on SA, on Premium or what.  I'll post back.

ASP.net vulnerability update - Remote Web Workplace

Just to let you know that Microsoft has updated the ASP.net security incident page with a program to help protect from this information disclosure vulnerability.  The application called Validate Path Module has just been released and we've asked for clarification to see if us SBS 2003 boxes need this and to ensure that our customizations for SBS have been tested.  For now hang tight.  This is not a issue that would cause defacement or damage like Code Red or Nimda and I have not see any reports of it being see out on the web in action to the level that we need to be worried out here.  I'd rather hang tight and hear from the “Motherships” [Redmond, Charlotte, Las Colinas, Shanghai] before applying this on our boxes.

Microsoft has released an ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft.

The Remote Web Workplace is an ASP.NET Web site that lives on the Small Business Server. It requires authentication to reach the main menu, which is the dynamic list of links that is determined by the available features on the particular SBS installation and the user's credentials.

http://support.microsoft.com/default.aspx?scid=%2fservicedesks%2fwebcasts%2fen%2ftranscripts%2fwct010804.asp

Dana blogs about the update here as well.

Just because we are little doesn't mean we don't see a lot

Gavin pings me today with a situation he had with XP sp2 and the funny thing is I think it might be related to an issue I saw posted to NTbugtraq.  Gavin pinged the poster to Russ's list, but it brings to light a philosophy of mine that I have hidden on my web blog page.  The other day I changed my blog skin and Anne pointed out that it was a bit ... well ...plain.  So I went in search of a few graphics.  If you view the blog on the web, and hover over the cartoon graphic of my favorite Star Wars character on the right side of the blog , and if your browser supports the alternative text, you'll see my favorite saying “Size matters not!  Judge me by my size, do you?“  Now, scroll down a little and what is the alternative text you can read when you hover over the SBS 2003 graphic right below Yoda?  See what it says?

And that's what's cool about SBS.  We may be little, but there  isn't much we can't do for a small business.  Now, yes some of you would argue that we don't have Terminal server, but there are many medium sized businesses that are very envious of our remote web workplace feature. 

If I were in charge of the Universe, just like with Quickbooks POS, I would make more bundled SBS solutions.  I get a monthly subscription to Gartner's Talking Technology and next month they are going to talk about the phenomenon of wireless email  That's one area that I think they could bundle and brand “SBS ready“ smart phones and blackberries.  Meaning that you would be guaranteed that these models would work flawlessly, no issues whatsoever, with SBS.  When I was mentioning this to Jeff Middleton earlier, he said he had mentioned this about six months ago.  I think he's slipping.... he's normally two years ahead of the curve...not six months. :-)

So what do you think? Right now I see our space rolling out XP sp2 much faster than larger firms, tackling group policy much more often than folks in larger firms, and just a heck of a lot more agile than our larger counterparts.

Disk full? I think not.

So the other night I'm saving some files up to the server that I needed to load on the server and it gives me the message, disk full.  Disk FULL?  No way.  Well remember this is my play baby server here at home and I never turned off the disk quotas so I was being limited by the “quota” on the drive.

Guess what I turned off.  You got it. Disk quotas.  I don't go around limiting peoples space on the hard drive.. we just buy bigger disks that's all. 

To disable disk quotas

1. Open My Computer.
2. Right-click the disk volume for which you want to disable disk quotas, and then click Properties.
3. In the Properties dialog box, click the Quota tab.
4. On the Quota tab, clear the Enable quota management check box, and then click OK.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated an assignment of administrative responsibility to a user, computer, group, or organization.

  For Active Directory, an assignment of responsibility that allows users without administrative credentials to complete specific administrative tasks or to manage specific directory objects. Responsibility is assigned through membership in a security group, the Delegation of Control Wizard, or Group Policy settings.

  For DNS, an assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server that is authoritative for a child zone.

  the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

• To open My Computer, click Start, and then click My Computer.
• If the volume is not formatted with the NTFS file system  or if you are not a member of the Administrators group, the Quota tab is not displayed in the volume's Properties dialog box.

SBS Knowledge base articles of Interest

 875501 - You are unexpectedly disconnected from your VPN session after several minutes in Windows Server 2003:
http://support.microsoft.com/?kbid=875501

886346 - You receive HTTP_500 error message when you synchronize your mobile device with Microsoft Exchange Server 2003:
http://support.microsoft.com/?kbid=886346
886205 - Deleted items are not available after you use "Recover Deleted Items" in Outlook 2003:
http://support.microsoft.com/?kbid=886205
884032 - Update is available for the Windows Small Business Server 2003 Client Setup feature to deploy Windows XP Service Pack 2 to Windows XP Professional-based clients:
http://support.microsoft.com/?kbid=884032
842466 - You may receive an error message or the Setup program may stop responding when you install Microsoft Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=842466
884004 - "You must install Internet Security and Acceleration Server 2000 Service Pack 1 and:
http://support.microsoft.com/?kbid=884004
875421 - "An error occurred while configuring a component" error message when you run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=875421
875432 - Third-party fax program cannot send faxes in Microsoft Small Business Server 2003:
http://support.microsoft.com/?kbid=875432
885191 - Small Business Server 2003 installation starts automatically when you try to start the Recovery Console from the Dell OEM version of the Small Business Server 2003 CD:
http://support.microsoft.com/?kbid=885191
867457 - The View Usage Report tool may report many e-mail messages in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=867457
875422 - "The wizard cannot set the DHCP scope options" error message when you run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=875422
884032 - Update is available for the Windows Small Business Server 2003 Client Setup feature to deploy Windows XP Service Pack 2 to Windows XP Professional-based clients:
http://support.microsoft.com/?kbid=884032

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

I posted in the links the other day that Dana has posted about the ASP.NET vulnerability and today the following have been released: 

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

http://support.microsoft.com/?kbid=887459
http://www.microsoft.com/security/incident/aspnet.mspx

So let's compare this to EventID.net shall we?

Eric pointed out at tool on the Microsoft download site that helps identify errors:

Download details: Exchange Server Error Code Look-up Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE596899-7BB8-4208-B7FC-09E02A13696C&displaylang=en

USAGE: err {value} [value] [value] ...
 where must be of one of the following forms:
   1. decorated hex (0x54f)
   2. implicit hex  (54f)
   3. ambiguous     (1359)
   4. exact string  (=ERROR_INTERNAL_ERROR)
   5. substring     (:INTERNAL_ERROR)

All values on the command line will be looked up in our internal
tables and presented to you.  If available, informational data
associated with the value(s) will also be shown (see below).
All tables are searched by default, but you can restrict the
output to those tables you deem appropriate by adding
"/" to the beginning of the commandline.

Example:

> err /winerror.h /ntstatus.h 0
# winerror.h selected.
# ntstatus.h selected.
# for hex 0x0 / decimal 0 :
  STATUS_WAIT_0                                             ntstatus.h
  ERROR_SUCCESS                                             winerror.h
# The operation completed successfully.
  NO_ERROR                                                  winerror.h
  SEC_E_OK                                                  winerror.h
  S_OK                                                      winerror.h
# 5 matches found for "0"

  Last compiled on Mar 31 2003 14:39:19.
Interesting....

when putting in the code on this tool I get:

<click here for the larger view>

Not quite as good as GUItroubleshooting as Eventid.net, Eric, but definintely a keeper  :-)

Hey.. nice hack dude!

One day in the blogosphere and Sean Daniel of Seandaniel.com shares his SBS 2003 backup hack.

Very cool!  Thanks Sean!

It's a bit ironic

Scoble and the blogosphere are buzzing over what Steve Ballmer apparently said about IPOD's, MP3 players and stolen music.   Want to know something really ironic?  And I apologize to any Microsoft MVP that hasn't yet received their October MVP award but this year it's not anything to do with Swiss Army gifts.  In fact, while it doesn't have a fruit on the outside of the small, pocket sized device, it sure could be used in EXACTLY the same way that Ballmer alluded to.

Fellow MVP Chris Lanier blogs about how DRM sucks.   What I also think has to occur is how technology for the home HAS to be easier.  We've had a discussion about how the remote technology that we are opening up our businesses to also open up our firms to the threats and risks from home computer systems.  We remote in from systems that may have as a security risk one of the most high risk users of all time, that of the teenager.  Joe Wilcox of the Monitor blogs about this issue. 

Security is too complicated still for the average person.

I think "Wus" and "Sus" are my favorite

Ecora just released a funny video about patch management.  Bambi, Bernie, Wus and Sus, and Martha are the “patch team”in Company A. 

My favorite are the characters of “Wus” and “Sus”. 

While it is a very funny video it brings up a great point.  If you can't confirm compliance you don't have a good patch managment system.  It's all about control folks!

IF YOU ARE A GEEK AND A BEANCOUNTER - PLEASE PASS THIS ALONG

I want to see how much the "word of mouth" networks works.  So I need your help in getting the word out about this survey!

Tim Stull, Anne Stanton, David Cieslak, Roman Kepczyk and myselk ask you to take the time to vote on this survey.  

If you are a CPA, IT consultant in the Accounting marketspace, member of the AICPA or your local CPA Society, please take a few minutes and run through the quick AICPA TOP TECHNOLOGIES SURVEY located at http://www.top-techs.org/survey/

Please feel free to forward this to your Associates and Contacts under the Accounting umbrella including members in industry, accountants, consulting firms, accounting firms and state and national society members.

It's been a year since Simon LeBon, Happy Birthday SBS!

It's been a year since the launch of Small Business Server 2003 at the WorldWide partner conference in New Orleans.  It's been quite a year hasn't it? 

Since work committments kept me from going to the launch what I remember about the event is quick snatches of conversations on IM from my SBS buddies who suddenly had to dash off for a different venue and say, “Bye, got to go!”

It's been a year since the entertainment that featured one of my favorite bands when I was in high school, Duran Duran.  Yup, you guessed it, I had a crush on Simon LeBon.  So when I heard that Simon LeBon and Duran Duran was going to be a the Small Business Server 2003 launch party, needless to say, I was driving around for weeks with Duran Duran greatest hits playing in the car.  The guys did call me during the party and for a long time I had this voice mail on my cell phone that if you were the Duran Duran afficiando that I am, you could tell it was "Reflex", but otherwise, it wasn't exactly the clarity of a pin drop.

I've seen pictures of Mardi Gras beads, face painting and stories of... well... you know how that ad goes that “what happens in Vegas, stays in Vegas?“, well I think they need to extend that to New Orleans as well.

This year at the World Wide Partner Conference, I again, was unable to attend and missed out on meeting Dr. Jesper Johansson in person.

First, missing out on Simon and then missing out on Dr. J.  Boy, I tell ya, just one bummer after another.

Exchange Best Practices tool - what does is say about SBS?

The Exchange Best practices tool and the corresponding update has been making the rounds in the SBS2k3 newsgroup and I wanted to showcase a couple of things.  First off the folks over on the EHLO blog have been VERY responsive to us SBSers and I'd like to thank them for what adjustments that they've already made to the tool.

I just ran the tool, with the recent update on my XP workstation that then scanned my SBS 2003 box.  [now this does have the sp2 firewall on it so I might need to temp disable it and try this for grins again just to see if there is any change but it appears to work just fine]  You don't have to scan from your server, since the tool hooks into the active directory, it will find the server [and in the case of SBS, it doesn't have too far to look anyway].

I did the test on mine and it only reported three issues that can be found here.  Here at home I'm “pop”in not SMTPing.

From my XP workstation, looking at the server, I get no relay reports as some have reported.  Remember the conversations that have gone on in the newsgroups in the past that I will revisit.  SBS PM Charlie Anthe graciously allow Karen Christian to repost his response here.  A default SBS 2003 does not relay. LET ME SHOUT ...er say that again.  WE DON'T RELAY.

We can get password cracked and be a SMTP auth attack victim.

We can be an NDR relay attack victim.

We can get stupid and enable the guest account and be relayed off of.

But we are not, and never have been a relayer.

Shut off those NDRs and all Virus notifications.  They are worthless.

Blogosphere.. get ready for Sean of SeanDaniel.com

So, I've told the story before that I was posting in the newsgroup and gave a Microsoftee a bad time about posting in and recommending the use of Eventid.net, right? 

Well I didn't tell the rest of the story.  So I ping “the guy” and give him a bad time, and then my brain starts putting pieces of fragment of grey matter together and thinking... ummmm....didn't I meet someone with that name that I just gave a bad time, and weren't they somone I was introduced to up in Mothership Redmond?  So I fess up and email back and say “Did I meet you?” and sure enough comes the response that I sat right across from him for a couple of hours in Redmond.

Oops. 

Needless to say, Sean Daniel of SeanDaniel.com hasn't been forgotten ever since. 

Without further ado, it gives me great honor to welcome another Blogosphere member, Sean Daniel. 

XP sp2 webcasts all this week

I have two monitors in my office and normally if there is a really good webcast, I'll throw it on the second monitor and listen. 

We got some good ones this week with an all week Windows XP sp2 webcasts events!

Cool!  Make some popcorn!

Honestly, I posted the other blog before I saw this

Well guess what's on the download site today?

Windows Small Business Server 2003 Getting Started Guide.

Advertised as step by step instructions to complete a new installation of SBS.

You know... the thing we're supposed to read...but never read... yeah that thing.

Okay so the marketing sucks, but seriously... do we need it?

So I'm hitting the newsfeeds and notice this article about how SBS 2003 has taken off and propelled revenue growth of partners.  It goes on to say that the marketing campaign is minimal in comparison but the word of mouth buzz cannot be overstated. 

The corresponding market research article goes on to say that it's one of Microsoft's “best kept secrets“. 

I guess I'm just either too close to SBSland or something because we've been saying that SBS just ROCKS since SBS 2000 and even more so in 2003.   I mean is suddenly everyone waking up to what we knew for like years now?

And thinking about that marketing campaign..... who are you selling this to anyway?  For one, you do a SBS ad to my boss and he wouldn't even know what server he has.  Now what you DO need to sell it to and more than anything else you need to TEACH the consultant/partner how to install SBS correctly.

Handy Andy Goodman has probably the best step by step how to's on the web for installing SBS the right way.  Then Mariette and Marina [the Magical M&Ms] have the best “technical bits and pieces“ web site. 

I think Eric Ligman's Microsoft Small Biz campaign does a better job of selling SBS by “selling“ it to the partners that any ad campaign. 

And I'll say it again.....I still say that the BEST ad for Small Business Server was not about SBS at all.  But about “building a business“.

 Go grab the kleenix before you click on the link... you were warned.

<sorry fixed the link>

It's time to get involved World!

Above this post is one of my favorite pictures of earth.  It's a picture done by NASA [time elasped of course] of the lights on all over the Earth.  You can see that on Jeff M and Anne's side of the East Coast of the USA that they are pretty well lit up.  But over there in Australia where Dean, Wayne, Mal and Henry are it's less populated.  But it's still a pretty amazing photo of how there are people all over the world.  Even now here at home when I'm just about to go to bed, my IM window is popping with fellow geeks on Instant Messenger waking up and starting their business days.

So I“m sure you are wondering what sent me into this “waxing poetic“ blog post?  Well I went to a political fund raiser for a school board member in my city today and one of the things he said at the end was to get on our computers and send emails to get people involved in voting.  To tell people to get more involved in their communities. 

Well, you know me.  I don't consider my community to be just the one in my home town, my community spans the world. My community is all of those lights down there in that photo.  And, in fact, I'll do one better than that.  I'll blog on the issue.  You there.  Yes YOU.  I'm talking to you world... I can see your lights on.  YOU need to be a better community member.  You need to look out for your fellow man [or woman].  You see that picture of US down there?  That's all we have of an inhabitable space.  For all of our technology, for all of our education, if we screw up what we have down here, we don't get a second chance.  So if you haven't voted, haven't joined in with your community whereever it is, haven't joined up with your neighbors in some event, haven't done SOMETHING to get involved, you are overdue.  Vote.  Volunteer.  Donate.  Reach out.  Mentor someone.  Move a little mountain in the way that only YOU can. 

Nuel Brown was the gentlemen running for Fresno School board who challenged those in attendance to “Fix what was broken“.  That he needed the help of the community to build a bridge between the administration and teachers union to fulfil his wishes for the children.... you know me.... I'm seeing “community“ as the answer to a lot of things that ails us.  I was pinging a Security guy just today that “we“ the “community“ had to take the message of security to the masses.  Conversely, “we“ the community need to give better feedback to vendors. 

See those lights down there in that photo?  That's us.  That's all of us.  That's people.  Think of the power we have if we just stop and realize that we are a community that CAN fix things together.  And we CAN.

The picture also reminds me of the Pale Blue dot post by Carl Sagan.  You remember it don't you?  I've pointed to it in the newsgroups a couple of times.  My favorite part is the very end..... “There is perhaps no better demonstration of the folly of human conceits than this distant image of our tiny world. To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we've ever known. “

Enough for tonight.  Thanks for the indulgence in the really off topic post.

Just remember:

Participate.  Be part of the community.

Dude, there's a reason it's wasn't there

At the time SBS was built, we did not know what the firewall would do [remember SBS 2003 was RTM in September of last year].  Thus the firewall was group policy disabled to ensure that it would not cause any issues with the workstations  while they are on the domain because they didn't know what SP2 would finally end up like.  If they come off the domain, the firewall was/is re-enabled.  Thus it was a pro-active setting to ensure that small businesses could still just work no matter what happened with sp2.  It's a little hard to ship something when the firewall ended up not coming out almost a year later.  The SBS Dev guys and gals are good... but not that good.

Now because the XP sp2 is built and baked they were able to test and roll out a specific Group policy that enables the SP2 firewall.  As is noted in the magazine article this is located at:

872769 - You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network:
http://support.microsoft.com/default.aspx?scid=kb;en-us;872769

However, I should point out that if you'd merely go to Windows Update with that server, you'd get this patch.  So if that Sysadmin was having this issue, he needs to first go to Windows Update and patch that box as he [or she] might be missing some patches.  Next, the article doesn't go on to state that you'll also need the following:

842933 - "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000:
http://support.microsoft.com/default.aspx?kbid=842933

This does not come down via Windows update.  In fact it might be wise to also visit this web site to make sure you aren't missing something else.  Actually your best bet is to seriously consider purchasing a patch management product.  Right now Software Update Service only does Windows, so my advice is to look around.  I'm still a Lime Green Gal myself. 

Oliver? Try recalulating that price tag again

Oliver Rist gives a review of ISA 2004 and says

“I think ISA is an excellent SMB firewall provided you’ve already got an anti-spam and anti-virus solution. And you’ll also need a fairly deep wallet because ISA is most likely to cost you about $3,000 for the software and another $2,800 to $4,000 for the hardware. Then again, for an IT admin who’s harried for time, those wizards and tight AD integration may make every penny worthwhile.”

I think we need to re-add some costs.  Try the cost of shipping and handling for us “S”s in the SMB marketplace.  Remember as part of SBS 2003 sp1 we will get ISA 2004.  We had a discussion on a listserve about ISA 2000 and the comments were back and forth whether people liked ISA or didn't like ISA.  One comment that it was a resource hog, but I'm not sure that everyone knows about the tweak we need. 

What does ISA 2000/2004 that RRAS doesn't give me?  The logging I need.  RRAS doesn't give me the control I need. 

The community of ISA is also very strong from ISATools.org to ISAServer.org.  There isn't a RRAS community out there ;-)  As you know I”m big on Community and ISAserver has even begun to post articles on SBS/ISA on their site.

So tonight I had dinner with a Webcast star

So tonight I had dinner with Security MVP and webcast star Steve Friedl.  We had an interesting and entertaining dinner before he drove on to home.  Couple of interesting things about how we look at things.  First off he loves command line, I hate it.  He hates GUI, and I'm a GUI gal.  Okay so maybe “hate“ is too strong of a word, but I'm sure my preference towards not using a black command line would drive him crazy.  :-)

He talked about how he doesn't call the business relationships he has as “clients” as that makes him feel like there is a disconnect.  Rather they are “customers” because each time they come to him, he has to re-earn their trust and he needs to nuture the business relationship.  That's an interesting comment and a good outlook on business relationships.

For all the technology we support around here, it still comes down to people, doesn't it?

ASP.net form vulnerability

I first spotted this on LeastPrivilege.com and Dana follows up on his blog about the issue.  The good news in this as yet unpatched vulnerability is that IIS6.0 is not affected.  That means our little SBS 2003 boxes are not affected by this issue and can go back to doing what they do best.  Staying on the latest platform means that you get all the best protection afforded to you.  Thus Windows 2003, Windows XP sp2, it all adds up in layers in your environment to keep you safe.  Dana and I were IMing over the issue of ROI.  You get nailed ONE TIME with a virus or disaster issue and suddenly your budget for such events goes shooting through the roof.  CFOs can't compute the cost savings from protection and so they can't compute a proper ROI on an upgrade.

For SBS 2000, as per Dana we're guessing that we probably dont' use .NET auth but a nice good IIS lockdown and URLscan on our boxes will proactively protect us and is a standard “good thing to do anyway“.  If you have port 80 open, hosting a web site on your SBS 2000 box and you haven't done IIS lockdown and URLscan?  What ARE you waiting for?

Switching gears, I was reading the incidents.org home page and a story about how a damaged computer was stolen and resulted in the loss of data, of personal information, of tax data should be a reminder to all of us that we have just of important “stuff” on our home systems.  They need backups too.

We'd like to announce the latest introductions to the SBS MVPs and SBS Family Members

Andy L. Goodman
Calvin McLennan
Chad A. Gross
Cris E Hanna
David B. Nickason
Dean Andrew Calvert
Eugenio Zilocchi
Frank McCAllister
Frederick Johnson
Harry Brelsford
Henry Craven
Jason Gerend
Javier A. Gomez
Jeff Loucks
Jeff Middleton
Jim Behning
Kevin Weilbacher
Les Connor
Malcolm Osborne
Mariette Knap
Marina Roos
Merv Porter
Michael Cocanower
Michael James Jenkin
Michael William Malloy
Nick Whittome
Roger Otterson
Steve Foster
Steven Banks
Steven Lai
Steven Teiger
Susan Elise Bradley
Tadeusz Lopatkiewicz
Wayne Small

Small Business Server Family Members

Eliot Sennett

Grey Lancaster

Grey is also the first recipient of the “Grey award”.  

The award is bestowed upon by members of the MVP community and is a 
permanent award for past service for members of the MVP community who 
have found there is real life out there and have decided to join it.  
This is not an official Microsoft program.

The award package includes invites to locations around the world 
[assuming he or she pays his own way], sleepovers in the nicest houses, 
and the offers of beers [and at least one mountain dew] whereever and 
whenever he or she meets up with current and/or former MVPers.

Blog World - Say hello to Eric F

Blog world!  Say hello to Eric Fleischman and his new blog.  So you probably want to know all about Eric, right?  Well to us MVPs he's Mr. Debug man.  Give him a nice fat juicy debug file and he's probably in seventh heaven.  He is down in Mothership Las Colinas and while he's not an “SBSer” in the job that he does, he certainly has the friendly SBS family spirit.

You know we always see Microsoft as this big bad evil empire, but in reality, it's a lot of “Eric's” around there.  I'm an admin, he's a “deep weed” person.  You know, someone who works deep in that gunky stuff I never have to worry about.  Who loves problem solving, resolving an issue, figuring out why something isn't working as it should.  He gets into that section of Windows that we/I don't even touch - lots of active directory stuff.  The issues he faces, the customers he touches could run circles around me and what I do, but the cool thing about Eric is the way he treats us little guys.  With lots of respect.  And for that, I thank him very much.

Sometimes I look around at the company I keep and wonder, how did a little SBSer get to rub shoulders with all these folks.   I was at lunch today with a gal pal and was telling her how I had all these people from around the world on my IM.   But you know what, I've found in my travels in the Internet that in the tech world, people talk geek.  It's a universal language across the globe.  It crosses international boundaries and builds bridges across the globe. 

So grab some popcorn folks,  subscribe in Newsgator, and welcome Eric to the Blog World!

Yes I changed the "skin"