E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

I want an RSS feed and I don't think I'm the only one

On a couple of listserves, WSUS, and Focus on MS, I've seen some folks talk about how their first indication that Office 2003 sp2 was when their workstations popped up with a “you have patches to install” icon.

Hands down the Security folks have the SDcubed +C nailed.. Secure by Design, Secure by Default, Secure by deployment and Communication.... the Security patches are communicated to us ahead of time, we know what code is installing on our box.

But if you want us admins to 'trust' enabling autoupdate on our workstations, you HAVE to inform us that you are going to be releasing Serivce Packs that will be coming down on Microsoft. Update.  Yes,  I know it's not a security bulletin and thus not your communication responsibility, but go wack the team upside the head in Service Packs that should be communicating better.

If you want me to enable auto updates, then let me know what's coming down on my box.  I should not use the “updates are being downloaded icon” to be my communication vehicle for such things. 

Gentlemen, I want an RSS feed of any bits that hit my machines.  As an admin, I've been asking for a email notification for Security patches for many years now.  I've upgraded my request... these days I want an RSS feed.  But the bottom line is, I'm not the only one who was blindsided by that SP coming out.  And as I'm the controller of my network at the office, I don't want to have to use my Laptop where the AU is enabled to be my “what new code is going to be offered to me indicator”.

Hey check this out!

There's a SBA [small business accounting 2006] blog!

 http://sba2006.blogspot.com

Small Business Accounting 2006 fixes the "suckage" problem

One of the things that I said needed fixing in SBA 2006 now is fixed... Suckage.  SBA needed to...had to... pull over ALL transactions from Quickbooks.  The original version did not.  They've just relased the update to allow the software to be 100% pull of transactions from Quickbooks to SBA.

This download provides the update to Microsoft Office Small Business Accounting 2006 to enable import of transactions from Intuit QuickBooks.

Someone said that it wasn't CPAs that would drive SBA...but rather the customers.  So true... your customer will buy it and you'll need to learn it.  I'd sign up for the MPAN program to get a head start..

I have a yellow Shield on my laptop today [Office 2003 sp2]

And since this is my laptop, and I'm on the road, I'm probably going to say “wait” and install later.

 Office 2003 Service Pack 2 provides the latest updates to Microsoft Office 2003.

Now I should 'fess up ...and fix up...the fact that I was running ... oh sorry Dana.... Local admin again because I was needing to adjust network connections so Steve and I could share my Aircard connection on the road.  And the RunAs just wasn't working.  We wonder if it was because I have a blank admin passoword.  Now why would I do that you say?  For one.... I put this laptop in my backpack and it goes with me everywhere so I ensure I have physical security of it, secondly a blank admin password means that the Admin account cannot be accessed over the Network.

So Dana... I'm flipping myself back to restricted user since today is registration day at the Summit.

Sharepoint SP2 - revisited

From the mailbag today...

For what it's worth, the KB announcing WSS SP2 does NOT include SBS2003 in the 'Supported Operating Systems' list and when I ran MU on my SBS box, WSS SP2 did NOT show up in the list of available updates. Then again, SP1 does not explicitly specify SBS, either. Still... based on that, SP2 is not getting installed until a SBSized version shows up, or until many other people have successful installs!

First off... you won't find 'generic' service packs that explicity say they support SBS when we are just merely the sum of our parts.  If you are expecting any patch for Windows 2003 to say “SBS”, you will have a long wait.  Any patch/;service pack that goes on 'normal' Windows 2003 goes on SBS.  Flat out don't expect a KB or patch to explicitly state SBS unless it's “ONLY” for SBS.

Next, I'll have to check the MU on my own box, but you 'can' install it manually you know.  We will be installing it later on our own machines.

Lastly, the SBS Dev team pinged us today in fact that this patch has been tested and approved on SBS boxes. 

Bottom line, unless EXPLICITLY stated in the KB that it  'can't' go on SBS, it's approved on our boxes.

Update... got a ping that this Sharepoint SP2 “will' be on MU/WU ...just a bit later on.  It just happens to be only on the download site for the time being.  So, for now it's on the Download center but will be on the WU/MU in the future.

Again, this IS fully supported on SBS boxes.

Feedback

I got a ping today and in the email this was included....

“My biggest concern is that the last 3 calls to Microsoft's Business Down Critical Support have yielded no help whatsoever and the communication issues have been a huge issue as well.  Our techs don't even want to call support any more as a result, and I want to pass this concern on to someone who can make sure it is heard”

Ouch... that hurts...and something that is a real shame to hear.... if you don't like what you are seeing give feedback... it's the only way things will change and get better.

Are you a Small Business Specialist member?

If you are... boy do we have an offer for you!  Level Platforms and Microsoft has teamed up with a cool offer!!

Check it out!

Looking for the Bkrunner.exe script that was mentioned in the blog

Steve Foster did the [hack] fix for the backup script and the link is specifically here.

You need to sign up for the sbs2k-subscribe@yahoogroups.com and log in and set up a profile and download the adjusted script/hack there.

Windows Sharepoint Services sp2 released

Bill reminds us that Windows Sharepoint Services sp2 has been released.

Now, keep in mind that ANY service pack for our parts is perfectly fine to put on a SBS box, but I personally am not at home and I won't be testing this yet. 

We do have some special customizations for Sharepoint, so if you'd rather one of us crazies in the newsgroup installed it first, triple checked to ensure that there are no issues with this SP2 on our SBS boxes, I would say you are a wise person.

Installing patches on SBS boxes is only fun for me the wacko SBS patcher.  It's really NOT fun at all if a patch affects the system,even if it's a minor annoyance.  It breaks the confidence of the client in your ability to be their outsourced CIO.  I know many consultants who, if they are traveling, or busy with other projects will wait on service packs like this Service pack.

If you've set up WSUS to pull down service packs and auto apply them, you are indeed a 'bleeding edger'.  Just remember that those of us who are more into control, we don't set up our servers to auto patch anything.

P.S.  I have no idea what will happen if you install Sharepoint SP2 and then attempt to install the SBS 2003 sp1 bundle.

Geek train trip status report

Met a lovely Austrailian couple on their way to see their daughter in Canada.

Met Ben's mother [fellow MVP]

Met a husband and wife from the states tonight, and each time I'm sure bored them with geek talk of “Patch Tuesday.  But that's six folks that now know that second Tuesday of the month they should expect a patch from Microsoft.

Talking with travelers it reminds me that it does need to get eaiser to operate a computer... it's still way too geeky.

Ben, we met your Mother on the train

On the train eating lunch and of course I get into my “bore the other people at the table by talking geek talk” aka patching, security issues and what not.... and we start trying to describe what we are and why we're going to Seattle and the lady across the table starts saying that her son was going to be up in Redmond starting Wednesday.

She says he doesn't work at Microsoft, but he does a lot about Digital Media and helps online.... hmmmm we start to think....

Steve and I look at each other and say “will he be there Wednesday through Saturday?”  Yes.  We look at each other even more..... “What's his name?”

Ben Waggoner, Microsoft MVP for digital media... Steve Foster and I had lunch with your Mum on the Amtrak to Seattle... hope to meet you in person!

Wouldn't it be funny if he ends up in the same hotel as we do?

The 'other store'

We walked into the “other' store in San Francisco.  The Apple store.  And while one could argue that the tack that Microsoft has taken with it's 'open' platform that allows anyone to upgrade and build on the Windows platform, man could Microsoft take a page or two or three or four out of Apple's marketing playbook.

Young, hip.  With a presentation section that had a young woman talking about 'using' the Mac to the “Genius bar” that allowed you to book expertise to help you migrate data from one Mac to another Mac or... uh... migrate from a PC to a Mac. 

And with displays that are pleasing, uncluttered....not like the glaring, noisy, jarring Best Buy with the absolute information overload of varieties of Personal computers and laptops.  

Designs of systems that just are clean and stylish.  Don't tell Steve Foster this, but even challenges his Acer Ferrari laptop up for a coolness award.

Training ...education...not just shoving stuff and warranties at you with blaring rock music in the background.

Mac, I have to give you guys hands down credit.... in the marketing and buzz department you kick.... you majorly kick.

Next stop Seattle

Sitting in the Emeryville train station waiting for the 10:12 Amtrak from Emeryville to Seattle...and Steve Foster and I are sharing out the Sony Ericsson Aircard between my laptop connection .... so the two of us are sitting here ...me blogging him IMing to folks asking Steve ...why in the world is he taking the train when he could drive or fly there faster.. well mainly because I asked him to. 

I find that train travel is very relaxing and some of the routes even have WiFi...and well.. with the Aircard, we're sort of bringing our own.

Now if we could just figure out how to do streaming video of the season premier of Desparate Housewives we'd be all set......

Accepting risk

So sitting outside the Meteron in San Francisco where they have wireless network..... and here's what I had to agree with....

Acceptable Use Policy
  
This document provides a general description of this hot spot's policy on the Acceptable Use of this wireless public network.
 
Activities that adversely affect the ability of other people or systems to use this wireless network or the Internet are prohibited, including launching of denial of service attacks from your computer. Users of this wireless network shall not knowingly collect or solicit personal information from a minor or use this Service to harm a minor. A minor is defined as any person under the age of 18 years old.

Security Information and Liability Disclaimer

THIS SERVICE PROVIDER provides public wireless access to the internet.  Public wireless services are not inherently secure. Computer viruses, worms and other programs can damage the user's computer. Hackers may attempt to penetrate the user's computer and download information from the user's computer. Unprotected access to files on user's computer may be visible to hackers. Communications can be intercepted by equipment and software designed for that purpose. This network does not use WEP encryption. Operator of this hot spot strongly recommends that users of this wireless network take measures to ensure the security of their wireless connections, such as VPNs, encryption and personal firewalls.

This is a public wireless network. By connecting, you may be exposing yourself to privacy invasion, viruses, or other malicious programs. You are solely responsible for protecting your privacy and equipment from such programs and attacks. Metreon is not liable for damages arising from the public nature of the network.

Super G and Steve F and I were laughing ...who protects us from the minors?

SF and Internet access

Walking along the streets of San Francisco and seeing the Internet cafe's always brings up the issue of security and keystroke loggers.  Steve Foster suggested that you turn on the accessibility keyboard so that you aren't 'typing' in your password but using the mouse to enter in your password instead of a keystrokes.

I never thought of that one....

In my office, our policy is to not use Internet kiosks for access back to the corporate network.

<btw I titled this wireless first and I renamed it Internet access as wireless had nothing to do with the post... too much wind in the brain hanging off the edge of the Cable Car,,,what can I say>

The checklist

Geek clothes....

...more geek clothes....

... Blogging T Shirt.....

Power cords......

Cell phone power.... [and btw you would think that a cigarette lighter that's supposed to be a mini usb would fit my Audiovox but it didn't and Steve and I were in Yosemite today with my dead cell phone... cut off... no email...no IM... no...oh yeah we were taking the day off weren't we?

Check the weather report ......

Get maps to San Francisco and Frys....

Print out PDF with full detailed info on where we 'think' we will be.

I know I'm going to forget something....

oh..yeah....

Don't forget the train tickets.....

PEAP, WPA and .....uh what?

From the mailbag the other day....

Susan,

Okay, so I'm pretty sure that WEP has been "dead" as a viable wireless security option for at least 3 years, right?  I mean, sure, there's plenty of home users using WEP or WPA because it's easy, but I think even in the SMB community, we're not advocating WEP, or even WPA anymore.

About 4 years ago I had a few clients fired-up about 802.11b; secured with 128-bit WEP keys. did a few implementations, and then interest seemed to dry-up in the SMB market that I served.  Well now, finally. in 2005 I'm starting to see some renewed interest.  Not just among the "let's replace our Ethernet infrastructure with wireless" crowd, but among customers who actually generate revenue.  

What I'm seeing that they want 1 of 2 things - sometimes both.

1)         Internet-only WLAN for use by guests/contractors/etc., where ease-of-use is paramount, but with the capability of accessing the corporate LAN for employees via some secured means.

2)         A "really-reliable" and "really-secure" wireless infrastructure to co-exist with the Ethernet infrastructure (everyone complains that the WLAN drops occasionally, but I have very little confidence that any solution will be notably "better").

(Granted, for the life of me, I can't figure out why everyone insists on sitting at their desks and using the WLAN, when they have an Ethernet port on the wall that they can plug into, but I digress.).

In working up a technical overview, I'm coming up with the options, and wanted to run them by you, and get your take.

Goal: WLAN for guests.

Option A: Build a solution with an open AP and some solution to redirect all traffic to a given gateway/registration web address.  Then offer a PPTP or IPSEC VPN tunnel into the company LAN for employees. 

Option B: Buy an out-of-the-box solution like a Sonicwall TZ170 which purports to support all that stuff. 

Goal: Secure, corporate LAN for SMB:

Option A: RADUIS backed 802.1x WLAN solution. Cons:  Need some infrastructure improvements (switches, services, etc), and owner buyoff on time commitment.

Option B:  WEP-enabled AP on the outside of the LAN; require VPN access through RRAS to access LAN.  Or, any other suggestions?

I haven't done anything with 802.1x yet for any SMB customers, so there's going to be a learning curve.  I'd really like to do this, because it would add value, and be a good learning experience, but I don't think I'm going to get owner-buyoff on this right now.  Have you done much with wireless lately, and if so, what's your take?

Uh.... Mr. Mailbag... I'm right behind you.  I don't have wireless on the “inside” of my networks either...they are still 'outside'.  Now they are running WPA these days and not WEP [as WEP should be shot dead], but I've yet to take the time to read the SBS Admin book [Charlie Russel/Jason Gerand] and go through their excellent guide on how to do that.  I'm not quite ready [nor truly have a need yet] at my office, but truly should do it here at home.  For example, poor Steve Foster who is staying here this week has no access to printers or anything else even though he's able to get to the Internet.

What I'd really like is like what we get to see when we go to Microsoft... smart card deployment that unless you have the magic card, you cannot get on their network period, and you REALLY can't get on their wireless.  Fire up the netstumbler and you can see the poor device go crazy with MSLAN way before you see the true campus off the freeway.  But they are just that...secured... and you can't get on them.

So Nick?  After I get back from my trip to the Mothership Redmond, I'll be cracking open that Russel/Gerand book myself.

I'll let you know how I go...

Who's on first?

From the mailbag comes this question....

How in the heck do you know who's on first (let alone second and third)?

I am sitting here reading your blog, and checking out several of my clients' server via remote desktop and I need to reboot one of them. You know, it used to be a simple thing, but now, with RWW, Sharepoint, VPN, GoToMyPC, et al, how do we know who is logged on and working and using the network when it appears to be in a restful state? I always go to the Computer Management console and look at open files under Shared files, but that really doesn't cut it either. Any tools to do this, or just close your eyes and hit the button???

Also, one other thing, have you heard of any way to audit actual logins and logouts? Not those 100's of 1000's of login entries in the security event log. Just, Freddie logged in at 8:45AM and out at 5:02PM and then logged in at 7:30 from home and out at 3:02AM. That kind of thing. You know, for all the emphasis on security, actually tracking who is doing what to whom is woefully inadequate in Microsoft's world.

Data.  I will agree with you that audit logs throw off a lot of data.  And it's data that we need a filter for all this data, don't we?  Too much information, unfiltered is just that... information. 

I'll answer the easy one first on how I do it.  I know in my office I have a way that i can tell if someone is logged in... I have Live Communicaiton Server because I had SA on SBS 2000.  When I remote in to do patching, in addition to doing exactly what you do, I have a better check.... I can fire up Live Communication Service [aka the internal lunch menu instant messaging system] and I can see if anyone has a 'live' IM.  If they are I can ping them and send a message to them saying I'm patching. 

The other way to do it is to set aside a maintenance window.  “Between the hours of # and # your systems may be rebooted“ or something like that. 

As far as tracking logins and logoffs, I know that Dana does centralized logging with third party auditing tools and the guys from PSS Security use some specialized tools to filter out auditing.  I know that I just use the native filtering when I analyze the logs, but I agree it could be easier.

I'll leave it to the folks that suffer the 'captcha' to comment, and anyone else feel free to ping me with ideas at sbradcpa - at - pacbell.net.

P.S. ...if someone is using gotomypc inside a SBS network... go ahead a reboot.... I truly can't find a reason why you would need that inside your network anyway....

What's the catch?

Many times there are two camps of folks learning about SBS....

Camp A - aka 'what's the catch' when they find out about the pricing of SBS

Camp B - aka 'do we have to use the wizards?

This download is for a bit of both worlds....

The slide deck and questions/answers from the Web cast address some of the common myths in Windows Small Business Server environments.

You DO know about the TS2 blogs don't you?

I hope you are following the TS2 blogs.....because if you did you'd find out the following....

Also, we've received word that PSS will support the hosting of the SBA database on a SBS 2003 Standard Server!

Hoooraay!!

You may receive a stop error if you are running PcAnywhere with A/V

You may receive a "Stop 0x00000020" error message on a computer that is running Windows Small Business Server 2003 or Windows Server 2003:
http://support.microsoft.com/?kbid=905539

This problem is known to occur on servers that are running Symantec pcAnywhere 11.5 with Symantec AntiVirus 8.x or with Symantec AntiVirus 9.0. An updated version of the Symantec Event Handler driver (Symevent.sys) causes this problem. The Symevent.sys driver is installed with pcAnywhere 11.5. The Symevent.sys driver causes the Symantec real-time protection drivers to generate the "Stop 0x00000020" error.

To resolve this problem, download and install the latest Symevent.sys driver.

My comment... what the heck are you doing running PCAnywhere on SBS when you have practically forty trilllion ways to connect to that box without using a third party program.  If your vendor demands that they have to have PCAnywhere... get a new vendor!

P.S.  Okay so forty trillion is an overstatement...but still...

Got bit by the ActiveX/Spybot false positive bug?

Stealing this from the newsgroups from JJDavidson.....

If you've been getting errors from RWW/RDP recently, particularly "This portion of the Remote Web Workplace requires the Microsoft Remote Desktop ActiveX Control" or "An invalid server name was specified" you may have been hit by a false positive from an antispyware program, particularly Spybot S&D 1.4.  This affects the machine connecting to RDP, not the target machine.

Spybot set a registry entry to set the kill bit for the Microsoft RDP ActiveX control.  Although the latest Spybot updates no longer immunize against this control, it's apparently unable to undo the existing block, so you have to do it manually.  Some details are on the Spybot support forum here and here:

http://forums.net-integration.net/index.php?showtopic=32952

http://forums.net-integration.net/index.php?showtopic=32934

Disabling/uninstalling Spybot will NOT fix the problem!  Other antispyware programs may also have blocked RDP (AdAware has been mentioned), but the

following will fix any of them (at least temporarily).

To fix one machine, navigate to the following registry key and delete it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX

Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}

To build a file to patch several machines, save the following as a .reg file.  Remove any unwanted line breaks (the file should be six lines long including comments).  Then merge it into the registry on machines attempting to connect to RDP.

REGEDIT4

; --------------------------------------------------------------------------

; The following code will remove the ActiveX Compatibility restriction on

; CLSID = {7584C670-2274-4EFB-B00B-D6AABA6D3850}

; Microsoft RDP Client Control (redist)

; --------------------------------------------------------------------------

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}]

That Exchange patch from the other day

Just a reminder in case it wasn't clear....

The patch that came down last week, 888619, says in the KB article that you don't need to reboot, but on our boxes, it clearly does need one.

And if you are on SBS 2003 with no Service pack, you need to reapply 843539 to get it back to the expected behavior [keep in mind that I've heard a few folks say they've seen a server or two that 'hasn't' needed this...so your results may vary...

So to recap....

• Reboot
• Reapply 843539 [if you are not on SBS 2003 sp1 and merely just have Exchange 2003 sp1]

Needing to put Domain\Username back into OWA and you didn't before?:
http://msmvps.com/bradley/archive/2005/09/19/66948.aspx

WSUS and MU offering a fix and issues with KB 888619:
http://msmvps.com/bradley/archive/2005/09/16/66706.aspx

So how do you make a drive letter out of Sharepoint?

So after the blog post the other day, people asked how do you map a drive letter from Sharepoint.

Easy... on a workstation give this a try.

Click on My computer, tools, map a drive, pick a drive letter and when the 'browse' box shows up, just put “wack wack” or \\companyweb in the browse box and voila..you get a tree structure of your Sharepoint. 

There's your drive letter.

Now I wack off autodisconnect so the drives don't fall off, but you could probably script this from a login script as well.

Upcoming events in the blog

Just a heads up... blogging the next week will be a bit “unusual” to say the least.  First off on Saturday, Steve Foster and I are driving to San Franscio on Saturday to do a bit of sightseeing, then taking the train [yes THE TRAIN] from San Francisco to Seattle. 

Which means....

Blogging via train!!!

Then onto Seattle for the MVP summit!

oohh yeah... there just might be a road trip to Fry's in route you know.... hey.... gotta show Steve the geek tourist views you know!

I just LOVE Tom Liston's posts

Just a shout out for today's Incidents.org diary post.  I can always tell when Tom Liston is at the keyboard.

Love that man's posts.

So how can you save from Outlook email to Sharepoint directly?

So I have these attachments that I wanted to dump straight into Sharepoint..but they were email attachments in Outlook...so...I asked the gang and Javier said.....

Save it to Sharepoint just like you would save it from any other application.

Right-click on the attachment-> Save As-> type http://companyweb (or https://whatever.company.com:444 if you are doing it externally) on the file name to open the sharepoint site and select the folder you want.

Of course, if you plan to do it more than 1 time-> Either add the folder to Network Places or create a drive letter for Sharepoint.

and then he said....

By the way... 

Since the day I learned from Chad that I could access 
Sharepoint as if it was share or drive letter my VPN usage
 has hit an all time low.
In fact, for the most part I'm not even VPN to clients anymore  :-) 
 
-Javier

Cool!

Is your VPN slow? Maybe it's the app that doesn't like being on the VPN?

From the mailbag today....

At work I have SBS running RAS on a 3 Ghz Xeon box w/ 2 GB of RAM.  It is connected to the internet via DSL.

When I VPN into RAS from home using the Windows XP VPN client (PPTP) over a cable internet connection and try to run an application or do anything else on the server it seems pretty slow.

When the connection is active I can go into the task manager on the server and look under the networking tab and it shows the connection as 28Mbps.  The same connection on the client end shows 100Mbps.  

Why is this?  Is a 28Mbps connection what I should expect?

Also, the connection on the server end shows active under task manager (but not under RAS) even when it is not active.  What's the deal?

For one thing, unless it's changed, the connection in the window is not indicative of the real speed.  It might be that the application doesn't like to be pulled across the VPN like that...what's the app first and foremost?  Some apps hate being over a VPN.

Next, I'll be honest with you ... I haven't VPN'd in eons... we RWW almost exclusively.  You might have to look into setting up a TS box or additional workstations for RWW.

I don't salute you one bit....

 James Coates says....

"I salute you for keeping a Windows 98 computer running in the face of enormous pressures to upgrade to XP,"

And he gets PAID to write this?

And he's a technology writer?

Do you backup your CALs?

Do you go inside the Licensing console and backup those CAL licenses?  What?  You don't?  You do realize that if you have to [heaven forbid] rebuild the server, that you will have to call up PSS/Licesnsing and reactivate the CALs.  But if you just take a quick sec to dump out that licensing file to a place on the server, back it up ... say stick it on YOUR server ...say in a Sharepoint database or something.... you can save yourself a lot of hassle.

Back it up.

Mind telling me which one, dear?

So the backup failed last night and I remote in to look at the log file errors....

“Verify of "F:"
Backup set #3 on media #1
Backup description: "SBS Backup created on 9/19/2005 at 7:00 PM"
Verify started on 9/19/2005 at 10:30 PM.

Error: An inconsistency was encountered in the requested backup file.”

Okay... that's nice...mine telling me which file?

Steve Foster posted up in the SBS2k yahoogroups a patched backup script [bkprunner.exe] that excludes the verify command. [the file is in the Yahoo Files section] 

Hmmm.. maybe I might want to try that if I can't figure out what file it doesn't like?

Now the Backup troubleshooting page says

Backup fails, reporting "An inconsistency was encountered."

Cause:  You are backing up to a UNC path on the local computer that is currently being backed up.

Solution:  Use the Backup Configuration Wizard to change the destination of the backup to another location. Alternately, you can use the wizard to exclude the UNC path from the backup.

Merv talked about his backup resetting and including the drive of the backup as well... I wonder if that's what's happened to me? Hmm.... doesn't look like it.  Okay so maybe I'll wack off the backup verification.

Update - also in my log file was a 'bad block on device 2' which of course is the harddrive.  So I flipped that one out and the backup completed perfectly tonight.

October 19th! It's stump Ray Fong day!

Exchange Server 2003 General Discussions
Come join us this 1-hour open Q&A session about Exchange Server 2003. Experts from our Exchange Admin, Exchange Client, and Exchange Connector team in PSS are ready to answer any of your Exchange questions. Questions from setup, disaster recovery, public folder replication, mail flow, Outlook Web Access, or even interoperability with other system, you just name it and we will give you an answer!

Okay folks here's your chance to throw your nastiest Exchange questions at one of the best, Ray “THE MAN” Fong.  Given that Steve Foster heard at the PDC that us SBSers have more Exchange deployed, it's no wonder that a former SBSer is now an Exchanger.

Hey... ask him about the upcoming Service pack 2 that will let us go to 75 gigs of junk email!

October 19th, Noon pacific time... BE THERE

Add it to your calendar!

Needing to put Domain\Username back into OWA and you didn't before?

According to the folks at the Microsoft Professional Developer's Conference, a lot of the Exchange installs are SBS boxes... but there are times I feel like we need the Exchange team to get a bit more SBS love.  We're not quite sure what happened with the Exchange update but it appears the following is going on:

Last Thursday/Friday, we got offered up on Microsoft Update and WSUS, a hotfix [not a security fix] KB 888619.  We're seeing the following issues:

• If you have SBS 2003 NO service pack 1 it appears you need to reapply KB 843539 even if you applied it already
• If you have SBS 2003 with SP1, it appears you are fine [it's working for me]

I did have in my office after the reboot on Friday that my SQLAgent$SBSMONITORING didn't start back up again automagically thus I had to manually restart it this morning [thanks to my handy dandy 6 a.m. in my face email alerting me about the health of my server, thank you SBS dev team for that]

If you are seeing any other interactions/weirdness/full moon/sunspots ping.

You worried about passwords?

Got 98's in your network?  You do?  The you are running with LanMan hashes inside the network.  These hash values can be VERY easily sniffed and the password 'cracked' if you have access to the network.

But... read that again....

IF you have access to the network.  And that's the key... IF you have access to the network.  Physical access is probably the highest risk and that's why your biggest risk is from insiders most days not outsiders.  Remember it's law number 3 of the laws of computer security.  If someone has physical access to your computer, it's not your computer anymore.

Yeah, hash values can be remotely grabbed and taken offsite, but the risk of that in SBSland is rare in how we set up our network...and even then, I would argue that in SBSland that's not our biggest fear.  I don't think we spend enough time looking at how we set up the inside as gooshy as we do.

Check out Sysinternals AccessEnum tool.  Run it in a test network.  What level of access and permissions are we giving folks?  Is it too much?

.... hmmmm... I just thought of something... Steve Foster has physical access to my home network right now... and my laptop......

....hmmmm.... I might be in big trouble.....

Restricted user and wireless

One interesting thing, in my quest to ensure that I won't be ragged on at the Summit for running as local admin on my tablet, I found that when I switched the account to restricted user... and later adjusted the wireless to not need WPA, the connection would only become stable if I logged in that account with admin rights, hook onto wireless and THEN flip back to restricted user.

Weird. 

It's like it needed to log in as admin with the necessary pieces it needed and then it would become stablized. 

Steve was showing the new PDC build of Vista [he's got his Ferr-whatever Acer set up for triple booting].

Some cool things ahead...

Please be aware...

You see... these are mine... those aren't....

Having a friend come over to stay and purposely opening an outside Wireless access point to make it easier for him [ala Hotel you know but without the $9.95 bill] as well as leaving my WPA one intact.  And as I'm typing up the instructions as to which access points are mine and which ones are not... it struck me funny.

Yes Steve, you can use the ones called “Heckno” and “Yeahright” as those are mine but the “Linksys” and the “2wire” are some neighbor somewhere.  Try not to use those if you can, dear.  It's also funny to fire up the Netstumbler as that can find APs that people have taken off the SSID but you can still see they are there.  SSID removal doesn't always add a layer of protection some would argue.. as they still can be sniffed and hacked.  Conversely sometimes they make it harder to attach to without the SSID.  So some would argue that it's no protection at all.

For now I'm giving the world the right to attach to “Heckno” because I purposely made it open.  I chose with WPA that “Yeahright” is not.  That's my line.

Pringles cans or no Pringles, one I've made the choice to open one up and keep the other closed.

Note to self.. before leaving for the summit... pack back up again the travel Wireless router [aka the Anne and Susan router] as that's what's broadcasting. 

Defragging, Repairing [NOT], and rebuilding Exchange oh my!

Since a certain person won't blog this excellent post, I went and grabbed it from the Archives of the AD listserve.

Click and read.

The highlights....

• The /p switch ...
• Repair (/p) is destructive.
• Aside: NEVER run repair on an AD database.
• Defrag (how it works) ...
• Space Usage ...
• White Space ...
• Miscellany
  
  

How to get started?

Got a ping today on how to get started consulting for SBS boxes.

• You read this blog that's a good start
• Go to www.mssmallbiz.com and check out the resources there
• Sign up for smallbizit-subscribe@yahoogroups.com and check out the consulting agreements and sample contracts in the file download section
• Do lunch and learns for professional groups...like CPAs.  Call up the local CPA society and offer an educational course on Networks or better yet on Microsoft Small Business Accounting 2006 and tell those CPAs to sign up for the MPAN program
• Sign up for the Microsoft partners site as a mere registered partner, get the action pack and start learning

oh yeah ... one more thing.... www.sbsgroups.com there just happens to be a User group in New York Elijah... hope you can attend!

Do we really value ourselves properly?

How many hours will you bang on an issue before you call for help?

An hour?  Two?  A day?

I mean do they assign a value to your time spent dealing with an issue?

What about you?  The IT Pro?  I've had this rant before, but sometimes it spills into buying products or services as well.  The idea that a consultant will not call for support and pay the fee, or will not buy a product that will make his or her life easier.

Don't you value your time?  Don't you value your expertise?  Why will you not look at the cost of a product and thing of the time savings you will have?

Think about that the next time you hesitate before spending money on something to make your life easier.

WSUS and MU offering a fix and issues with KB 888619

If you have chosen to have WSUS offer up 'all patches but drivers' and you find that...

• Exchange doesn't work
• /remote doesn't work
• /exchange doesn't work

You are not alone... Reboot your box and you should be okay [if you are NOT, ping me]

The value for the PR_ACCESS property that is returned from the DAV PROPFIND method is always read-only in Exchange Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;888619

Looks like we got offered up that KB on WSUS that also hit the download site that is causing a bit of issues in SBSland.

Better yet, don't install it.  It's okay to install it but you may need to reopen Outlook.

Better yet, don't auto update on servers.  Desktops I have less issues with... servers...uh..no..I want to know what got applied when thank you very much.

 WSUS offering 888619: do NOT install!: 

I'm going to say that I think we're okay applying this...but I truly do wish they'd give us a heads up next time...

I do wish there was some sort of heads up email for WSUS and MU patches.  This was offered up on both WSUS and MU and sorry folks... I'd like to know ahead of time rather than the IM backchannel alert network that we have  to use these days.  Admins need patch planning ...not oh gee what came down on Microsoft update now ....detective work.  Tell me, inform me, RSS me, but let me know when you are going to be offering code up to my box, okay? 

Update 2 - Make sure if you had Outlook open that you close it and reopen it.  Mine wouldn't grab the new email until I did.

Group Policies anyone?

From the mailbox comes the question about setting up group policies...and the poster talks about setting up all the local users within their own Organizational Unit...but here's the thing.. I'm not sure if he's mucked with the “My business” OU...the one that Lanwench even says “stay away from”.

Next, keep in mind that SBS has many default policies ...or should anyway.... and one of them is a Password policy that you can adjust.  Remember inside the Connect to Internet wizard the password policy even asks you what you want to do.

Rule of SBS

Set up ADDITIONAL OU's and make sure you leave “My business” OU right where it is.

Figured I'd better do this before the MVP Summit

There.

Tablet.

Laptop.

LUAized.

Yeah I know... way too late...but about time.

Dana talks about the new LUA/UAP stuff in Vista [Steve Foster is at the PDC and says it's cool]

Get ready for Exchange to grow

The Ehlo blog talks about the upcoming SP 2 that will allow our Exchange databases to increase above 16 gigs....hooray!  Consider that in mind when building servers these days.

If you want to read another 'weedy' type of blog post about Exchange...here's another.

If you really and truly messed up the OWA permissions

Someone really got their OWA permissions horked up pretty good, and before we just went and uninstalled and reinstalled, I remembered our dear friend Ray Fong had posted a “fasten your seatbelts we're editing the metabase“ post a while back.

THIS IS NOT FOR THE FAINT OF HEART AND I'M ONLY POSTING THIS SO I CAN FIND IT FOR THE NEXT TIME SOMEONE REALLY AND TRULY SCREWS UP OWA [and yes I know I'm yelling]

But as always...thank you Ray Fong!

1. Go to IIS, right-click servername (local computer), Properties.

Backup/Restore Configuration to save a copy of IIS settings

2. Right-click servername (local computer), Properties. Check Enable Direct

Metabase Edit.

3  Expand servername (local computer), Web Sites, Default Web Site.

4. Delete Exadmin, Exchange, ExchWeb, Microsoft-Server-ActiveSync, OMA (Do

Not delete exchange-oma)

5. Open MetaBase.xml with Notepad.

6. Locate the following object where ID = 61472

  Location

="/LM/DS2MB/HighWaterMarks/{57F70E62-7E37-472B-A9F0-3BE08883AC5A}">

                Name="UnknownName_61472"

        ID="61472"   (<---- This one)

        Value="53322"

        Type="STRING"

        UserType="IIS_MD_UT_SERVER"

        Attributes="NO_ATTRIBUTES"

   />

7. Change the Value to "0". Your original number will not be "53322".

8. Save the file.

9. From a command prompt, type "iisreset"

10. Restart Exchange System Attendant

11. Run CEICW (ToDoList -> Connect to the Internet). Make sure you select

Enable Firewall.

Another one for the category of Ray-isms... dedicated to once a SBSer always a SBSer Ray Fong!

Installing a new A/V

So while I'm making sure I'm not getting ragged on at the summit, I realize my Trend a/v is getting close to renewal...so I re-up. 

Now here's the annoyance...because I'm going up to the 2005 version, I have to uninstall the old one.  And of course...when does it tell me this?  AFTER I've attempted to install the 2005 version... and of course that means I have to write down the Product Key code and all that....Oh wait ..never mind.. it kept the product key code ...now I'm doing the full install even though I use the XP sp2 firewall and the XP sp2 security center.

You know one thing that is amazing... how can the normal non geek understand what these anti spyware prompts are telling you?  Heck I don't even know what some of this stuff is doing!

One down, one to go

Okay okay okay .....

Convert c: /FS:NTFS

Volume name is ACER

Now in NTFS format

Now to LUAize it...now here's the funny thing... this Tablet PC has had it's registry hacked already for Quickbooks [it was the standalone non domain machine I used to do the screen shots]

Okay okay okay.. I'm trying to distract you again.... redownloading Thunderbird and installing it correctly now.... gonna walk the walk ... I know my gang at the summit are gonna rag on me if I'm not.

If you are an app developer... have I got a forum for you....

If any dev type folk happen to be down in Los Angeles at the Professional Developers Conference... and if by any chance anyone from the Intuitive Accounting application program is down there... can you really do me a favor?

Can ya

• Learn how to read Secure Coding Second edition
• Read the 19 deadly sins of Software Security
• Read Threat Modeling

And then join the Vista Technical forum on “Security for Applications in Windows Vista“.

Please notice that “I“ as a buyer of software posted the first post, so obviously you Devs from any Intuitive accounting software probably are still paryting down in Los Angeles for the next couple of days at the PDC.  I'll let you slack off for now, but I'll be watching to see if you start posting in there.

Security for Applications in Windows Vista - Microsoft Technical Forums:
http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=116

I'm working on getting your software buyers to care... can you work on caring as well?

Is your technology a risk to your firm?

Today I had to get a harddrive out of a computer that was running Windows 95.  Yes you read that... 95.  Yuck.  Dirty, dusty, with the fans protesting loudly that it was on it's last legs.  It was Quickbooks data for a firm. They had two computers, one was out in the shop and would boot into Windows 95 but sounded so horrific in the process that I was practically talking to the drive telling it to 'hang in there until I get that qbw file off'.  The other computer wouldn't boot at all.

With computers being as reasonably priced as this... why did this firm get so reliant on hardware that instead introduced great risk.

There's a video on the UK web site about the Acme Whistle Company which is based on SBS 2000 [they should upgrade if they haven't already], but the Technology officer of the Company talks about this... their technology was a RISK to the company and not a benefit.

Top Support issues this month

TOP SUPPORT ISSUES [remember as a Microsoft partner you get access to all of these resources, log into the Partner web site, into the Support section.

Please keep in mind, I've just put these here for Google purposes and to showcase what level of support you get, it's much better to get CSS support for such issues.

ALWAYS, WHEN IN DOUBT...CALL FOR SUPPORT

How to - reinstall config database, reinstall WSS, without removing content database

Problem Symptom

After applying Small Business Server 2003 SP1, the service MSSQL$SHAREPOINT stops immediately after starting it manually. http://companyweb displays "cannot connect to the config database"

Resolution

Get a new configuration database in place by doing the following.

1.Run the stsadm.exe command to back up the current http://companyweb:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\stsadm.exe -o

backup -url http://companyweb -filename

c:\backups\companyweb.dat -overwrite

2. Go into http://localhost:8081 and Remove WSS from companyweb, without

deleting the content databases:

 1) Virtual Server Configuration à Configure Virtual Server Settings, and

then choose Companyweb.

 2) Choose 'Remove Windows SharePoint Services from virtual Server' under

'Virtual Server Management'.

 3) Select 'Remove without deleting content databases', and then click OK.

3. Set the Configuration database server and change the name of

configuration database to STS_Config2:

 1) Get back to the main page of 'Central Administration', and then click

'Set configuration database server' under 'Server Configuration'.

 2) Change the 'SQL Server database name' to 'STS_Config2', and then click

OK.

4. Extend and create a content database:

 1) Get back to the main page of 'Central Administration', and then click

'Extend or upgrade virtual server' under 'Virtual Server Configuration'.

 2) Click to choose Companyweb under 'Virtual Server List'.

 3) Click 'Extend and create a content database' under 'Provisioning

Options'.

5. Go to http://companyweb and choose the blank site template.

6.Restore the companyweb using stsadm.exe: C:\Program Files\Common

Files\Microsoft Shared\web server

extensions\60\BIN\stsadm.exe -o restore -url http://companyweb -filename

c:\backups\companyweb.dat - overwrite

How to - Reinstall Companyweb after the SBS 2003 SP1 setup

Problem Description

After SBS 2003 SP1 installation, one uninstalls the Companyweb by using the

'Remove' feature in SBS Integrated setup; when they try to reinstall the Intranet component through 'SBS Integrated Setup', they are prompted to insert the CD 3: Insert Windows Small Business Server 2003 Disc 3 or point to location where Windows Small Business Server Setup files may be found.

However, after the original SBS CD3 is inserted and 'OK' is clicked, the

wizard then gives the error: The drive contains a disc for Windows Small Business Server 2003 with no  service packs. When the prompt appears, insert a disc for Windows Small Business Server 2003 with Service Pack 1.

Since the Companyweb (Intranet) installation part is in the SBS SP1 CD2,

The installation cannot proceed.

Resolution

I. Please DO NOT uninstall/reinstall WSS/Companyweb in the first place,

instead, we should try to figure out why the SP1 failed to install and give valid suggestions.

II. If you have to reinstall WSS as the last resort and you run into the

problem described below, you just need to change the value of 'isrunfromweb' to '2', under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer. That will make

the SBS Integrated setup program recognize the original SBS RTM CD2.

How To - Troubleshoot the issue that Backup doesn't work after the

installation of SBS 2003 SP1

Problem Description

We've seen some issues that the Backup fails after the installation of SBS

2003 SP1, the problem symptom is like the following:

1.            SBS Backup fails with event 5634.

2.            Backup log may be blank or not.

3.            Backup did succeed before the installation of SBS 2003 SP1.

The problem could be caused by any of the following:

· Driver not compatible with Windows 2003 SP1.

· RSM database corruption.

· Backup tape needs to be cleaned.

Suggestion

1. Can the backup be successfully performed by Ntbackup (utilizing the BKS

file created by the wizard)?

2. Disable the Exchange writer by editing the registry under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

MSExchangeIS\ParametersSystem:  

http://support.microsoft.com/?kbid=838183 , does the backup work?

3. Clean the tape, and then go to RSM to mark the tape as 'Clean'. Can the

backup run successfully then?

We've seen some issues that the Windows service pack 1 does not recognize

the media until the tape drive was "cleaned" (or marked as clean).

4. Uninstall the tape drive and remove it from the libraries, and then scan

the computer for the hardware changes. Once the hardware is detected, reinstall the latest driver.

5. Check if there's an updated driver and firmware for the device, if so,

apply it.

6. Rebuild the RSM database by calling product support serivces.

7. Can you successfully access the Backup snap-in in the SBS Management

console, if not, repair the backup web page by using the steps outlined in

http://support.microsoft.com/?kbid=842693 .

Issue - SBS 2003 SP1 reports error when Outlook 2003 files are missing from

clientapps

Problem Description

SBS 2003 SP1 appears to fail because the Outlook deployment files were not

installed, uninstalled, moved, or just deleted.

1. You will see the following service pack install error - "Windows Small

Business Server Service Pack 1

Setup has encountered an error. For more information, review the most

Recent entry in the setup error log in C:\Program Files\Microsoft Inetgration\Windows Small Business Server 2003

\logs\setup.log. Then correct the error and run the Service pack 1 setup again."

2. Setup.log will show all successes / no failures

3. Errorlog.txt will show "Microsoft Office outlook 2003 (ServicePack1):

[2]  : Error applying outlook sp1

MSP file to AIP

(C:\CLientApps\Office2003_sp1\office2003_sp1.msp/c:\Client~1\outlook2003\OUTLS11.msi),

(3)

4. Could be a slight variant of the errorlog.txt message depending on the

initial cause (not installed, removed, etc)

5. You will also see the following in the KB885918.log

109.468: ---- Old Information In The Registry ------

109.531: Source:C:\ClntApps\ClientApps5\Office2003_SP1\SETC.tmp

109.609:

Destination:C:\ClntApps\ClientApps5\Office2003_SP1\OFFICE2003_SP1.MSP

109.609: ---- New Information In The Registry ------

109.609: Source:C:\ClntApps\ClientApps5\Office2003_SP1\SETC.tmp

109.609:

Destination:C:\ClntApps\ClientApps5\Office2003_SP1\OFFICE2003_SP1.MSP

109.609: DoInstallation: A reboot is required because RebootRequired=1 was

specified in the inf.

109.609: DoInstallation: A reboot is required because the

ProcessesToRunAfterReboot inf section was non- empty.

109.609: In Function SetVolatileFlag, line 11576, RegOpenKeyEx failed with

error 0x2

109.609: In Function SetVolatileFlag, line 11593, RegOpenKeyEx failed with

error 0x2

109.609: UpdateSpUpdSvcInf: Source

[ProcessesToRunAfterReboot.RebootNotRequired] section is empty; nothing to do.

751.656: RebootNecessary = 1,WizardInput = 0 , DontReboot = 1, ForceRestart

= 0

Solutions

1. Install the client apps Outlook deployment

2. Correct the reg path to point to the proper location

Safely ignore the error and verify SP1 did install properly by a) All

successes in the setup.log, b) The registry value states

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer]\

ServicePackNumber=dword:00000001

Issue - Store.exe memory consumption alerts

Problem Description

After the SBS 2003 SP1 installation, you still receive the memory

Allocation alert to indicate that store.exe is using an abnormal amount of memory. This is actually the same issue described here:

867628 Monitoring programs report that the Store.exe process consumes

http://support.microsoft.com/?kbid=867628  

Analysis

The problem is that the SBS Sp1 package is not disabling the alert as

expected. So, when a customer goes through the process of installing Exchange SP1 as a requirement for SBS SP1, it will start triggering these errors that are not taken care by the SBS SP1.

Resolution

· In the SBS SP1 scenario, you can also re-run the Configure Monitoring

Wizard and it will also disable the store alert. Note that you need to choose 'Reinstall Monitoring features' when running MCW.

· Or disable the alert manually from the Health Monitoring page.

Issue - The MSSQL$SHAREPOINT service fails to start after the installation

of SBS 2003 SP1

Problem Description

Small Business Server 2003\SharePoint not working after installing the SP1

(CD1 only: Windows SP1, SharePointAP1, Exchange 2003SP1), MSSQL$SHAREPOINT service fail to start.

Following information is in the mssql$sharepoint error.log file:

Starting up database 'master'.

Database 'master' has invalid schema.

Run the following command:

C:\Program Files\Microsoft SQL Server SP4\WMSDE>setup /upgradesp SqlRun

DISABLENETWORKPROTOCOLS=1

DISABLEAGENTSTARTUP=1 DISABLETHROTTLE=1 BLANKSAPWD=1

INSTANCENAME=Sharepoint REINSTALL=ALL

REINSTALLMODE=VEMUS /L*v "C:\Program Files\Microsoft Integration\Windows

Small Business Server 2003

\Logs\Sharepoint_MSDE2.Log" REBOOT=ReallySuppress /qn

MSSQL$SHAREPOINT is still not running. Even you manually try to start

it, it will stop without obvious error logged. And you will end up failing to access http://companyweb, and failing to connect to the configuration

database.

When you try to view the properties of sts_config db in SQL enterprise mgr,

you will probably get an 'invalid schema' error as listed below:

 Microsoft SQL-DMO (ODBC SQLState: 42000)

 Error 954: Database 'STS_Contents' has invalid schema.

 Microsoft SQL-DMO (ODBC SQLState: 42000)

 Error 954: Database 'STS_Config' has invalid schema.

Resolution

1. Detach the companyweb databases from the WMSDE Sharepoint instance and

attach them to the Default SQL 2000 instance.

2. Point the companyweb site to the Default SQL 2000 instance for the

Config and content databases.

3. Restart the MSSQLServer service.

Windows 2000 sp4 update 1 re-released today

** Please note... the “high priority, non security update“ is the re-release of the Windows 2000 sp4 update 1 with a V2 version.  That's an important release so if you thought you had it easy today with no patch testing... for you Win2k folks... guess again**

New Bulletins
Microsoft is not releasing any new Security Bulletins in September 2005.

Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Server Update Services
(WSUS), Windows Update (WU) and the Download Center. Note that this tool
will NOT be distributed using Software Update Services (SUS).
Information on the Microsoft Windows Malicious Software Removal Tool can
be located here:
http://go.microsoft.com/fwlink/?LinkId=40573

High-Priority Non-Security Updates on Microsoft Update (MU), Windows
Update (WU), Windows Server Update Services (WSUS) and Software Update
Services (SUS)
Microsoft is today also making the following High-Priority NON-SECURITY
updates available on WU, MU, SUS and WSUS:

KB NUMBER TITLE Available via:
KB891861 Update Rollup 1 for Windows 2000 SP4 and known issues
WU, MU, SUS and WSUS

Microsoft will host a webcast to address customer questions on these
bulletins. For more information on this webcast please see below:

Information about Microsoft's September Security Bulletins

Wednesday, 14 September 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

The on-demand version of the webcast will be available 24 hours after
the live webcast at this link:

Thank you,
Microsoft PSS Security Team

But Steve, you don't understand, I'm not small business... I'm just a Little Enterprise

You know... I really shouldn't draw any conclusions when Vista is still in beta, certainly not even to the point of shrinkwrap or anything, but sometimes, Steve [Mr. Ballmer] you make it such an easy target because of the rumors and leaks and messages that don't get communicated well.

Again, referring to article, it says “the Enterprise Edition“ - “Optimized for the enterprise, this version will be a true superset of Windows Vista Pro Edition. It will also include unique features such as Virtual PC, the multi-language user interface (MUI), and the Secure Startup/full volume encryption security technologies ("Cornerstone"). There is no analogous XP version for this product. This version is aimed at business decision makers, IT managers and decision makers, and information workers/general business users. Enterprise Edition will be offered exclusively through Software Assurance.

The marketing message: Enterprise Edition provides an advanced application compatibility solution that will be crucial to many large business users, can be deployed to multiple language locales using a single image, and provides Secure Startup functionality for the ultimate in security on the go. It is the client OS that is optimized for the enterprise. Enterprise Edition reduces IT cost and complexity by providing tools that protect company data, reduce the number of required disk images, and ensure the compatibility of legacy applications.”

You know... why can't Vendors get it that even small businesses need to be run like Enterprises.. and why can't folks like Steve get it that it's a heck of a lot easier to get small businesses on the security bandwagon sometimes.  I'm not saying that all small businesses are like me, but in my firm, you don't have to go through forty million committees to get an Executive buy off.  You just convince me.  Just me.  Once you convince me, the rest of my firm comes along for the ride.

I mean ... I may be little...but that just means I'm a “Little Enterprise”.  Don't I have company data to protect just like big firms?  Don't I have just as many legacy applications that I have to ensure are compatible [which reminds me I gotta go see if Vista Beta and Quickbooks play nice...]  I mean you haven't seen legacy apps until you come into some of the farming communities that are using customized Grain programs. 

Sir, I don't need games but I do need application compatibility and security. 

But I'm little.

Just don't forget me, okay?

I mean I guess they have to have something that makes Software Assurance valuable and since I already have SA on SBS, I 'think' when I'd be getting new software I can add SA on the individual units that I purchase within 90 days of buying OEM software [at least I think I could?].   So I think I might still be able to get this for those machines I might want this version on..... but I think it's going to take another aspirin for sure.

Oooh we got updates in our release notes

Readme for Premium got updated for these:

Release notes got updated for the first message....

Readme for Standard got updated

I'm 'outting' myself

At SMBNation, Dana outted me in front of the conference attendees and said he was going to post on his blog about it, but since he seems to be busy recovering from the Dilbert [which is very funny], I'll out myself.

My laptop is lazy.

Okay... I'm lazy.

It's running as an admin.  Yup you heard it here. My tablet PC which has hung off of wireless networks from the underbellies of the Internet in the Bellagio to hanging recently off of the probably even more infectious wireless access in the Microsoft Executive briefing center is an admin.

And it is because I'm a lazy bone to reload Thunderbird to get it to work like it should because I forgot and didn't install it under the admin profile, but under the Susan one.

And what can happen when I'm an Admin.

Tons.

At SMBnation a couple of folk were saying that they were still getting malware and they were installing the networks without admin rights...but when I questioned them more, what was happening was the really WERE running as Admin.  You see they were using Power user rights.

Yo folks.  You might as well run as Admin.  You really and truly don't gain much at all running with Power user rights.

But wait you say... I can't patch my machines for software updates.  Yes you can.  Shavlik will do it, you apply Admin credentials remotely for one.  WSUS *and* Microsoft update will both do it.  Set up the machines to patch at some ungodly hour automagically and tell the folks to leave their computers on. 

Now Vista is supposed to nicely temporarily save the stuff you stupidly left open on that computer and restart it for you.

Okay, okay I'm trying to distract you from the original topic.

Which is I'm introducing risk because I'M LAZY.

Okay Dana, before the MVP summit... so I don't get outted by Steve.... I'll be non-admin.

P.S.  want to know if someone is running as admin?  Click on the time/date in the corner.  If you can change it....you are an admin.

Dear Mr. Ballmer - make the message clear

I'm not a marketing major or anything, but in reading the page about the upcoming versions of Microsoft Vista, can I just ask a favor of you?

Apparenly you have taken a page out of the US Government's House Ways and Means Committee and their never ending quest for Tax Simplification.  Those of us in the beancounter industry refer to these actions to 'simplify' as “Full Employment Acts for Accountants”.

We have in the umpteen versions of Vista - the “Small Business Edition”. Oh gawd, says I.  Includes the following unique features “Backup and Shadow copy support”.  Uh our server does that.  Castle and Server Join networking. Okay Castle is peer... if “Server Join” isn't the same thing as fully supported domain active directory full glue.... ala Small Business Server..... so help me ...

Okay so I probably shouldn't rant before having all the facts but I'm come on Mr. Ballmer...you are making it harder for us in the marketplace of Small Businesses called Small Business Server with XP Homes, this version BETTER glue and glue good to SBS boxes otherwise it should not use the name “Small Business edition”.

Don't ship anything... not Microsoft Small Business Accounting 2006, not anything that isn't fully supported without issues on a SBS box if you use the words “Small Business” in the name.

Just once I'd love it if your computer wasn't set up by Ron Markezich but instead you walked into Best Buy with a hat on your head or something so folks wouldn't recognize you and you go try to buy a computer and set it up yourself.

We already get headaches now with licensing.... don't add more.  Please.

Office, Sharepoint and Glue

From the mailbag today comes the question.... 

There's a really good whitepaper that addresses this:

·         File Save Integration – Microsoft Office 2000 provides basic integration with Windows SharePoint Services. Users can open and save files stored on SharePoint sites from their Office 2000 applications and receive alerts in Microsoft Outlook® 2000.

·         Basic Data Integration – Microsoft Office XP provides additional data integration between SharePoint sites and Microsoft Office, so users can export list data to Microsoft Excel 2002 and view properties and metadata for files stored on SharePoint sites.

·         Contextual Integration – Microsoft Office 2003 Editions add rich contextual integration between Microsoft Office and Windows SharePoint Services, integrating SharePoint fully into the business tasks that users perform every day.

Looking for even MORE Small Biz based blogs?

While the SMBnation was underway, another Blogging community opened up... the TS2 blog community.

I mentioned that I had seen that it had opened up during the Conference, but forgot to blog about it until now.

Cool!

A Picture is worth a 1,000 words

Visio.

Use Visio.  Show multiple harddrives when talking about RAID, and showcase the network to the owner that way too.  Use Visio in documenting the network to help the business owner understand what he or she bought from you and how it is meeting the business needs he hired you to fix.

Quoteworks for preparing quotes..

Standardization regarding deployments and Curtis said the Microsoft partner site is starting to have more good content to help you in this.

Curtis talked about Kaseya for monitoring for the managed plan model, but I'm not sure how SBSized the pricing is as the Chris sitting next to me said it was about $50,000.  I'll have to check on that, as I'm impressed with the fact that in their web site they give exact ports.

http://www.kaseya.com/sup1/min_requirements.phtml

Pricing folks... Vendors that want to play in the SBS space need Consulting pricing.  There are a TON of vendors that just don't get that.

Another Blogger at SMBnation

I forgot another blogger at SMBnation!

Eriq!

Growing a business

Arlin Sorenson at SMBnation is talking about growing your business via growing relationships and building business relationships with customers. 

Listen to your customer.  Understand that you are not selling techology and products, but rather fufilling a business need.  What value, what business pain point are you solving?

For SBS, the way you sell “the server”, is not “the server”, but rather to fix the pain points.

So when's the last time you “listened” to your customer?

Be careful what you ask for

Charlie Anthe was asked in the presentation earlier “when will SBS 2003 support restricted user on the desktops”

... uh... folks.. it does.  Not by 'default“, but you CAN flip those users to restricted user mode.  It's up to you to make the choice, move the mountain, hack the registry hives and make the changes.

Making the user a Power user is NOT good enough. I guarantee you, you will still get malware.  But like I told a person once, I cannot, I will not push SBSland, nor Charlie, into forcing us to 'default' restricted user until we have better, blonder tools than filemon and regmon from Sysinternals.com to figure out what the persmissions need to be changed on crappy applications that faile to work under restricted user.

Remember the web site of www.threatcode.com

You make Charlie move that desktop to 'default' restricted user and you'll see how many crappy line of business applications you have and how hard it is to wack the registry.  I won't ask him to do that.  We're not ready yet. Until then YOU make the decision to do this the right way, not Microsoft.  Our applications are not ready for this, not enough of them.  And until they are, I can't ask Charlie to do that.

Looking for more blog posts about SMBNation

Vlad's blog

HappyFunBoy's blog

Anne Stanton

DHCP issues and SBS 2003 sp1

Raymond talks about an issue he found running the CEICW and DHCP

In case you run across it, it has to do with a second IP address bound to the nics.  The CEICW does not like it one bit.

Giving feedback

One of the things that has come out of SMBnation is how essential feedback is.  If you are in the partner program, and you aren't happy with what benefits you get, what technical support you get, if you walk away and don't say what you like and what you don't like, you are doing YOURSELF a disservice. 

Things only get better when we give feedback. 

Conversely....if you don't take the time or effort to go to the partner web site and click on support and review the resources you have.... boy am I going to take my 2x4 at you guys [which yes, I did bring with me to SMBnation].

While it's your responsibility to ensure you yell when you don't like something, it's also your responsibility to take the time to understand yoru resources.

Server business down, pre-sales support, managed newsgroup, if you don't understand and take the time to utilitize what you have, you are only hurting yourself.

Having issues with the Verizon aircard and Remote Web workplace?

Having issues with Verizon aircards and RWW? 

It turns out Verizon installs a small add-on compression program to help
speed up PC connections with this card - that is NOT mentioned in the
software/driver installation script.  It screws up RWW and when you find it
(verion.exe, or something like that) and remove it (there is no option to
NOT install it) it resolves the problem and the customers now have a great
remote RWW solution back to their SBS box.

Revised - no new Security patches next Tuesday

********************************************************************
Title: REVISED: September 2005 Microsoft Security Response Center
       Bulletin Notification
Issued: September 9, 2005
********************************************************************

Summary
=======
Microsoft will not issue any new security updates on 13 September 
2005 as part of the September monthly bulletin release cycle. Based 
on customer feedback, Microsoft instituted a monthly security update 
release process on the second Tuesday of each month to provide 
customers with security guidance and updates on a predictable and 
manageable schedule. This update release process involves a 
significant testing focus to help ensure customers will receive 
updates that are of a high quality and Microsoft will not release an 
update until it meets those standards.  Occasionally, the testing 
process and our strict focus on quality can result in a month where 
no security updates are released, as is the case for 13 September 
2005.

In addition, to help customers prioritize monthly security updates 
with any non-security updates released on Microsoft Update, Windows 
Update, Windows Server Update Services and Software Update Services 
on the same day as the monthly security bulletins, we also provide:

 - Information about the release of updated versions of the 
Microsoft Windows Malicious Software Removal Tool.
 - Information about the release of NON-SECURITY, High Priority 
updates on Microsoft Update (MU), Windows Update (WU), Windows 
Server Update Services (WSUS) and Software Update Services (SUS). 
Note that this information will pertain ONLY to updates on Windows 
Update and only about High Priority, non-security updates being 
released on the same day as security updates. Information will NOT 
be provided about Non-security updates released on other days.

On 13 September 2005 Microsoft is planning to release:

Security Updates

 - No new security updates on 13 September as part of the September 
monthly bulletin release cycle. This represents a change in the 
information found in the Advance Notification on Thursday, September 
8, 2005. Late in the testing process, Microsoft encountered a 
quality issue that necessitated the update to go through additional 
testing and development before it is released. Microsoft is 
committed to only releasing high quality updates that fix the 
issue(s) in question, and therefore we feel it is in the best 
interest of our customers to not release this update until it 
undergoes further testing.

Microsoft Windows Malicious Software Removal Tool

 - Microsoft will release an updated version of the Microsoft 
Windows Malicious Software Removal Tool on Windows Update, Microsoft 
Update, Windows Server Update Services and the Download Center. 
Note that this tool will NOT be distributed using Software Update 
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
 - Microsoft will release one NON-SECURITY High-Priority Updates for 
Windows on Microsoft Update (MU), Windows Update (WU), Windows 
Server Update Services (WSUS) and Software Update Services (SUS).

Microsoft will still host a webcast next week to address customer 
questions. For more information on this webcast please see below:
 - TechNet Webcast: Information about Microsoft's September Security 
Bulletins (Level 100)   
 - Wednesday, 14 September 11:00 AM (GMT-08:00) Pacific Time (US & 
Canada) 
 - 
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1
032279532&EventCategory;=4&culture;=en-US&CountryCode;=US

Public Folders versus Sharepoint

A question came from the audience about the plans for Public Folders being phased out in favor of Sharepoint.

This came out from a TechEd presentation. 

Should you be concerned..... no I don't think so ... we have plenty of time... besides... Public folder infrastructure has always been a bit sucky anyway.

Sharepoint is the future folks.  And if you aren't playing with it?  Man you should.  I'll be honest with you we're just now starting to roll out Sharepoint to be our data storage for Litigation consulting documents in my office.

If you aren't looking, learning, looking at Sharepoint... man you should.

Do you?

I was talking with a fellow SBSer about how he runs their business and he said that every morning he checks a console for the uptime of all the servers that he monitors in his company.  And I asked him, “Are you charging for that?” and he said... no.

Well why not?

Everyone of you that does any kind of making sure your clients are still okay, still making sure everything is working.... it's a service that you should be charging to your clients.

Watch out Blackberry, here comes Windows Mobile

Oh, Mr. Blackberry owner, boy are you guys going to not have a reason to buy Blackberries in SBSland any more.  Exchange 2003 sp2 will have a feature pack that not only will have security features like remote wipe, but also will flip the phone to a push technology like Blackberries are.

This will be shipped in about the Octoberish time frame. 

So remind me again why in the world you want a blackberry when you can have either the Siemans or the Audiovox doing the same functionality, [if not more features], way less cost.

There's a “WOW: factor that people buy things, but at the end of the day.. why in the world would you pick anything else but Windows Mobile, when you have to buy a Blackberry Enterprise server for $1,600.

And Nathan... if you look at my blog you can see that other than me being blonde..... setting up the smart phone was more blocked by ME.  In fact when we purchased the SECOND smart phone for the office it took me less than 2 minutes to set up the second phone on the network.

Use the wizard, read the blog, and you'll see setting up  

Are you selling solutions rather than technology?

I know I'm preaching to the choir, but are you selling 'solutions' and not technology?  Elyn Yao is talking about a Go To Market push for “First Server, Right Server GTM”

Many small firms do not have servers.  As Elyn rightfully points out, many small businesses don't even understand what a server is.  I had to explain what a server was in terms of a “Dagwood sandwich” when I was in Chicago.

Christopher Goebel reminded that if you are a partner, you can get marketing resources at MSPartnerDirect.

Breakfast at SMBnation

Friday morning, wireless in the McKinley room at the Executive Center and we're eating breakfast.  First up is the Steve Gugginheimer [I'm sure I spelled the name wrong on his name] 

Here at the geek table with Chris....who I know via blogs.... and I'm sitting here going you know ... I should probably know this guy ...but since I'm not yet awake didn't realize THE “HappyFunBoy” was sitting next to me.

Duh!  Off to the Kodiak room!

The word from Harry and SMBNation

Please visit our Web site: www.smbnation.com and use it as the primary source for conference information, etc. This is where you’ll find the agenda and schedule J

FYI – the buses start leaving the Marriott Town Center Hotel at 7AM for the Microsoft Conference Center (keynote at 9AM).

Pre-Registration/Check in

One critical security patch next week

********************************************************************
Title: September 2005 Microsoft Security Response Center Bulletin
	Notification
Issued: September 8, 2005
********************************************************************

Summary
=======
As part of the monthly security bulletin release cycle, Microsoft 
provides advance notification to our customers on the number of new 
security updates being released, the products affected, the 
aggregate maximum severity and information about detection tools 
relevant to the update. This is intended to help our customers plan 
for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates 
with any non-security updates released on Microsoft Update, Windows 
Update, Windows Server Update Services and Software Update Services 
on the same day as the monthly security bulletins, we also provide:
 - Information about the release of updated versions of the 
   Microsoft Windows Malicious Software Removal Tool.
 - Information about the release of NON-SECURITY, High Priority 
   updates on Microsoft Update (MU), Windows Update (WU), Windows 
   Server Update Services (WSUS) and Software Update Services (SUS). 
   Note that this information will pertain ONLY to updates on Windows
   Update and only about High Priority, non-security updates being 
   released on the same day as security updates. Information will NOT
   be provided about Non-security updates released on other days.

On 13 September 2005 Microsoft is planning to release:

Security Updates
 - One Microsoft Security Bulletin affecting Microsoft Windows. The 
highest Maximum Severity rating for this is critical. These updates 
may require a restart. These updates will be detectable using the 
Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool
 - Microsoft will release an updated version of the Microsoft 
Windows Malicious Software Removal Tool on Windows Update, Microsoft 
Update, Windows Server Update Services and the Download Center. 

Note that this tool will NOT be distributed using Software Update 
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
 - Microsoft will release one NON-SECURITY High-Priority Updates for 
Windows on Microsoft Update (MU), Windows Update (WU), Windows 
Server Update Services (WSUS) and Software Update Services (SUS).

Although we do not anticipate any changes, the number of bulletins, 
products affected, restart information and severities are subject to 
change until released. 

Microsoft will host a webcast next week to address customer 
questions on these bulletins. For more information on this webcast 
please see below:
 - TechNet Webcast: Information about Microsoft's [MONTH] Security 
Bulletins (Level 100)   
 - Wednesday, 14 September 11:00 AM (GMT-08:00) Pacific Time (US & 
Canada) 
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1
032279532&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as 
details regarding severity or details regarding the vulnerability 
will be made available until 13 September 2005.
********************************************************************

Support: 
========
Technical support is available from Microsoft Product Support 
Services at 1-866-PC SAFETY (1-866-727-2338). There is no 
charge for support calls associated with security updates. 
International customers can get support from their local Microsoft 
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
 
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

  http://www.microsoft.com/technet/security/secnews/default.mspx

* Protect your PC: Microsoft has provided information on how you 
  can help protect your PC at the following locations: 

  http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a 
  Microsoft security update, it is a hoax that may be distributing a 
  virus. Microsoft does not distribute security updates via e-mail. 
  You can learn more about Microsoft's software distribution 
  policies here: 

http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

Forgot to attach your attachment?

Oh Jeremy..that is just too cool!

So do you remember to attach your attachments?

Jeremy does and so do his users.

ISA for the geeks

I personally think there are two ISA camps out here.

Camp A is the Var/Vap camp

Camp B is the uber geeky network admin/CTO/chief bottlewasher camp.

Me and Jeremy are in Camp B.  And Jeremy points to a bit of 'ease' for his end users that he did to help them with the Remote Web Workplace experience.

Very Cool Jeremy!

I think ISA is very cool, but I also think you have to be a bit geeky to run it and it's not for the SBSers who have never admin'd any kind of network before do it youself crowd.  I think you have to be a bit geeky to run it.  What do you think?

Learn another thing new from reviewing the SBS Unleashed book

I've been reviewing SBS Unleashed and here's another thing that I went.. Oh... I didn't know that...about.  I mean I knew it...but I didn't, or didn't take the time to understand how to do it.

Montoring.  I have a member server and I'd like to add it's event viewer gunk to the monitoring email of my box.

I think I can do this.

How to create and configure performance alerts in Windows Server 2003:
http://support.microsoft.com/?kbid=324752

I just need to add a counter for the 'other' computer.

To monitor counters from the computer on which the Performance Logs and Alerts service runs, click Use local computer counters. Or, to monitor counters from a specific computer regardless of where the service is run, click Select counters from computer, and then specify the name of the computer you want to monitor.

Oh this is gonna be soooo kewl.  Keeping in mind that I tend to overwhelm my in box a bit until I figure out the right way to set up the counter.

To me security is totally related to monitoring.  You can have all the security in the world, but if you are not monitoring your network, you don't have security.

BTW you can now preorder the SBS Unleashed book.

We catch up with Sam the SBS server

Hi Sam!  Been awhile, how are things going?

Uh fine... excuse me can you pass that stack of brochures?

Uh sure.  Man you look a bit busy here, what's up?

I'm getting ready for the SBS community coming to see me at SMBnation. 

Oh wow, you mean all the people that install you and watch out for you?  Your fans?

Yup all of those folks and more.  We're really looking forward to having over 500 folks come up and see where I was born, see my baby pictures, meet the folks that raised me and care for me all over the world.

Oh wow, cool.  That's a lot of folks.

Well, not everyone who watches out for me all over the world are here, just a sample of folks, but we do have some coming all the way from Charlotte, North Carolina.

Oh wow.

Yeah, that's Marie McFadden, she's really cool and is from Mothership Charlotte.

Who else will be there?

Well folks like Steve Guggenheimer.

Who's that?

He's a VP dude in charge of Small Business at Microsoft, he's giving the keynote on day one, then Jeremy Moskowitz on Group policy, Scott Colson on CRM, Level Platforms is going to talk about Managed services.

Oh wow.

And Amy Luby, that's Chad Gross's partner will be there talking about managed services along with Carlson, and then, a bunch of the folks that raised me will be in one room giving a presentation.

Who are those folks?

Tracy Daugherty, Elyn Yao, Winni Verhoef just to name a few.

Wow you got some heavy hitters in that room don't you?

THEN, we'll talk about my brand spanking new community.

What community is that?

It's the Small Business Specialist community designed for folks to showcase how they specialize in me AND with small businesses.

Oh that's very cool.

No kidding.

So whom else will be presenting?

Jeff Middleton will be talking on how to migrate to me, and then a really cool guy from the UK who is really helping to grow the community over there is going to talk, Robbie Upcroft.  I can hardly wait to meet him.

Wow.

Oh THEN, we're going to talk about the new baby in the family.... see... we didn't want to announce it before this, but we're expecting.

Expecting?

Yeah, expecting a new version of the SBS called the R2 version and Charlie Anthe and Tracy and Winni are going to talk about that and the new one after that Cougar.

Gee, no wonder you are excited.

I could go on and on, but it's really shaping up to be a fun conference.

I can see.  Well, you look like you are putting the finishing touches on things, I'd better let you go.

Thanks and just tell everyone I can't WAIT until they get here.

Thanks, Sam!

This is a SBS Community news alert

This is a SBS Community news alert.

Please be alerted that SBSers are in transit and that typically means that BSOD's, APC software or any number of things could happen.

Please be advised that this warning alert will remain in effect for the next 24 hours until every SBSer in transit will arrive in Redmond at which time things should be back to normal.

There's a running joke about when a bunch of SBSers are going anywhere ... something happens.  Here's to everyone having safe journeys and quiet networks.

If your WSUS isn't WSUS'ing

A client computer cannot receive new updates from a Windows Server 2003 Service Pack 1-based WSUS server:
http://support.microsoft.com/?kbid=905422

Get Ouch!

Need a resource to give information to your clients about Security and Phishing and Life on the Internet?

Get OUCH!  It's the SANS newsletter aimed for non technical computer users:

OUCH! is SANS e-letter aimed at helping you protect your non-technical computer users form phishing and other malicious attacks on their computers.  Among this months' warnings are Katrina Hurricane Scams, new PayPal and banking phishing and several more.

The September issue of OUCH! is now delivered in an easier-to-read format that you can pick up at
http://www.sans.org/newsletters/ouch/issue/20050906.php

All previous issues of Ouch! may be found online at
http://www.sans.org/newsletters/ouch/

You have lots of options:
  -- You may copy it to your computers and email it to your users.
  -- You may tell your users to read it at the SANS site.
  -- You may post it at your site for faster delivery to your users.
  -- You may use selected parts if you don't want to send or post the whole thing.

If you have a moment, please let us know how you use OUCH! by emailing
ouch@sans.org.

Deploying ISA client and other info for those ISAers

If you are a SBSer who is an ISAer as well, here is the info you will need to deploy ISA 2004:

• Chad Gross' Group Policy Deployment of ISA
• Amy Babinchek's Getting the Firewall client to autodetect
• The official premium instructions how to
• Throttling the memory use of the MSDE instance used by ISA

A few other items to keep in mind:

If you installed ISA 2000 previously, you need to make a few adjustments.

• Set the tcp/ip per client correctly.

After that.....

Sign up for Tristan's blog and Amy's blog!

<score one to MSNSearch over Google for finding Tristan's blog faster/better than Google did.  Nothin like having two search tool bars on your web browser>

When USBs work they work...when they don't....

One of my tasks is to get data from 'there' to 'here' inside of our network.  So on a regular basis I'm copying cdroms, usbthumb drives, to the point where the other day when I was handed data on a floppy disk I sort of sat there for a moment as my brain wrapped itself around the idea of data small enough to fit on a floppy disk.  Wow.  They can fit that on one disk?

So now I'm fighting with a Maxtor OneTouchII that someone brought in that when I first stuck it in the USB connector of my workstation it found it and 'woke up' and assigned a drive letter.  But then it reported that the drive wasn't formatted so I stuck in the Maxtor software driver cdrom.  Well that was a mistake as now I have an 'unknown device', and it won't wake back up and assign it a drive letter.

And, of course, I uninstalled the Maxtor software but OF COURSE it's still all over the stupid registry. 

Why is it that USB's either work the first time... or they screw up and drive you to drink?

So ...Maxtor.... and all you other softwares out there...when I say “uninstall” can you PLEASE uninstall?

Who can protect us from clicking?

I was earlier arguing with fellow MVP [aka the Naked one] Nick about what responsibility we have for end users.  He had a situation where folks were surfing for music lyrics and surfing and clicking and Aurora gunk was downloading right behind it.  He wanted it stopped [and rightly so].  But here's the problem I see.

Spyware is big business today.

Worms and viruses are mere conduits for getting spyware on the box.  When vulnerabilities go for $20,000 a pop, when virus/spyware writers are making six figures in a year, that's the reality of the world we live in.

Yet I still get beancounters that don't care that Quickbooks demands that they run their systems insecurely. 

It's we...the marketplace out here that has to care.  All of these software vendors are in business and they will only push security to the point at which the marketplace cares.

Right now my beancounter crowd as NO CLUE of what local admin rights are even about. 

We have to get 'us' the marketplace to care.  To push.  To say to everyone, I'm sorry you cannot code like that anymore.  I cannot run my machine like that.  You have to protect me better.

XP sp2 cannot do it.  Not by default.  They will not put resources into it.  Vista is the name of the game, Nick.

But it's us, now, that need to get our vendors on board.  They are the ones that are going to drag us down, not Microsoft.

Remember you cannot build on security afterwards, it has to be designed into the product.  We have to think about it ourselves first.

SCW, Exchange Best practices,  the XP shared computer toolkitl.   All of these are tools we have to help us.  In the home space the best tools are still Dropmyrights and not running as Admin.

“But I can't!“ We say, “my vendors won't let me!“.  So complain.  Get them to take action.  To stop setting your risk analysis. 

I mean when you get in a car, you buckle your seatbelt right?  You take precautions.  You got trained.  Where do we do ANY training whatsoever on our computers?  Even in my own office, I cannot depend on the end user understanding enough.  But maybe they should?  Maybe, just like with a car, there should be more training so that they can operate it safely?

SMBnation and transportation

From a comment in the blog from Charlie Anthe which reminds me of how you get to the transportation area of SeaTac and then on to SMBnation.

You go up to go down. 

Ah, yes now I remember, as I had to wrangle my suitcase up and back down the escalator that ends up being a bit top heavy and it ends up falling over in the process and I end up dragging it off and out of the way.

So to review... when coming from “normal” places you'll probably take a transport train to get to the terminal, if you are like me on the direct flight on Horizon, you'll be right in the main terminal.  From there head to baggage where invaribly you end up [at least in the Horizon baggage claim anyway] standing in front of the wrong baggage claim and your bag is on the other side getting seasick from circling so much.

But Charlie?  If you think the transportation is bad... you haven't come to Fresno, have you?  I had a couple of people travel to Fresno, take a taxi to my office because we're so close.  When we went to call a cab to return to the airport, every agency we called said it would be a 20 minute wait.  You could walk to the airport in about 2 minutes or less, but for a cab, it takes 20 minutes?  Because they had equipment and large bags I couldnt' take them back in my car so I ended up driving over to the airport, parking, grabbing a cab, taking it back the 1 minute drive to my office, and then going over to the airport and back.

Apparently we'll let travelers into Fresno, but they aren't allowed back out?

Dad, the arm and an Emergency room

So how did you spend the last hours of the Labor Day weekend?  I spent mine with my Dad getting his arm put in a sling.  He's fine.  We get to say I told you so, and don't get on ladders for the next few weeks as his left arm broken bone heals.  But you know me, in my usual geek blog way, I'm thinking technology as we wait for the xrays and doctors.  I mean what else can you do ....and I do have a one track mind.

For tonight we got to sit in the new Emergency room, in the new addition to the Hospital, merely a few months old, and I was seeing what had changed since they moved to the new facility.

Physical Security.

This has to be the biggest change.  Big bulletproof windows in front of the Triage areas.  A door that you have to be buzzed through.  And on the other side, once you exit the Emergency room on the other side to get an Xray, the only way back into the Emergency room is to have a nurse, doctor or attendant wand their badge through to open up the doors.  Side doors into the hospital hallways are marked on public entrances.  Public Entrances are clearly marked.  Thus ensuring that there is strict entrances and exits for patients.  Obviously major security features put in place in this section.

Patient Records.

And this has to be the item least changed.  Paper.  Binders.  They are still using mulitpart paper forms for just about everything.  While computers are used for the medical billing, a very Dos-ish looking program, running on small form factor computers [Operating System that I couldn't tell], with flat screen monitors.  They even had computer terminals out in the hallway of the ER.  This is one area where the Hipaa requirement that indicates you need to protect ePHI is balanced with the Emergency need.  I didn't see any of the computers used in the ER have password protected screensavers, nor were they unused long enough to 'kick in'  if they did. Looks to me that they didn't change a thing when they moved in this area.

And maybe that's a good thing.  For with dealing with all the changes of a new physical location, maybe you don't want to do ANY changes to the technology side of the world.  Especially not in health care like this.  Change is ...well... it's change.  And it takes training and retraining of the mind to get used to change.

But Dad is just fine.  He, well he has a bit of a change.  A cast.. for the next six weeks.

Clothes..... clothes would be good...

So whenever someone goes to Mothership Redmond for the first time they ask “So, what should I wear?” and I tell them what is the joke [but more like the reality] of what is the Microsoft Dress Code.

Clothes, clothes are good. Make sure you cover the appropriate parts.

Seriously, this is totally business casual.  Which means the following:

• Polo shirt with a corporate logo = Business Suit
• Poto shirt with a Microsoft logo = You are a geek
• Button down shirt with a Microsoft logo = Even more of a geek
• Small Business Specialist Shirt = well if it ships in time... I'll be wearing MINE too!

But if you are interested... the Jobs blog talks about the official one here.

Blowing through the myths

September 8th there will be a webcast to blow through the cobwebs.

Attend this session to learn why Small Business Server is perfect for any large business under 75 users.  This session will debunk some of the common myths regarding the reliability and scalability of Small Business Server environments.  We will also discuss scenarios on how to use Small Business Server 2003 for the most complex server workloads such as multi-server environments, line of business applications, and Terminal Services.

Haven't we been saying that for YEARS?

Score one for Google

There's one searching tool that I still need from Google.

Google Groups.

Hands down the best resource I have for the core SBS stuff is on the msnews.com newservers... microsoft.public.windows.server.sbs.  Home base for SBS community central.  And when I need to find something I'll go to Advanced Google Groups search and narrow my search there.  I still remember when SBS first launched and microsoft.public.windows.server.sbs was technically a beta group... we sent emails like CRAZY to Google to get them to include that newsgroup in their search engine.

MSNSearch?  How about you guys putting a search engine in the toolbar to search your own company's newsgroups 'eh?  I don't want to search from a web interface to the newsgroups, I want it from the Search toolbar. 

Usenet isn't dead yet you know and there's still a lot of good content there that is captured and contained no other place on the web.

Top ranked antivirus is?

So I'm doing some googling.... ummm.. I mean MSN Searching [note to the MSN Search folks...next time you name a product think of the potential for making the name of a product into a noun, verb or adjective  that ends up in the fabric of our language and name it accordingly].... on antivirus information to include in the chapter I'm writing on Desktop Security for SBS Unleashed and I come across a web site that has rankings of Antivirus products.

Does anyone else besides me find it funny that the antivirus software highest ranked is one for Macintosh?  I mean if you read the reports, Macintosh's that due to their reliance on and separation of Root/Admin from regular user has more built in protection mechanisms. 

I mean shouldn't a top ranked antivirus be one on Windows where all the viruses are? 

Maybe that's why it's ranked so high?  It doesn't have to work so hard? 

I still think [and am writing about it in the book] that we are way too re-active to viruses and not pro-active.  That means nly allowing in those attachments that you absolutely need for business.  Quarantine those attachments that are marginal.  And make sure you monitor and adjust and make changes when needed to what you accept, and what you don't accept as acceptable risks to your firm.

A bit of robustness

Okay so at home here I have a Linksys router that also has a wireless ability in it, but because my real DSL router broke a bit ago I shoved it in there as a temporary router .... oh... a couple of months ago.  Being the lazybone that I am I haven't gotten around to reconfiguring the wireless.  I turned off the DHCP on that router because I want my SBS to be the DHCP'er. 

So I have my new workstation that I have yet to migrate to set up with a static IP on that same router.  And on that standalone workstation is a vmware of a SBS box... so get this ...the IP address of the static workstation is 192.168.1.3 so it can talk to the router of 192.168.1.1.  My “real” SBS is at the default of 192.168.16.2 and the VMWare SBS is also 192.168.16.2.  Now in the past, I've had to manually assign this laptop a static wireless IP address and enter in Pacbell's dns info.  So imagine my surprise that when I turned this laptop on, turned on the wireless button to enable wireless, that the machine it picked up an IP address and was able to connect to the Internet.

It's hanging off that VMware SBS that is somehow tunneling back to the Linksys wireless to hand out IP addresses.  I am sitting here scratching my head wondering what insecurity I just set up with whatever tunneling I set up between the 'real' workstation and the VMware SBS box.  I will say though, it's not the most robust connection as every now and then it drops the connection.

I'm still scratching my head as to exactly what I've done to get it from the Pacbell to the Linksys/router/wireless where the DHCP is turned off to the standalone workstation to the vmware running an SBS box who is clearly the device giving me my IP address.  Fortunately I do have WPA set up on the router so it's not like I'm broadcasting to the neighborhood, I just can't figure out how a vmware can be powering this connection when it clearly is.

Speaking of robust... you heard about what Microsoft did to help the Red Cross with their donation servers that were straining under the weight of hits?  They've stepped up and are hosting it on MSN servers to help offload the load.

There's that Evil Empire at work again....

By the way.. donate, give blood... it doesn't feel like I'm doing enough... but at least it's something.

Something new

Okay I've been challenged to try MSN search for a week and if I can't find everything I normally find with Google, to let that person know what I don't find.  I'm putting it on this laptop and giving it a spin.  I'll let you know how it works.

Trying something new.

Somthing that my CPA world needs to take a page out of.  This week the Small Business Accounting 2006 software is launching, and my CPA world that I hang around with will barely give it the time of day.

Order a trial kit. 

Try something new.  I've been challenged to try something new.

How about you?

Need to change the password via OWA? And how do you set the 'change password' timeframe?

In the newsgroup someone asked how to allow people change their password via an OWA interface and you have to adjust some settings that are discussed here. 

You know what I want in a password policy?  More flexibility when the passwords are changed.  Right now if you set up a 'change passwords' it's measured in days.  Well I work in a cyclical industry that has due dates in certain times of the year.  So ..for example.. I try not to change passwords between January and April 15 and then I want to change them before the end of July but not around August 15.  And then around December.  See how I really want to have some sort of 'calendar' interface on my password policy and not change it “every 30 days” or “every 60 days”, but rather on THAT day. 

Yeah..  I know.. this is where the business/admin side of Susan butts heads with the paranoid Security Susan.  I want to change passwords for security purposes, but I also realize that it has to fit with the business flow cycle. 

And sometimes....changing passwords right before a key critical due date in the firm, just is not the right answer.

Blackberry on SBS

<with the caveat that I have not done this>

In order to support Blackberry's on a SBS box you need to purchase SBE Blackberry Enterprise Server 4.0 for Exchange.  The docs say it's not "supposed" to be installed on the same server that Exchange is on.  But SBSers in the newsgroup report doing so.  So while SBSers 'have' done it on SBS, here's my response:

Talk that owner/user into an Audiovox 5600. SOOOO much easier to set up it's not funny.  And the cost?  Only the cost of the phone.

The cost of the Blackberry Enterprise Server Small Medium Edition 4.0?

... googling now as I'm not sure what it goes for.... WOW

Oh my goodness... you guys are actually spending $1,499 $1,600 [including taxes and shipping] for a 5 user blackberry when I can get the same functionality and more for the price of a smart media phone?

Are you guys insane?  You have to be nuts to pay that for adding that to your network when for the mere price of a PHONE you can get everything that the Blackberry does and more?

I mean check out the Siemens SX66.  $499 and a slide out keyboard like the Blackberry's.  The Audiovox was in the $200 range.

Man, I'm sorry but those Blackberries better do something more than “oh the other Attorneys all have them so we have to have them” for that price.  Not when you can get the same functionality in the phone and everything else is automagically in the box ready to go in the SBS 2003 sp1 platform.

P.S.  Wow... that Blackberry better be really worth $1,600.  Personally I can think of a lot better way to spend a technology budget.

Getting to Mothership Redmond and SMBNation

For those of you who have never been to Mothership Redmond and SMBnation before, there's one trick to getting transportation to the area.

When you get there... you have to get there.

You see you have to be on the third floor to pick up the taxi's or Express shuttles...but when you walk out of the baggage claim...you aren't on the third floor.  I think you are on the 4th floor if memory serves me right.  Exit the baggage claim, walk over the pedestrian bridge, and get to the 3rd floor.  So you have to then manuver your luggage down an escalator or ... like I do...take the elevator and then pick up the transportation.

More info on the airport, the area, restaurants in the area is HERE.

By the way if you scroll to page 6, we'll be in the Executive Center, Building 33, it's really cool.

IE Add in Blocker - good idea..but ...

So I'm working on a chapter on Workstation Security for the SBS 2003 unleashed book and I'm showcasing fellow SBS MVP's knowledge base article about a really cool feature in XP sp2 and group policy where you can better protect the IE by only allowing certain Active X browser add ons...

The knowledge base article is here:

But like even in the XP sp2 firewall settings that we have where you can add your own program and port exceptions [see here], but it needs to be easier for the admin to add the exclusions. 

So the group policy setting it great in it's idea... for me.. not quite so great in deployment.  Supposedly you are supposed to be able to see those GUID information merely by lauching IE, than tools, then IE blocker, and then on the top of the window, right mouse click and enable ClassID.  But the problem is, I don't think I can copy and paste from there.  I don't know about you but typing in GUID codes is not exactly something I do for a daily fun and excitement.

So?  Do you know of any easier way to track down GUID codes for an Active X?  I googled and found this KB that states:

Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer.

...okay... so .... imagine me calling up .. oh.. I don't know... Intuit and asking them for their CLSID's for Active X?  Maybe I'll call up their help desk just to see if they'll know what I am talking about.

Feel free to ping me at sbradcpa-at-pacbell.net if you know of an easier way.  My googling is failing.... maybe I should MSN instead?

Did you know that?

Small firms in the United States

• Represent 99.7 percent of all employers.
• Employ half of all private sector employees.
• Pay 44.3 percent of total U.S. private payroll.
• Generate 60 to 80 percent of net new jobs annually over the last decade.
• Create more than 50 percent of nonfarm private gross domestic product (GDP).
• Supplied over 23 percent of the total value of federal prime contracts in FY 2003.
• Produce 13 to 14 times more patents per employee than large patenting firms. These patents are twice as likely as large firm patents to be among the one percent most cited.
• Are employers of 39 percent of high tech workers (such as scientists, engineers, and computer workers ) .
• Are 53 percent home-based and 3 percent franchises.
• Made up 97 percent of all identified exporters and produced 29 percent of the known export value in FY 2001.

Sources: U.S. Bureau of the Census; Advocacy-funded research by Joel Popkin and Company (Research Summary #211); Federal Procurement Data System; Advocacy-funded research by CHI Research, Inc. (Research Summary #225); Bureau of Labor Statistics, Current Population Survey; U.S. Department of Commerce, International Trade Administration.

That new blue icon over there on the right hand side

There's a new logo/icon in town.  Over there, under the Yoda and the SBS logo is a new one.  Don't recognize it?  It means I'm a Microsoft Small Business Specialist.  Someone who has demonstrated a foundation in understanding the needs of Small Businesses.

John Q. Businessowner?  You need to look for that logo because it means that this person cared enough to 'brand' him or herself someone who caters to, deals with, handles, knows better than anyone, Small Businesses.  Someone who decided to put resources into your small business marketplace.

At SMBnation, many of us newbie Small Business Specialists will be meeting up, and some folks will be taking the exam to become one. 

Oh, and another thing... more often than not... a Microsoft Small Business Specialist already IS a small business owner themselves.  Who better than to install your network that someone who knows you are are already?

So how do I subscribe to the blog?

I've gotten enough of these requests from the mailbag, so I decided to build a 'how to page'

What am I talking about?  I freak people out with that 'login' up there.  They think it means there's this secret society or something behind the login portal.  Truly it's not.  It's just the place that I enter a username and password so I can rant...ummm.... I mean post to the blog. 

The other day someone asked something and I said “don't read the blog do ya?” and he said “No I haven't visited in a couple of days” and I realized that some folks may be 'surfing' to this blog... and that's not how blogs should be 'consumed' at all.  Blogs aren't web pages... I mean yeah, if you are reading this at www.msmvps.com/bradley or www.sbsdiva.com rather than a newsreader, it kinda works on a web page, but you really shouldn't be doing it that way.  You really need to have the feeds come to you....the SBSway....automagically.

So...here's what I did... I typed up a web page that shows how I 'subscribe' to a blog feed.  I put it here.  I hope that it will help to showcase how easy it is to get blog feeds to come TO you, so that you don't have to GO TO it.

Another way you can read blogs is by using RSS readers inside of a web page... take for example the beta of www.start.com.  See those columns?  Those are RSS feeds being 'sucked' into that browser.  Sign up and register and you could have a 'portable' reader as well.

So...any questions?  Does that help to let you know how you can “consume” feeds a lot easier than you are now doing it?

No I really haven't lost my mind..

So I'm googling for some info to get a 98 attached to a SBS 2003 box for ...what else... a beancounter.  A beancounter that SHOULD be signed up for the Microsoft's Accountant Network and not forcing his IT guy to jump through hoops as he'll be able to get Win XPs' and his 98 desktop won't SCREAM  “I don't care about the security of my data” to every client that walks by... so anyway I googled this...  and here's the funny thing... when I emailed it of to the person asking for it... it bounced back...

Your e-mail was rejected by an anti-spam content filter on gateway.  Reasons for rejection may be: obscene language, graphics, or spam-like characteristics.

You know... I think I quite agree ... having Windows 98 info inside of an email is obscene isn't it?  Especially in a SBS 2003 network... it just works soooooo nicely on XP... Remote Web Workplace... man you just do not know what you are missing out on when you don't have XP sp2 on that network....

Definitely I think I agree with the spam filter... definitely obscene to put a 98 on a SBS 2003 network.  It's like making an Indy 500 race car driver drive an... oh I don't know...an Edsel or something...

Make sure that you specify WINS as the internal ip address of the server.
Also, if using DHCP, enable the support for updating to DDNS, for all legacy clients, 
by entering the DNS tab in the properites of the server.domain.local in the DHCP Console.
 
The supported client OS for SBS 2K3 is Windows 98, Windows 2K, Windows 2K3
and Windows XP Pro edition. Windows 95, Windows Millennium are not officially
supported in Windows 2003 (which includes SBS 2K3) environment  although
you may be able to join them into the domain
 
Please also note that although you can use a Windows 98 clients in the
domain, they won't have full functionality (won't have full functionality
of WSS/companyweb either due to not being able to use Office 2003,) and you
will have to manually configure clients networking  configure it to logon to the 
2003 domain (you will not be able to join the Win98 clients to the domain 
by using the "connectcomputer" web site).  In addition, there are many
 other issues with legacy clients as mentioned in: 823659 Client, Service, and Program
Incompatibilities That May Occur When You -
.
It is also recommended that you install the updated DSclient (the one
included in the SBS 2K3 setup CD cannot be installed on 98 clients) on the 98 clients.
 
More detailed information can be found in the KB article below:
 
323466 Availability of the Directory Services Client Update for Windows 95
and http://support.microsoft.com/default.aspx?scid=kb;en-us;323455 
 
226144 NetBIOS Domain Name Field Has a 15 Character Length Limitation -
http://support.microsoft.com/default.aspx?scid=kb;en-us;226144 
After installing the updated DSclient on 98 clients (you may need to wait
for some time after the 9x clients' start until the computer lists are
synced,) I can then view and share the shared computers in 'Network
Neighborhood' ¨¤ Entire Network ¨¤

SMBNation ... a little Community with a Capital C

I'm a big fan of community with a Capital C.  And next week at SMBnation you will get that Community with a Capital C.

Peer talking to Peer.  Been there talking to Done that.  And a little bit of lived through that as well.

If you want to share rides, log in when you are arriving and coming and going, we've got a Community portal set up for such.  Fellow SBS MVP Steve Foster will be in attendance and has set up this portal site:

http://dnn.portals.virtual-isp.net/smbnation

Register to see the travel data (figured I ought to keep that secured just in case). I've entered the first few names that have posted here - if that's an issue for any of those people, please yell (or register & delete/amend).   If you want to add yourself, please enter the arrival date in the format  "YYYY-MM-DD HH:NN" so that the sorting works, and the dates are evaluated correctly no matter what region (and if you want more locales, yell!).

Any other suggestions, yell out...

--
Steve Foster [SBS MVP]

So log in.  Figure out when you'll be arriving with someone else... share a cab, an express van, heck even a limo.

Don't forget to check out Nancy's SMBNation Update that lists transportation options:
http://msmvps.com/bradley/archive/2005/08/26/64309.aspx

Heads up on Email pointing to website with Malware threat [Hurricane Katrina scam]

So this morning I get this email.... and the antenna goes up.... CLICK HERE it says for more info...yeah right.....so I asked some fellow Security MVPs to look at it and sure 'nuff....malware.  Variant of JS/ObjID.C trojan.

The ISC has just posted on this new malware threat
Katrina Malware
http://isc.sans.org/diary.php?date=2005-09-01 '

<How sick is our world that these malware writers have to play on our compassion for Hurricane victims?  Read this Washington Post article and see how Spyware isn't just pop ups anymore...this is BIG BUSINESS.  Sick big business as well.  To the folks behind this one....sick guys....really sick... you know how much small businesses are going to need geek/IT help in the coming months and all you guys can do is to code up stuff like this?  How about donating to the red cross?  How about volunteering to help a small business owner displaced by Katrina reset up MX records, A records?  How about doing something useful instead of this stuff?  Okay rant box off>

 -------- Original Message --------
Subject:     Re: x6 80 percent of our city underwater.
Date:     Thu, 1 Sep 2005 09:44:45 -0500
From:     Vesna Garmon <garmonkuvesna@eoi.es>
Reply-To:     Vesna Garmon <garmonkuvesna@eoi.es>
To:     Edie Prescott <sbradcpa@pacbell.net>



Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles
northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph.
Forecasters at the National Hurricane Center said the amount of rainfall
has been adjusted downward Monday.

Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed
as many as 80 people in his state and burst levees in Louisiana flooded New
Orleans.

Read More..
http://malwareinfestedwebsite that I won't point to here