December 2005 - Posts

Sam the SBS Server reviews the year

We interview Sam the SBS server who's getting ready to celebrate New Year's Eve with his network

Q.  Hi Sam, how's it going!

A.  Not bad. Can't complain, keeping a watch on things here, getting ready to celebrate the New Year.

Q.  So this has been a big year for you hasn't it?

A.  Oh no kidding, two major milestones this year, my Service Pack came out and now I have my own patches on Microsoft Update that are unique to me.

Q.  That's pretty cool.

A.  No kidding.  In 2006 the next version of SBS 2003 called SBS 2003 R2 is coming out and Patching will be built inside of me.  I'm really excited about that.  I can't go into details...but I'm really excited about it.  I'll be able to control and manage the patches on all the machines under my control, so I'll be even better able to protect Samantha the SBS Workstation.

Q.  That's really cool.

A.  And let me bring this up again, last year Samantha and I talked about this and we did some of this..but really not enough at all.

Q.  Enough of what?

A.  "This" meaning where I'm doing a lot more of the managing and protecting of her.  Like for example... take the bad stuff on the 'net today.  Many of these bad things can be mitigated or lessened if she doesn't have rights over what she does and runs as a 'regular' user.

Q.  But isn't this hard to do with some of the applications that she is running?

A.  Oh, no kidding, but we have to do this.  Samson, the new Vista operating system is going to be joining us at the end of 2006 and he's going to be helping out in this LUA or restricted user, but we really have to push our vendors now to do this.

Q.  You really feel strongly about this don't you?

A.  Yes, I do.  People always say that I don't do 'best practices' and this is one area that I can do best practices.  Because my owners are much more agile than big firms they can get rid of old operating systems, ensure that I have only machines that I control that help me secure and don't hinder me.

Q.  Edward the Windows 98 machine is really causing issues with you isn't he?

A.  Oh, no kidding, I can't control him at all, he has no sense of security whatsoever and he's really frightening me these days with all the risks he takes.

Q.  So we'll keep this brief as I see you are getting ready for your party...but in closing...

A.  In closing, I'd say that for 2006 I'm making a resolution to get more secure this year.  Better on patching.  Better on Control.  There are a lot of things I can do best practices on...and helping Samantha the SBS workstation be more secure is one I can do.

Q.  Happy New Year Sam!

A.  Happy New Year to all in the SBS communities as well.

 

Getting good information

...so we're in the car driving to Los Angeles and the radio DJ talks about an upcoming story on radio

"A problem in Microsoft Windows?  Nahhhhhhhh" she says.......

The chatter on SBS listserves today is one of disappointment.  This security issue points out the problem we have down here in SBSland.  The "test" problem.  For large firms they have the resources to test, to have matching images on the desktops, to try to understand the risk for their firm.  Down here we rely on the guidance we get from official sources. 

So the gang is now scratching their heads as to how we went from "DEP" works to one where only "Hardware DEP" works.  They are seeing that antivirus and spyware bloggers first brought up the issue that software DEP wasn't working [especially on real world boxes]. 

Getting good info is hard....and unfortunately this event just pointed out how hard.

 

Just a heads up the Security Advisory was updated

 *I have DEP enabled on my system, does this help mitigate the vulnerability?*
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.


http://www.microsoft.com/technet/security/advisory/912840.mspx

....so what am I going to do? Nothin' for now because the office is closed and the machines are off so they are as protected as they can be..... ask me next Tuesday and I'll let you know what my risk tolerance is then.... for now... I'm sitting tight....

------------ 

 Shavlik Provides Workaround For Zero-Day WMF Exploit

On December 28th, Microsoft announced a Security Advisory (912840) for a zero-day exploit that could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Malicious code on a number of web sites exploited the vulnerability on users’ machines. Microsoft has not issued a patch for this security exploit at this time. Users running a fully patched version of Microsoft Windows are still vulnerable to attack.

For administrators that cannot wait for Microsoft to issue a patch to protect against this vulnerability and need an immediate workaround, Shavlik Technologies has released updated XML files for Shavlik NetChk Protect, its patch and spyware management solution, to help users protect against this attack. Shavlik NetChk Protect allows users to un-register the SHIMGVW.DLL files that enable the malicious code to attack systems on Windows XP and Windows 2003. This is a workaround recommended by the United States Computer Emergency Readiness Team (CERT) as an option for vulnerability protection. Shavlik Technologies cannot validate this as a proper fix. To read more about this vulnerability, visit the CERT web site at http://www.kb.cert.org/vuls/id/181038.

Shavlik Technologies recommends that administrators determine their security needs and implement this workaround only if it offers an acceptable solution to their individual security needs and all risks are understood. By offering this workaround, Shavlik Technologies puts the option for protection in the hands of the administrator. Users should be aware that by un-registering the .dll file, other applications that use this .dll file can break, but this is the only workaround available at this time, as quoted from the advisory.

For Shavlik HFNetChkPro™ users, Shavlik Technologies has developed a workaround to help administrators address this vulnerability. For more information visit Shavlik’s Support Forum at http://forum.shavlik.com/viewtopic.php?t=2731

The Microsoft Security Advisory affects the following operating systems:

  • Windows 2000 SP 4
  • Windows XP
  • Windows Server 2003

More information on the Microsoft Security Advisory can be found on Microsoft’s Web site at: http://www.microsoft.com/technet/security/advisory/912840.mspx.

Users are affected by either navigating to web sites that contain a link to a Windows Metafile that exploits this security vulnerability, or opening an email attachment that exploits this security vulnerability.

When Microsoft releases a patch to protect against this vulnerability, Shavlik NetChk Protect will include this patch and will allow users to re-register the .dll file, returning the system to its previous state.

For further information about this zero-day exploit, visit Shavlik’s Security Center at http://www.shavlik.com.

Blogging will be a smidge light...

As I'm on my way to Disneyland for the New year.....

Everyone have a happy and safe New Year!

You'd think I'd learn by now

HA!

See that?

That's a Dell OEM with a Nvidia driver up in the "High Priority" patches.

I do not do video drivers via Microsoft update just because I've had bad personal luck with them... but I never get a video driver up there in high priority on a box that I've flattened...yeah yeah... I know... I should just flatten these guys and start again...you'd think I'd learn...

Oh let's just rip out those dll's shall we?

One of the suggestions I see on many of the Security sites is to unregister certain DLLs to ensure that this WMF vulnerability can't be exploited.  Now maybe it's just me...but unregistering DLLs that break image, thumbnails and what not... and especially if I have to worry about registering those files and sticking them back in seems to me a bit drastic.  To me the saner approach is to ...again...use our Risk Analysis view....

Which machines in my office are most at risk.... uh... honestly?  Mine.  But do give extra protection for all in the office...what's an easy protection mechanism that I can do on my network?

Steps I've already done...block files at the mail gateway ....block image types at the firewall.....

Okay so what else can I do on my machine.... Enable DEP protection for all programs.  Viruslist says that DEP is marginally effective and doesn't work if you have image viewers like Irfanview.  Yo.  Folks.  Irfanview is a known image program in the forensic biz that can view ANYTHING.  I don't define it as the 'viewer of choice for many'.  Geeks maybe.  But my Mom and Dad?  No.

Do I have it on any other machine except for mine?  Nope.  Does it appear that enabling DEP for all programs is effective for mere mortals that have normal software at this time?  Yes.  Can DEP be enabled without major impact?  You bet your bippy.  Working just fine here and so I'm thinking...why the heck am I leaving it at the default?

P.S. Knowing my luck I'll probably find out that bippy means something obscene....

On the topic of paranoia today....

Since we're in paranoid mode today...did you catch this statement in that NPR article?  "They can prepare to work from home, in case it becomes hazardous to be in contact with other people. "

Guess what we have inside every SBS 2003 box that is married with XP sp2 workstations?  The ability to easily work from home.  Remote Web Workplace is truly the killer app of SBS 2003.  Dave even said that his boss is making his employees mandatorily work from home one day in the future to test their ability to have all the technology needs at home addressed before they are required to do something like this [even if it's not due to something like sickness or whatever].  His boss just wants them to 'test' it before it's needed for real.

WMF and blocking

As many have pointed out ...the instructions for blocking 'just' the WMF extensions won't protect me if the threat vector comes in via renamed files.... but I think folks are missing the point here.  NPR the other morning had a news report on the communication regarding the potential for a Bird Flu Pandemic.  They discussed how there's a fine line between communication and 'freaking someone out'.  And they said that when a person gets communication that helps them act on something so that they feel part of the solution, that person feels calmer. 

I think this occurs in Security communication as well.....that's exactly what's going on here...there's a psychological effect of "me" taking proactive measures to block what I know I can easily do at the border.

"Lanard and Sandman say risk communicators must walk a tightrope. On one side is the risk of promoting irrational fear. On the other side is irrational complacency. The goal is to instill appropriate fear that gets people to take appropriate precautions.

Lanard says accomplishing this means presenting information that is accurate, complete, and often frightening.

"Good information should increase the level of fear in people that haven't been thinking about it at all," she says. "It should decrease the level of fear in people who are over-imagining how bad it could be."

Sandman and Lanard say that in the short run, individuals can do far more than the government to protect themselves.

For example, he says, people can keep extra food in case a pandemic disrupts distribution systems. They can prepare to work from home, in case it becomes hazardous to be in contact with other people. They can learn proper hand washing techniques to keep from spreading the virus.

And Sandman says there's another reason for the government to involve the public in any bird flu preparations.

"Everything that's known about the psychology of fear tells us that people can tolerate more fear if there is something for them to do," he says. "So it's not just inaccurate for the government to imply that the government will take care of it. It's not only getting in the way of the public's beginning to take preparedness more seriously. It's getting in the way of the public's ability to endure the threat of the pandemic itself.""

...see the correlation between Pandemic communication and Security communication here?  So give me something to do...even as stupid as building a block for WMF files and I won't feel as scared.  Give me a role and I feel like I'm helping.  Make me feel dependent on things I can't control and I do freak out.

Communicate with me...give me something to do....and I feel better.
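
The renamed-file gap raised at the top of this post can be narrowed by checking content as well as the name. The following is an added example, not from the original post: a Python check that flags WMF data by its header bytes even when the file arrives as .jpg. The function names, the block list and the sample bytes (headers only, no drawing records) are constructed for the illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" header
STANDARD_LEN = 18           # standard metafile header: 9 sixteen-bit words


def looks_like_wmf(data):
    """True when the bytes start like a Windows Metafile, whatever the name says."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # The placeable magic alone is enough to treat the file as WMF.
        return True
    if len(data) < STANDARD_LEN:
        return False
    # Standard header: type (1 = memory, 2 = disk), header size in words (9),
    # version (0x0100 or 0x0300). This is a heuristic, not a full parser.
    ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def declared_extension(filename):
    """Lower-cased final extension without the dot ('' if there is none)."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    name = name.rstrip(". ")  # Windows ignores trailing dots and spaces
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def screen(filename, data, blocked_exts):
    """Return (verdict, reason) for one attachment or download."""
    ext = declared_extension(filename)
    if ext in blocked_exts:
        return ("block", f"extension .{ext} is on the block list")
    if "wmf" in blocked_exts and looks_like_wmf(data):
        claimed = f".{ext}" if ext else "no extension"
        return ("block", f"content is WMF but name claims {claimed}")
    return ("allow", "no rule matched")


# Constructed samples: header bytes only.
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0,
                            0, 0, 100, 100, 1440, 0, 0) + STANDARD_WMF
JPEG_START = bytes.fromhex("ffd8ffe000104a464946000101") + b"\x00" * 16

if __name__ == "__main__":
    blocked = {"wmf"}
    for name, body in [("chart.wmf", STANDARD_WMF),
                       ("holiday.jpg", STANDARD_WMF),
                       ("holiday.jpg", PLACEABLE_WMF),
                       ("holiday.jpg", JPEG_START)]:
        print(name, screen(name, body, blocked))
```

An extension-only block at the mail gateway or firewall would pass both "holiday.jpg" WMF samples; the content check is what catches them.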

Blocking those WMF's at the email border

Okay so even before I blocked the WMF's via ISA server so that they are blocked while surfing...the first thing I did [because I knew easily how to do this] was to go into my antivirus program that protects my Exchange server and add WMF file extensions to be blocked at the server [in fact why do I need them anyway... I think I'll leave the setting exactly like that from now on]

So on my Trend Exchange a/v it looks like this:

So what if you were insane, stupid, or too cheap to buy an antivirus that covers your Exchange server?  And boy you have to be all three these days not to get an antivirus suite that does this....but say you were... what else could you EASILY do on your SBS box to block those kinds of files....

If you've never done this before... you rerun the "Connect to Internet Wizard" and rerun the wizard to add file type blocking at the server...remember it looks like this:

Click on "add" to add the WMF file blocking:

And click OK...but what if you already did that and you don't want to rerun the wizard?

No problem... just follow this prior post...but here's a trick I found... Nathan said to right mouse click and click on "edit" but on my newly pristine server... I had no edit and Notepad sucked as an XML editor.  So I brought it over to my workstation where I have Frontpage, right mouse clicked on Edit, opened it in Front Page, clicked on "Reformat XML"

And edited the page in a much more user friendly format

<Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/> which looks like this

Remember these are kinda like those backwards group policy settings where "True" is a good thing.... so when we get all done, I saved the file on my workstation and then stuck it back up on the server and it looks like this:

My resulting XML file.... is copied below:

===============================

<?xml version="1.0" encoding="utf-8" ?>

<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled="False" Location=""/>
    <UnsafeAttachments>
        <Attachment Enabled="True" Extension="ade" Description="Microsoft Access project extension"/>
        <Attachment Enabled="True" Extension="adp" Description="Microsoft Access project"/>
        <Attachment Enabled="True" Extension="app" Description="FoxPro generated application"/>
        <Attachment Enabled="True" Extension="bas" Description="Microsoft Visual Basic class module"/>
        <Attachment Enabled="True" Extension="bat" Description="Batch file"/>
        <Attachment Enabled="True" Extension="chm" Description="Compiled HTML Help file"/>
        <Attachment Enabled="True" Extension="cmd" Description="Microsoft Windows NT Command script"/>
        <Attachment Enabled="True" Extension="com" Description="Microsoft MS-DOS program"/>
        <Attachment Enabled="True" Extension="cpl" Description="Control Panel extension"/>
        <Attachment Enabled="True" Extension="crt" Description="Security certificate"/>
        <Attachment Enabled="True" Extension="csh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="exe" Description="Program"/>
        <Attachment Enabled="True" Extension="fxp" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="hlp" Description="Help file"/>
        <Attachment Enabled="True" Extension="hta" Description="HTML program"/>
        <Attachment Enabled="True" Extension="inf" Description="Setup Information"/>
        <Attachment Enabled="True" Extension="ins" Description="Internet Naming Service"/>
        <Attachment Enabled="True" Extension="isp" Description="Internet Communication settings"/>
        <Attachment Enabled="True" Extension="js" Description="JScript file"/>
        <Attachment Enabled="True" Extension="jse" Description="Jscript Encoded Script file"/>
        <Attachment Enabled="True" Extension="ksh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="lnk" Description="Shortcut"/>
        <Attachment Enabled="True" Extension="mda" Description="Microsoft Access add-in program"/>
        <Attachment Enabled="True" Extension="mdb" Description="Microsoft Access program"/>
        <Attachment Enabled="True" Extension="mde" Description="Microsoft Access MDE database"/>
        <Attachment Enabled="True" Extension="mdt" Description="Microsoft Access add-in data"/>
        <Attachment Enabled="True" Extension="mdw" Description="Microsoft Access workgroup information"/>
        <Attachment Enabled="True" Extension="mdz" Description="Microsoft Access wizard program"/>
        <Attachment Enabled="True" Extension="msc" Description="Microsoft Common Console document"/>
        <Attachment Enabled="True" Extension="msi" Description="Microsoft Windows Installer package"/>
        <Attachment Enabled="True" Extension="msp" Description="Microsoft Windows Installer patch"/>
        <Attachment Enabled="True" Extension="mst" Description="Microsoft Windows Installer transform; Microsoft Visual Test source file"/>
        <Attachment Enabled="True" Extension="ops" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="pcd" Description="Photo CD image; Microsoft Visual compiled script"/>
        <Attachment Enabled="True" Extension="pif" Description="Shortcut to MS-DOS program"/>
        <Attachment Enabled="True" Extension="prf" Description="Microsoft Outlook profile settings"/>
        <Attachment Enabled="True" Extension="prg" Description="FoxPro program source file"/>
        <Attachment Enabled="True" Extension="reg" Description="Registration entries"/>
        <Attachment Enabled="True" Extension="scf" Description="Windows Explorer command"/>
        <Attachment Enabled="True" Extension="scr" Description="Screen saver"/>
        <Attachment Enabled="True" Extension="sct" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="shb" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="shs" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="url" Description="Internet shortcut"/>
        <Attachment Enabled="True" Extension="vb" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="vbe" Description="VBScript Encoded script file"/>
        <Attachment Enabled="True" Extension="vbs" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="wsc" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="wsf" Description="Windows Script file"/>
        <Attachment Enabled="True" Extension="wsh" Description="Windows Script Host Settings file"/>
        <Attachment Enabled="True" Extension="xsl" Description="XML file that can contain script"/>
        <Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/>
    </UnsafeAttachments>
</SecAttsConfig>
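
Hand-editing this file is where a typo, a duplicate or a disabled entry slips in. As an added example (not part of the original post or of SBS itself), this Python script audits a file of this shape and adds the wmf entry only if it is missing. The shortened sample config and all function names are constructed for the illustration; it assumes, as the post says, that Enabled="True" means the extension is blocked.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened sample in the same shape as the file in the post.
# One entry is deliberately disabled and one is duplicated, to show the audit.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8" ?>
<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled="False" Location=""/>
    <UnsafeAttachments>
        <Attachment Enabled="True" Extension="exe" Description="Program"/>
        <Attachment Enabled="False" Extension="url" Description="Internet shortcut"/>
        <Attachment Enabled="True" Extension="vbs" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="VBS" Description="VBScript file"/>
    </UnsafeAttachments>
</SecAttsConfig>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def _norm(ext):
    # Accept "wmf", ".wmf" or ".WMF"
    return ext.strip().lstrip(".").lower()


def load_config(data):
    """Parse the file content and confirm it is the expected document."""
    root = ET.fromstring(data)
    if root.tag != "SecAttsConfig":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return root


def blocked_extensions(root):
    """Extensions whose entry is switched on."""
    return {
        _norm(a.get("Extension", ""))
        for a in root.findall("./UnsafeAttachments/Attachment")
        if _is_true(a.get("Enabled"))
    }


def audit(root):
    """Return findings that would leave attachments unblocked or ambiguous."""
    findings = []
    if not _is_true(root.findtext("Enabled")):
        findings.append("global <Enabled> is not True: blocking is off")
    seen = set()
    for a in root.findall("./UnsafeAttachments/Attachment"):
        ext = _norm(a.get("Extension", ""))
        if not ext:
            findings.append("entry with empty Extension")
            continue
        if ext in seen:
            findings.append(f"duplicate entry for {ext}")
        seen.add(ext)
        if not _is_true(a.get("Enabled")):
            findings.append(f"{ext} is listed but disabled")
    return findings


def ensure_blocked(root, ext, description):
    """Add or switch on an entry; returns 'added', 'enabled' or 'unchanged'."""
    ext = _norm(ext)
    parent = root.find("UnsafeAttachments")
    if parent is None:
        raise ValueError("no <UnsafeAttachments> element; not the expected file")
    matches = [a for a in parent.findall("Attachment")
               if _norm(a.get("Extension", "")) == ext]
    if not matches:
        ET.SubElement(parent, "Attachment",
                      {"Enabled": "True", "Extension": ext,
                       "Description": description})
        return "added"
    changed = False
    for a in matches:
        if not _is_true(a.get("Enabled")):
            a.set("Enabled", "True")
            changed = True
    return "enabled" if changed else "unchanged"


def serialize(root):
    """Bytes ready to write back, with the XML declaration restored."""
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("before:", audit(cfg))
    print("wmf:", ensure_blocked(cfg, "wmf", "WMF Zero Day"))
    print(serialize(cfg).decode("utf-8"))
```

Run it against a copy of the file and keep the original as a backup before putting the result back on the server.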

So if you have ISA here are some things you can do

So.... let's see..... we have a Zero Day WMF exploit nailing even fellow MVPs .... websites that nail you with malware so bad you have to flatten and rebuild....that merely visiting the web site..no clicking.... will nail you.... and Trend [and most a/v companies] has the definition for this in their 'beta' def but not their released one....so what's a gal to do?

So I already blocked WMFs in email in the Trend Antivirus

  • I don't want to pull down a beta def file
  • I'm not sure I want to unregister a dll.......shimgvw.dll
  • So how about looking at what my ISA server can do 'eh?

Jesper's Blog : Blocking certain extensions in ISA server:
http://blogs.technet.com/jesper_johansson/archive/2005/12/28/416565.aspx

Very cool huh! And how about we block those wmf's via ISA server.

So we go into the ISA management console..and we access the SBS Internet Access Rule [on mine this is rule 23]

  • Click on Protocols
  • click on Filtering
  • Click on configure http
  • Click on Extensions
  • Choose "Block Specified Extensions and allow all others" and then put in the list you want to block
  • Click "add" and put in wmf.

Click OK, click apply and now when I go to the test page... voila...the image doesn't show up.

Is this cool or what?  Now I feel a lot better since Trend hasn't updated yet.

SBS 4.5 is officially dead on 12/31/2005

Peter reminds us that on 12/31/2005 SBS 4.5 is DEAD and is no longer supported as an operating system.

http://www.microsoft.com/lifecycle

Rest in Peace SBS 4.5.

Rock on SBS 2003!

"A good bug wasted on a malware site"

On the security listserves, there's discussion of an image vulnerability that uses WMF files to infect/inject malware... and one of the posters had a line about it that had me laughing ... "a good bug wasted on a malware site".

This bug [for which at this time, there is no patch] is discussed on

http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
http://isc.sans.org/diary.php?storyid=972
http://www.heise.de/newsticker/meldung/67794

And as reported by Andreas Marx, some A/V companies are already creating signatures for this.....

AntiVir TR/Dldr.WMF.Small
Dr Web Exploit.MS05-053
F-Secure Exploit.Win32.Agent.r
Fortinet W32/WMF-exploit
Kaspersky Exploit.Win32.Agent.r
McAfee (BETA) Exploit-WMF trojan
Symantec (BETA) Download.Trojan

If you enable DEP to cover all programs the WMF exploit attempt will result in a warning as per www.incidents.org but folks are recommending a blended protection:

  • Using up to date antivirus
  • Enabling DEP
  • Teaching users not to click on suspicious links
  • Blocking wmf files at the border

Kerberos errors revisited

So remember my Kerberos Errors post the other day?  J.P. posted back with the final resolution to his last one remaining Kerberos errors that he was getting.....and sure 'nuff... HP printer toolbox software... I'm blogging his resolution here for the next person who ends up with Kerberos errors all over their log files and time sync isn't the resolution....

Well, plugging right along, I eliminated the other three remaining kerberos
errors on login.  They were caused by (you guessed it), HP monitoring
"Toolbox"  software. 

With some trial and error on the client end with MSConfig I was able to
narrow it down to the HP Toolbox printer monitoring software.  In researching
the Toolbox software and its known issues, I came across an article
describing the exact setup.  SBS Premium, XP SP2 workstations, kerberos
errors with firewall on, none with it off, HP printer on a workstation and
shared.

The fix was to go to a command prompt, navigate to c:\windows\system32 (or
the default system32 folder for your OS) and then enter the following command
"hpbpro.exe -regserver" (without the quotes) and if you still have the errors
follow the same process except use the command "hpbpro.exe -service"

A temporary 'out the door' policy in ISA 2004

Okay so you wanna do a temporary "anything out the door in ISA 2004"?  Just so you can see if something works, or temporarily allow something out and you'll figure it out later?

No prob....just go to the Firewall Policy in the ISA console and then the SBS Internet access rule and add "All Users" in addition to the "SBS Internet Users" and click okay and then "Apply" at the top.... now anything inside will go outside.....

To undo it just take out all users and you are back to the normal SBS default rule set/setup.

Two follow ups...

ONE - this is TEMPORARY and I'll whack you upside the head with my 2x4 if you leave it permanently...now with the ISA monitoring ...man there is NO NEED for you to leave this like this... as you can tell what is being blocked.....

TWO - Obiwan had a great idea to build another rule set and leave it disabled and just 'enable' it when you needed to rather than messing with [and possibly screwing up] an existing rule.

So I get the TechNet Magazine today...

....free subscription to US only [sorry about that check out www.technetmagsubs.com/zout] and on the cover is the ad for an article inside that says "Security Alert:  Disable your admin account" and I first thought...okay.... who's come up with that idea.... as do that on a SBS box and you'll find that when you apply Service Pack 1 the SBS part of the install won't work....

...so I flip to page 75 and .... oh...it's him.

Given that he's now an honorary SBSer guess I'll cut him some slack now. 

:-)

We're losing the war on the home front

...so we ask around the communities that I hang in and the consensus comes back that while 2005 was a good year for the Admin and business crowd, it was not for the home front.  Just today a client brings in a computer that I needed to post some journal entries to the accounting program and she says "it does some wacko stuff when I go on the Internet" [she's on dial up] and I notice that she's got Xp sp2 waiting down in the system tray to be loaded up.  Knowing that Xp sp2 doesn't like malware on the box 'before' installing it, I attach it to an external access to our dsl and plug in the RJ 45. 

The second it has a tcp/ip connection and I launch IE is when the fun starts.  I first install the MVP hosts file to get it to a state where I can even work with the system as IE freezes up too much without that.  Then I boot into safe mode and use Counterspy, Microsoft Antispyware, Windows Safety live and Trend's Housecall, and each one finds a new little critter that the other one didn't find.

I boot into normal mode and now the popups have stopped and the machine appears ready enough for the Xp sp2 application.... I also notice on this box that had the firm's accounting application on it was AOL's IM program that was pretty obviously used by a teenager and it reminds me of the cardinal rule of mixing "business with pleasure"

Buy a computer for your teenager and have them screw that machine up.

In the home office security checklist...it makes this clear but doesn't stress this enough...

"Don't let children use your business computer without your supervision. Ideally, you should not allow your children to use your home office computer. If your computer needs to serve both your business and family, be sure to supervise your children whenever they use it."

I would say don't let them use it period...buy a new computer....don't let them near the one you use for business or the office.

When is free wifi not always a good thing...

Matt talks about an experience I've noticed as well... you get to an airport and you say "Hey, free wifi, that's so cool!" and then you realize that some ports are blocking and you can't do all the things you wanted to do in that time your plane is held over.  It gets back to that net neutrality again, where the pipe you log on to is able to allow you to do what you want it to do. 

I always carry my Cingular Wireless card for the PC so that no matter where I'm at, if it can get cell phone connection, I can get online...and if I'm at a place without cell phone coverage...man that is roughing it way too much for my level of comfort.

Yes it really does need activation

...so I'm calling product activation because I'm doing a migration from an old wheezy computer to my new HP here at home and I love it when I have to explain with first the Product Activation people and then with the Licensing number ( 888-352-7140 ) people that yes, SBS requires activation, and no I'm not calling about Windows XP.

...there are times that embracing the "spots" ... i.e. the differences of SBS are very rewarding ...as in the remote web workplace that we have that no one else has.... and then there are times when you have to point out to Microsoft employees themselves, that no, we're SBS... we're different...every version of SBS needs activation...yes, even if it's Action pack or MSDN or Volume license.... that the spots get just a smidge frustrating.

Kerberos errors and NIC software

A post in the newsgroup today reminds me of something I saw after the application of Service Pack 1 on my server.... I had this insane number of Kerberos errors in the log file of the server, but not on the workstation.  So I looked at what was on that workstation that was 'different' than the other workstations and there were three things.....

  1. Extra NIC helper software over and above the standard NIC software [management software]
  2. HP printer software that loaded up an apache monitoring web app.
  3. Outlook BCM [and I don't use BCM] that came from the OEM image

Bottom line I ripped out all three pieces of software that were unique to this platform and it shut up.  Now my strong guess was that it was the NIC management helper software, but it points out that the more I standardize, the easier it is to troubleshoot.

Mobility = Opportunity

Watching a show on Cspan today reminds me that technology has allowed us a lot of opportunity.  Having the ability ....for even a small firm.... to be a flexible employer means that you can be more responsive to keeping and retaining employees.  The fact that with a relatively small dollar investment even small firms can have [and I would argue easier] remote connectivity than big firms means that we as small firms are tons more flexible and responsive.

When you set up remote connectivity, much of it is based on policy.  It's cheap to ensure that you have a business machine to remote into the office as well as a "teenager" machine.  Or how about upgrading the computers at the office and then 'handing down' the old computers from the office to the home workers. 

When you think about it, making sure that customers and clients who are still using a peer network know about the flexibility of a network built for mobility means that the client is now much more ready for keeping and maintaining employees.

OOF messages

This time of year, people have a ton of out of office messages and they don't realize how much they 'leak' good social engineering information about their offices [or even a lot of funny information]

This was suggested as one way to combat the OOF messages that end up on listserves:

Microsoft Exchange Server: Suppressing Out-of-Office Generation:
http://www.microsoft.com/exchange/techinfo/tips/mailtip01.asp

The point is that OOF messages are not automatically set up to go outside the domain.  Exchange, by default, does not send them out the domain.

Why are they a security issue?  Because they disclose information that could be used to do Social Engineering in a firm.  So ensure that only those people that NEED the out of office information get it.

To be honest with you, with my Audiovox 5600 Cell phone, I'm hardly out of touch enough to need an "Out of Office Message"

So my Dad has this card for a $1,000 online shopping spree...

And the first clue that this should be suspect is that on the card it says "Visit our website by typing into the address in your browser bar, do not use a search engine to find the site"  Hmmm...now that's interesting that they say to type in the address and not use a search engine....

Maybe it's because the "word of mouth" out there is that this is a scam?

So what are the clues this is bogus?

  1. The car dealership that Dad got this from isn't a major car dealership but one of the "sub" dealerships
  2. The fact that they wanted us to just go to the site and not use a search engine

When getting these too good to be true offers... remember that they ARE too good to be true.

Okay so now that Sis has the Video Ipod

We have to get a case to protect it...and we're surfing on http://www.vajacases.com/ for a case to do it justice.  She was going to get one with a hook on it rather than a normal "knob" thing that hooks into a belt clip because we find in Cell phones that that "knob" holder will weaken over time and the cell phone ends up dropping on the ground.

I don't think we want a video ipod to drop on the floor.  Our gang at the office likes the sideways cases that the Audiovox 5600 has as they don't get popped off the belt loop when the person sits down.

So I'm listening to Vint Cerf on CSpan

...and he's saying that he's predicting many more things on the net.... but he reminds us that searching the 'net should be the 'start' of our research, not the end of our search.  Another interesting concept is 'net neutrality' where the Internet pipe won't be limited by what it's transmitting.  It reminds me of how I take it for granted that I can find an ISP to give me a business connection to let me do what I want and need to do.  Vint Cerf argued that the Internet is what it is because it was not limited by what people did with it.  That the best ideas come from people who just do stuff on the web and are not limited by what they can and can't do.

He talked about when the Internet first started there was a single hosts.txt file that kept track of the connected systems....but that they realized that it was too cumbersome to keep it up to date all the time.....

...my, a lot has changed, hasn't it?

My grownup Christmas wish

Do you remember me?
I sat upon your knee
I wrote to you
With Childhood fantasies

Well I'm all grown-up now
Can you still help somehow?
I'm not a child
But my heart still can dream

So here's my lifelong wish
My grown-up Christmas list
Not for myself
But for a world in need

No more lives torn apart
That wars would never start
And time would heal all hearts
Every man would have a friend
That right would always win
And love would never end
This is my grown-up
Christmas list

What is this illusion called?
The innocence of youth
Maybe only in our blind belief
Can we ever find the truth?

There'd be no more lives torn apart
And wars would never start
And time would heal all hearts
Every man would have a friend
And right would always win
And love would never end
This is my grown-up Christmas list

This is my only lifelong wish
This is my grown-up Christmas list

Lyrics by Linda Thompson Foster

As the years go by, Christmas to me is less about 'things' and more about people and friends and family.  And the funny thing is, many of the people that I consider family are not true relatives.

To you and all of those who care about you and whom you care about this holiday season...

A big virtual hug

So the inlaws are in town and you need something to divert your attention, eh?

As always, Vlad comes to the rescue with the SBSShow.  It features Eriq Neale about the latest book in the SBS family, "SBS Unleashed".

(with the caveat that I wrote two chapters in the book so, as usual I'm going to be a smidge biased here)

Someone asked in the blog yesterday as to why they needed this one if they already had the others, well, for one, if you have, or are thinking about adding ISA 2004 to your product line up, this is definitely the book on that as no other book has the "ISA Diva" Amy Babinchak in it.  Then, it has Eriq's own Mac integration specialties in the book.  There's no other 'interop' book in the market.  So if you have that one client with a Mac, or are starting to get questions about adding Macs to your SBS network, this will be your bible.  It's got a chapter on patching and WSUS which isn't in any other book, that I think, to get ready for R2 that will have WSUS in it.

But listen to Vlad's show as to why, I think, that one can never have enough SBS books. 

Sam the SBS Server says "Merry Christmas and Happy Holidays" to the SBS Community

We welcome Sam the SBS Server to our blog for a special Christmas interview....

Q.  Hi Sam, Merry Christmas!

A.  Merry Christmas to you!

Q.  So are you ready for the holidays?

A.  Just having my owner take an offsite backup, log files look good, disk space very nice, daily email says I'm looking good.

Q.  Sweet!

A.  So you have your Christmas shopping done?

Q.  Uh..no... I think I might have to see if there's any late online bargains as I have a few folks to shop for.

A.  Online shopping is cool...

Q.  Yeah, so Sam, I'll let you lead this interview as I think you said you wanted to wish some folks a Merry Christmas.

A.  Yes I do.  There's some very special folks out there that I'd like to take the opportunity to thank.  First off, right back to SeanDaniel.com I'd like to wish a Merry Christmas to the fine hardworking folks that gave birth to me, the SBS Product Team.. 

Q.  They are a pretty cool bunch of folks, aren't they?

A.  Yes they are.  Then there are the gang of the SBSPodcast team.  Man they have really rocked this year with all of their hard work and expertise that they have been giving to the community.  So much so that I've heard some folks say that they wished other teams did the same thing and provided the deep technical dive like they do.

Q.  That is an excellent resource isn't it?

A.  Oh, no kidding. 

Q.  You have other podcasts done about you, right?

A.  Yup, Vlad Mazek, Chris Rue and Susanne Dansey have been hosting a wonderful SBS podcast called SBSShow.com.  So good in fact that the two shows on Disaster Recovery even got a shout out on a SANS.org newsletter.

Q.  Wow.... that's really cool!

A.  No kidding.  Then I'd like to really wish all the Microsoft partners that either have already stepped up to the plate and gotten the Small Business Specialist credential or are in the process of getting that.  Knowing that there are folks that want to indicate to their customers that they specialize in Small Business is really cool.

Q.  You have a lot of great community members as well.

A.  Oh, no kidding ...from Eric Ligman and the gang at Mssmallbiz.com to all the guys and gals of the TS2 community, I hope that everyone realizes all the really cool energy of all of these groups that support the Microsoft Partners.  Now I must admit that I'm based in the USA, so I don't know all the cool people all over the world, but the ones I know locally here are really cool.

Q.  You even have international partner groups don't you?

A.  Oh yes, it's pretty amazing, I have folks around the world at www.sbsgroups.com.  Much of this energy started from the Community that came out of www.smbnation.com and it keeps growing and growing.

Q.  It is pretty amazing how world wide your SBS family is isn't it?

A.  Yes it is, I have people around the world that care for me and watch out for me, from Marie in Charlotte to Wallace and the gang in Shanghai, I have a worldwide community of folks that take care of me.  But remember you get all of this if you are a registered Microsoft Partner.

Q.  Does that cost?

A.  Oh no, that's a free sign up to all those resources and benefits.

Q.  Oh wow.

A.  Yeah it's pretty amazing....there are just so many people that do so much out here... I just know I'm going to forget someone, so consider this a "Thanks" and "Happy Holidays" to all of my community members out here all around the world!  Happy Holidays to all!

Q.  You do have an impressive community out here.

A.  I do indeed......so I'd better let you get on with your Christmas shopping... hey ...what are you doing?

Q.  Uh... I was going to use you for some online shopping.  Mind if I borrow your Internet Explorer and do some online shopping?

A.  Yes I mind, very much so.... you know the rules, you don't surf on me. You've got your own laptop that you've got Internet access to that I've given you rights to, you know better than to use me to surf on.

Q.  Oh... yeah....sorry... uh... sorry Sam... Merry Christmas Sam.

A.  and a Happy Holidays to you and all of the folks that care about me....

Need some reading for Christmas?

The SBS Unleashed book is now out, but I still haven't gotten mine from Amazon.com.  (With the disclosure that I wrote two chapters in this book) If you are building a SBS 2003 sp1 box 'today', this is the one...the only one in fact that covers SBS 2003 sp1 and does it justice.

 

There were so many times as I was reading the chapters that I kept saying...Oh I didn't know that....Not sure if it's in bookstores yet...and I know that I haven't gotten it from Amazon yet.

Vmware versus VPC

I've been building some virtual boxes lately for testing purposes and I gotta say that first off I'm more comfortable with Vmware than VPC.  I'm a subscriber to the VMWare subscriber bundle and have used the Vmware virtualization products longer.  But due to some issues I had where Vmware was not liking the version of a DVD encoder program, I downloaded VPC to try that.  Now either I set up something wrong, but the installing and loading of the operating system on VPC versus VMware is vastly different in my experience.  VMware was nearly like a real machine install with an average of about 2.5 hours... whereas Virtual PC... I swear it sat at 9 minutes to go for about an hour.

After I got the security update for VMware and the update for the DVD encoder software, VMware worked a lot better and I'm back to that platform to build my virtual machine.  Once you build an image, I'd make sure you back it up and snap an image so that you can reuse it without having to go through the hours of building that server.

Patching Webcast for your viewing pleasure

For Chris Rue's Alabama SBS Partner group I did a webcast on Patching/Patch Management with special emphasis on WSUS and SBS.  The recorded session is here: 
View Recording

Recording Details

    Subject:              Patching your network - how to get started
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         B3H4JQ
    Attendee Key:         N"}P_8b
If you want the slide deck, it's at www.sbslinks.com/WSUS/WSUS.ppt 

Year end review...how was your year in Security?

Microsoft and Computer Security in 2005: Real progress was made by Microsoft and its industry partners in 2005.:
http://www.microsoft.com/presspass/features/2005/dec05/12-21Security2005WrapUp.mspx

Forget that Diet: Microsoft Encourages Consumers to Resolve to be More Secure Online in 2006: Q&A: Amy Roberts of Microsoft’s Security Technology Unit discusses the “Protect Your PC in 2006” resolution and other Microsoft consumer-security efforts.:
http://www.microsoft.com/presspass/features/2005/dec05/12-20Security.mspx

--------------------------

As we close the year... think of your security related issues in 2004 versus 2005

How was your year?

Better?
Worse?
Why?

(and please comment to the blog as I'd love to see your thoughts)

Quickbooks update [for those suffering through 2006]

This alert includes two important notices:
1) QuickBooks 2006 Release 3 Available
2) Modified QuickBooks ProAdvisor Technical Support Hours on January 2, 2006

QUICKBOOKS 2006 RELEASE 3 AVAILABLE


***** KEY INFORMATION *****

Audience Affected: QuickBooks ProAdvisors and/or their clients who have installed or will be installing QuickBooks 2006.

Action: Follow steps outlined below

QuickBooks 2006 R3 update is now available to you and your clients for download.  In this release we have fixed several issues that are rare and affecting an extremely small number of our QuickBooks 2006 customers but were troublesome on those occasions when they did occur. 

Specific R3 modifications include:

* "Connection Has Been Lost [99937]" error message related to network installation has been updated.  The occurrence of the Connection Lost messages should be greatly reduced.
* Error 1911 (Desktop icons turning white or missing after installing QuickBooks 2006) has been eliminated.
* C=224 errors should no longer appear when making a backup.
* Icons listed in the Navigation portion of the Icon bar can be removed or edited.

It is important to note that the file structure for R3 has not changed from previous releases of QuickBooks 2006.  What this means is that regardless of which QuickBooks 2006 release you or your clients are using, your clients' files will be compatible with the QuickBooks 2006 release that you are using. 
For a complete list of the changes to QuickBooks included in the R3 update, see the release notes located at the following link: 
http://www.quickbooks.com/support/index/ndxw_15_update.html

***** How to Access R3 *****

There are three ways for you and your clients to install the R3 update:


QuickBooks 2006 is already installed:

1. If Auto Updates is turned on:  The next time you or your clients open QuickBooks 2006, if you have an open internet connection that is not being used, R3 will most likely be downloaded to the system automatically.

2. If Auto Updates is not turned on or the patch was not automatically downloaded:  You can manually download the R3 update into QuickBooks by following these steps:

a. From the Help drop down menu select Update QuickBooks
b. Click the Update Now button in the Update QuickBooks dialogue box.
c. Click the Get Updates button.

QuickBooks 2006 has been purchased but not yet installed:

3. If you have not installed QuickBooks yet, and you want to use Release 3 to install, you can download the updated QuickBooks program file at
http://www.quickbooks.com/support/updates.html 
You can then use the License and Product numbers that are on your QuickBooks 2006 box to complete the installation. If you have any questions you can contact technical support at (888) 333-3451.

MODIFIED QUICKBOOKS PROADVISOR TECHNICAL SUPPORT HOURS ON JANUARY 2, 2006

The ProAdvisor Technical Support Team will be open modified hours on January 2nd.  Hours of operation for that day will be 7am to 4pm Pacific Time (10am to 7pm Eastern).

Loaded up Exchange 2003 sp2? Enable those updates!

You Had Me At EHLO... : Intelligent Message Filter Updates:
http://blogs.technet.com/exchange/archive/2005/12/14/416070.aspx

How to update the Intelligent Message Filter version 2 in Exchange Server 2003 SP2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;907747

...okay ... I gotta say this about the features and functions in Exchange 2003 sp2....

I gotta reghack myself up to 75 gigs.... I have to manually enable IMF..... now I have to manually enable updates through the registry?

Exchange team?  Do you not like gui or something?  What's up with the registry hacking in that platform for this stuff?  I'm a GUI gal... I got a decent video card in the server.  Why not use it and build something more GUI to support this? 

And ... where is this detailed in a downloadable release notes on the web?  I only have one Exchange server and the fact that I have to load it [and it's not uninstallable mind you] in order to get to the online only help file I think is asking a lot of us SBSers ... at least those of us who'd like to read and understand before deploying it on our one and only Exchange server.

You don't want spam? You want to listen to this podcast

You need to listen to this podcast and check out the articles on Vladville.com regarding Spam prevention

The Official SBS Support Blog : Inside SBS Episode #13 - Spam Prevention on SBS 2003:
http://blogs.technet.com/sbs/archive/2005/12/20/416320.aspx

I screwed myself up

You know the other day when Mr. Murphy visited my firm and the boss didn't have access to CompanyWeb?  Chad thinks I might have done this to myself by cleaning up the Sharepoint templates out of my "Shared Workspace" contact section.  You see I didn't like those templates showing up in my Live Communication Server fed contact list so I took them out... in doing so... we think I broke the wizard template that adds a user automagically to Companyweb.  I'll be setting up a couple of new users and we'll see if this is indeed what I did.

 

There are times that technology doesn't like me

So I'm trying to build a new VMware version of a SBS 2003 sp1 image to play with as I built the old version too small... so I go to clean up my old images and I deleted the vmware images... and I go to build a new one with a larger drive space and every time I get to a certain spot it blows up on me... not blue screen mind you... but total power off black screen.

Microsoft Online Crash Analysis - response:
http://oca.microsoft.com/en/response.aspx?SGD=3405b86d-cd0f-4bc4-9c86-053d10474daf&SID=234

And I've just downloaded InterVideo 7 but that doesn't seem to be helping...oh well... maybe I'll try vpc or something.... what's weird is how it worked before when it was an 8 gig virtual SBS, but now that I'm trying to make it a 20 gig virtual SBS it keeps blowing up.

Oh well... I always have my spare baby server that I can load this up on if need be....

 


 

Summary of Quickbooks 2006

-------- Original Message --------
Subject: [smallbizIT] Summary of Quickbooks 2006 problems
Date: Tue, 20 Dec 2005 15:47:59 -0800
From: James C Counts II, CPA



Summary of Quickbook problems

The following is information I have from various sources on some
problems with the Quickbook programs.

Where I have comments from others on where they got the information or
if they had the problem themselves I have mentioned.

I encourage anyone that has more up-to-date information or some
correction to anything I have said to let me know.

I have not as of yet installed any 2006 Quickbook programs so I
personally have not had any of these problems except one that concerns
needing Administrator rights in order to run the program. This issue has
been an ongoing issue with Quickbook programs.

So in no particular order are the issues I am aware of:


1. Quickbooks 2006 crashes the computer - At time of installation of
Quickbooks 2006 the computer crashes. Currently we do not know why a
particular computer (Intuit may know but I have not heard) will crash
while other computers will not crash. It appears that the errors are
based on problems when the program is making changes to the computer
Windows registry. If someone wishes to install 2006 for any reason they
should do a complete backup of any computer in which they wish to
install QB2006 and do it prior to doing the install so that they will
not lose any data or files on that computer if it should crash. I have
heard that some recommend that just a full backup of the registry will
allow a restore of the computer. This backup of the registry is not
creating a restore point in Windows but doing an actual backup of the
complete registry. It appears that the computers are crashing when
QB2006 is installed so once you are installed and you can still use the
computer then you are past this issue. I suggest you read further on
other issues once it is installed.

History of identifying the problem - In an email forwarded to me on Dec 6
2005 and the email started from ADP (the payroll service used by
Microsoft for SBA) stated "I wanted to relay a message regarding
QuickBooks 2006. An accountant in San Diego had a client purchase the
QuickBooks 2006 version and unfortunately discovered that there is a
dangerous glitch in the software. This version crashed the client's
computer and was unable to get any files off the computer. The
accountant called Intuit and the President of Intuit said that there
have been close to 1000 computers crash, but Intuit still hasn't taken
the software off of the shelves." Comments made by others that the
sender was a reason not to consider this a valid statement but now it
does appear to be a valid problem.

On Dec 7 2005 I received this from Larry Hess, CPA of Albuquerque, NM
and he states, "... I have been able to confirm with someone inside
Intuit that the problem does in fact exist. Oddly, it apparently didn't
appear during the beta test phase. And, if it doesn't happen upon the
initial installation of QB2006, it won't. The best advice to someone
whose installation has failed and rendered their computer virtually
useless, is to call QB support, who are familiar with the problem. Make
sure the call is escalated to tier 2 or tier 3 support, although that
should happen automatically. As of now, there isn't a fix; and, maybe
not even an understanding of the cause of the problem. I understand that
Intuit has taken some fairly extreme measures to help affected customers
recover from it." Also in a second email that same day he further adds,
"I can add that they said the problem messes up the registry not the
hard drive or files other than the registry. One rescue approach
apparently can involve lengthy editing of the registry. So, I think a
bootable copy or mirror of the entire hard drive prior to installation
of QB2006 would be the best insurance. By the way, if any beta testers
are reading, so far no beta testers have encountered the problem when
installing the production release."

On Dec 8 2005 Larry Hess, CPA further reports, "For those who are
wondering whether or not to install QB2006, one further piece of advice:
Make a backup of the full registry (better than setting a restore point
in XP) before installing QB2006. If the install causes Windows to go
bad, Intuit Support can easily (they say) help you recover."


2. Quickbook needs local workstation Administrator rights in order to
run. - Currently Intuit says that this will be changed in the 2007
program. This issue is an ongoing security issue as malware can install
programs on that computer. The Administrator rights I am talking about
is the Windows user needing Administrator rights. The user of the
Quickbooks and from inside the program may not be an administrator but
to get into Quickbooks that person needs to have Windows Administrator
rights.

History - SANS NewsBites - Vol: 7, Issue: 59:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=59#315
In response to Newsbites' recognition, Brad Smith, senior vice president
of QuickBooks, confirmed on December 2, 2005 that this problem will be
fixed in the next major release (QuickBooks 2007), scheduled for
delivery within 12 months. One of the main issues with needing Admin
rights is that "You are administrator on your machine and that means
that malware can easily get in too." Jesper's Blog : Malware and
administrative rights:
http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx


3. Multi-user Mode Quickbooks 2006 - Problems this year for
multi-user use of the program. It is recommended the program be
installed on the server.

For a good article on installing Quickbooks 2006 for multi-use see
http://www.cpa911.com/installqb2006.pdf

History - From a Tech listserve one of the techies posted on Dec 7 2005 that
"... QuickBooks 2006 will not switch to multi user like previous
versions. I have found out I have two choices; first to install
QuickBooks 2006 on the SBS2K3 server or second it has a new alternate
mode a workstation needs to start up switch to multi user mode then
remain logged on until the other workstations running QuickBooks 2006
are finished. The alternate multi user mode is a pain, but workable."
and then later he further posts that "It is the premier edition. I
called QB tech support and the 'script' also said to install it on the
server. Also this version is running much slower than previous versions.
Especially in single user mode." Then the next day this individual
posted that "I just finished a support call to my client that is having
QuickBooks 2006 problems that I wrote about on the SBS list Wednesday. I
did not install QuickBooks on the SBS server, but the data files are
located in a server network share. The interesting thing now is that
when my client is using QuickBooks 2006 in the back office it is taking
down their Retailer POS terminals." He began considering reinstalling an
earlier version of Quickbooks because of the problems. But another
individual posts that "The 2006 is a brand new Sybase SQLanywhere
database version and it's not roll-back-able."

Later another techie responds "I had a client with the same issue, she
worked with Intuit for 2 days to get the alternate method to work but
could not and they said she would have to put it on the server. I
advised that as it is a new version and untested that I did not
recommend it and could not guarantee that it would not cause issue."

Another posting by a techie was, "I could not agree more. This is not
Enterprise, but Premier. I hate telling the client that every time they
use this software in multi user mode they have to start it on one
workstation switch to multi user mode then make sure to not log off that
workstation until the other users are finished with the day. I see all
kinds of issues. I would recommend to roll back to 2005 but the data is
in 2006 format and that would mean reentering the data."

It was posted that you can read more on this problem at:

QuickBooks Forums - Avoid QB 2006 network install:
http://quickbooksusers.com/.forums/showthread.php3?s=48e017ffa5e6cdd3e18a2790ca4c86d3&threadid=16247



To read an article on how to install see
http://www.cpa911.com/installqb2006.pdf

Further it was stated, "Do watch out for the network install... it's
like SBA (Microsoft Small Business Accounting) and has to be installed
'on' the server now."

On Dec 19 2005 these comments were made that state, "I had my first
install of qb2006 last week onto an SBS2003 box. I could not get the
remote computers to open the company file on the server unless the
server actually had quickbooks running with the file open, from reading
the docs it seems like that should not be required, anybody else run
into this problem, the error I was getting was that the file on the
server could not be opened, to try and open the file on the server and
try again. with the qb open and running the file on the server it works
fine on the remote computers." Another techie points out to solve the
problem he stated, "The fix is to give the quickbooks service account
full control of the directory where the quickbooks data is residing.
Also, the quickbooks service account should be excluded from the password
policy. The account should be set to 'password never expires'. After you
make the rights assignment you will need to stop and restart the
quickbooks service."

This is another security problem for any computer running that way. It
was stated that, "Gawd bless it...this is worse than local admin rights
in my book now that they are having me hack up my server rights." She
further states, "When Accounting software is requiring this to be shared
out on a network....quite frankly I'm getting a bit embarrassed by the
lack of security planning and coding in our accounting applications. Is
everyone aware that SANS listed Quickbooks as their first ever inductee
into the Local Admin hall of shame?"


4. ERROR: Connection Has Been Lost [99937] - When connecting to the
company data file. As you may know, QuickBooks 2006 and Enterprise 6.0
are using a new network based database. This means that the programs
rely heavily upon network connectivity to access the QuickBooks company
file and to provide Multi-User access. Error 99937 is a generic error
that will occur if the connection to the company file has been lost.

SOLUTION #1: Restart QuickBooks

If this is the first time you have seen the error after connecting
successfully in the past, restart the computer where the data file is
stored and re-open the QuickBooks company file on each of the other
computers. This will resolve most temporary network issues.

SOLUTION #2: (Most Common) Configure QuickBooks 2006 for Multi-User Access:

http://recp.proadvisors.intuit.com/ctt?kn=2&m=135510&r=OTkyNzkyODEzS0&b=2&j=NTEwMTgwMzES1&mt=1


SOLUTION #3: For more information on resolving this issue:

http://recp.proadvisors.intuit.com/ctt?kn=1&m=135510&r=OTkyNzkyODEzS0&b=2&j=NTEwMTgwMzES1&mt=1


Possible Causes include:

- The network connection to the host computer was interrupted. (For
example if the host computer has been shut down for the day.)

- The QuickBooks database manager (QBDBMGRN.EXE) on the host computer
was unexpectedly terminated.

- The QBDataServiceUser on the host computer does not have sufficient
permissions to the folder where the company file is located. This is the
user created by QuickBooks during installation that allows the
program to successfully connect to the data file over the network.


History - This is the broadcast email QB put out last week to alert
proadvisers of this problem. Audience Affected: Some ProAdvisors and
clients installing QuickBooks 2006 and experiencing "Error 99937" or
"Error 1911" Action: Follow important steps outlined. A very small
number of customers installing QuickBooks 2006 and Enterprise 6.0 have
experienced a few issues of which you should be aware.


5. ERROR 1911 - Error 1911 during installation (or Desktop icons
turning white or missing after installing QuickBooks 2006/Enterprise 6.0)

This issue is extremely rare, and it appears to be caused when program
associations within the operating system are lost. This may be caused
by viruses, corrupt files, or failing hardware. We are actively
investigating at this time.

If you experience this issue, where you get white or missing icons on
your desktop, please do the following:

-- don't go past this point, and stop installation immediately
-- run a virus scan
-- contact technical support immediately at 888-333-3451

History - this is from the same QB broadcast email as mentioned under
item 4 above.


Conclusion

So it appears that the 2006 version of Quickbooks has several
installation and running problems that users of Quickbooks should be
aware of before upgrading and installing this latest version.

Some have said they do not recommend that their clients upgrade to 2006.

For the professionals we may not recommend to our clients to upgrade but
if any one client does then you will be forced into upgrading just to be
able to support that client.

Depending on these problems it is a question if Intuit can issue a "fix"
for 2006 to solve these problems.

So buyer beware and to be safe professionals may wish to consider not
recommending their clients upgrade.

Of course another solution is to see if the Microsoft SBA (Small
Business Accounting) will meet their needs. (P.S. I have no relationship
with MS other than having their programs - I get nothing for people
buying or switching their programs.)

So have a nice day.

Jim

--
James C. Counts II
Certified Public Accountant
Certified Trust and Financial Advisor
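The message above quotes a fix that gives the QuickBooks service account full control of the data folder and a non-expiring password, and lists missing permissions for QBDataServiceUser as a cause of error 99937. The following added example (not from the message, Intuit or Microsoft) checks both conditions from saved `icacls` and `net user` output; the folder `D:\QBData`, the host `SERVER01`, the list of expected writers and the sample output are constructed assumptions.

```python
import re

SERVICE_ACCOUNT = "QBDataServiceUser"      # account named in the message above
EXPECTED_WRITERS = {                        # assumption: accounts allowed to write
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER",
}
WRITE_RIGHTS = {"F", "M", "W"}              # icacls simple rights: Full, Modify, Write

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Parse `icacls <path>` output into [(principal, set_of_rights)]."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first ACE shares a line with the path
        match = ACE_RE.match(line)
        if not match:
            continue                          # blank lines and the summary line
        groups = re.findall(r"\(([^)]*)\)", match.group("flags"))
        if "DENY" in groups:
            continue                          # deny entries grant nothing
        aces.append((match.group("who"), set(groups[-1].split(","))))
    return aces


def audit_data_folder(icacls_output, path):
    """Return [(principal, issue)] for the company-file folder's ACL."""
    findings = []
    service_ok = False
    for who, rights in parse_icacls(icacls_output, path):
        account = who.rpartition("\\")[2]
        if account.lower() == SERVICE_ACCOUNT.lower():
            service_ok = service_ok or "F" in rights
            continue
        # Anyone else who can write to the folder can alter the books.
        if rights & WRITE_RIGHTS and who not in EXPECTED_WRITERS:
            findings.append((who, "unexpected write access"))
    if not service_ok:
        findings.append((SERVICE_ACCOUNT, "lacks full control"))
    return findings


def password_never_expires(net_user_output):
    """True when `net user <account>` output reports a non-expiring password."""
    for line in net_user_output.splitlines():
        match = re.match(r"\s*Password expires\s+(.+?)\s*$", line)
        if match:
            return match.group(1).lower() == "never"
    return False


DATA_PATH = r"D:\QBData"                    # constructed folder name
LOOSE_ACL = "\n".join([                     # constructed sample: Everyone has Full
    r"D:\QBData NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    r"          BUILTIN\Administrators:(OI)(CI)(F)",
    r"          SERVER01\QBDataServiceUser:(OI)(CI)(F)",
    r"          BUILTIN\Users:(OI)(CI)(RX)",
    r"          Everyone:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
READ_ONLY_SERVICE_ACL = "\n".join([         # constructed sample: service can only read
    r"D:\QBData BUILTIN\Administrators:(OI)(CI)(F)",
    r"          SERVER01\QBDataServiceUser:(OI)(CI)(RX)",
])
NET_USER_OUTPUT = "\n".join([               # constructed excerpt of `net user` output
    "User name                    QBDataServiceUser",
    "Account active               Yes",
    "Password expires             Never",
])

if __name__ == "__main__":
    print(audit_data_folder(LOOSE_ACL, DATA_PATH))
    print(audit_data_folder(READ_ONLY_SERVICE_ACL, DATA_PATH))
    print("non-expiring password:", password_never_expires(NET_USER_OUTPUT))
```

A non-expiring service password is a standing policy exception, so a `True` result here is something to record and review rather than an error by itself.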

Call me wacko but the sight of this thrills me ....

Windows SharePoint Services components may be deleted after you reinstall the Intranet component of Windows Small Business Server 2003 SP1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;909988

Look at this... it's our first automagically deployed SBS critical patch... isn't that COOL!  Do you realize how long and far we've come from the day I sat across from folks and explained to them how patching was one of the worst things I did on the SBS 2000 box?  Do you realize how far we've come from when I first read about a 99 page white paper from Jeff Middleton who suggested that patching needed to be done monthly?  Do you realize how far we've come from when Jeff explained the qchain process and the dependencies and how it was a mess?

We've come a long long way.....and yes.. that patch is SBS approved [pretty obviously SBS approved since it's specifically for us]

So my sister says.....

So the Eriq Neale SBS Unleashed book shows up today and I'm flipping through the pages...which looks really cool by the way.... and she reads the title  "SBS 2003 Unleashed" and she says......

"SBS 2003?   Isn't that old?"

I nearly started laughing....this is something that we had talked about that the VAR/VAP would get but the business owners wouldn't.  They don't get that a book called SBS 2003 Unleashed that is based on SBS 2003 sp1 is 'indeed' the latest book on the latest version of that operating system.  That it is the most up to date.  There are times that mere words make a customer get a view of the product.... and right now ...my sister thinks I bought an old book.  :-)

Mr. Murphy - Zero - Me and Microsoft support WINNERS

Mr. Murphy lost today... I got my workstation fixed...it was the WEIRDEST thing as the login for the person having the problem was not working with the right permissions to companyweb.  And I checked the default web permissions....and I reset the users permissions...and I..... well I checked everything but the right thing.

For some reason this user was not an authorized user at all for Companyweb.  Binu opened up a live meeting/shared session and drilled down in the Sharepoint Companyweb Console....and there.... buried under there was the fact that that one user was not set up as a Sharepoint user.  Now how that happened.... I have no clue.....

But just goes to show you ....

If you've

  • Checked user permissions
  • Checked the web site permissions
  • Checked that it works for another user

Go to another workstation, log in as that user and if that doesn't work...double check and make sure that the user is set up to access Sharepoint as a user in the first place under the Sharepoint console.... it could be something as dumb as just that....

SBSShow and way to go Vlad

SBSshow number 10 is online 
http://www.vladville.com/sbsshow/2005/12/sbs-show-10-sbs-weekly.html

Along with the "hey Vlad, way to go!"  blog post ...of course like I was telling HappyFunBoy on IM... with 8 years of dating?  Girl.. you've got community property rights already built up in him.

;-)  We beancounters think of such things you know....

Congratulations to you both.... and a wonderful place to pop the question as well.

Andy Goodman SBS Live Chat tomorrow

http://chat.mcpmag.com/chats/default.asp#chat

Tuesday
12/20/05 - 4:00 PM
(16:00 PST)

Tomorrow at 4 p.m. Pacific join our own "Handy Andy" as he leads the SBS Live chat with all your SBS questions!

Mr. Murphy at work again

So I'm loading up a new Dell computer at the office and I connect it to the network via http://servername/connectcomputer as I've done so many times and I go to change the home page away from http://companyweb [as it's a little slow to pop up and folks like msn.com anyway].... and wouldn't you know it.... I've been beating my head on this one screen for hours now.

DNS/DHCP is coming off the server, everyone else can log into companyweb just fine throughout the entire office, I can log into companyweb just fine using another profile on that one workstation..... it works just fine on the existing computer.......but not with THAT user account on THAT new workstation.

I've reset the permissions on that user account

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: user

Source Workstation: Annoying_computer_that_I'm_about_to_throw_through_the_window

Error Code: 0x0

And nothin...... it acts like the three login/permission on the entire web site issue...but the perms on the web site look good.

There are times that Mr. Murphy loves to play head games with us, doesn't he?  It would be the boss' new computer too wouldn't it?

...off to google... I'll let you know what the resolution was..if ...the computer survives that is....

Sometimes it's embarrassing to be an Accountant

Truly there are times that when I'm at geek events I drop the "CPA" credential because second only to Attorneys, my profession has a reputation of being behind on technology.

These days I'm embarrassed as well by the Accounting applications... between ones that won't support patches past a Security patch in 2004, to my favorite poster child of Quickbooks that to this day requires local administrator access, for a profession that prides itself on Accountability and SOX and all that control stuff....we sure don't know how to code up an application worth beans.

So in addition to the information here on how to get Quickbooks to share data on a server, and here, Stefan reports on the smallbizit listserve that to get the program to share out properly, he had to give the Quickbooks service account full control of the directory where the data is residing.  Also he had to exclude the service account from the password policy and set it to 'password never expires'.  Then you had to stop and restart the service.

Okay so I don't know about you but the fact that with a $39.95 password cracker program from www.elcomsoft.com I can hack the passwords of Quickbooks in mere seconds, the fact that they still require local admin rights in the 2006 version, that they won't even address the local admin issue until 2007, doesn't give me all warm fuzzys that that application is sitting on my domain controller.

When is the backbone of business, the accounting application, going to step up to the 'secure coding' initiative here?

Guys, this is embarrassing when it's the accounting applications leading the pack here.

Setting up automatic updates

This blog post started when someone insisted that Windows update 'forced a reboot' on a system, and I argued that it did not.  Sometimes I wish there was a handout with each new computer that would in picture format explain exactly how to secure a system, how to patch, how the process worked...because I think there would be a lot less folks thinking that Microsoft 'forced' things on people.  BTW the entire content for this post came from inside the help file of an XP SP2 machine.

Options for setting up Automatic Updates on your computer

To choose when and how updates will be delivered to your computer, you have four options:

Automatic (recommended)

When you are connected to the Internet, Windows finds and downloads updates in the background—you are not notified or interrupted during this process and the updates do not interfere with other downloads. If you do not change the default schedule, updates that have been downloaded to your computer will be installed at 3 A.M.

If your computer is turned off during a scheduled update, Windows will install the updates the next time you start your computer. If you need to help complete the installation process, Windows will notify you. For example, you might need to accept an End User License Agreement (EULA) before some updates can be installed. If you need to restart your computer for an update to take effect, Windows will notify you and will restart your computer at the scheduled time.

Download updates for me, but let me choose when to install them

To receive alerts, you must be a member of the Administrators group for your computer. When you are connected to the Internet, Windows finds and downloads updates in the background—you are not notified or interrupted during this process and the updates do not interfere with other downloads.

After downloading is complete, the Windows Update icon appears in the notification area and an alert pops up, letting you know that the updates are ready to be installed. To review and install available updates, click the icon or the alert. You can install all or some of the available updates.

Notify me but don't automatically download or install updates

To manually download and install updates, you must be a member of the Administrators group for your computer. Windows checks for important updates and notifies you if any are available; updates are not delivered or installed on your computer until you choose to do so. When Windows finds updates for your computer, the Windows Update icon appears in the notification area and an alert pops up, letting you know that updates are ready to be downloaded. After you click the icon or the alert, you can select some or all of the updates to download.

Windows downloads the updates in the background—you are not notified or interrupted during this process and the updates do not interfere with other downloads. When downloading is complete, the Windows Update icon appears in the notification area again, this time to let you know that the updates are ready to be installed. You can choose to install all or some of the available updates.

Turn off Automatic Updates

You will never be notified when important updates are available for your computer, and you will never be asked to download or install them. This means that your computer can be vulnerable to security threats and harmful viruses that can damage your computer or your files. Viruses can also spread over the Internet to other people with whom you exchange e-mail, share files, or work with on a network.

New viruses and security threats are continually developed by attackers, so helping protect your computer is an ongoing process. If you do not turn on Automatic Updates, we recommend that you regularly install updates from the Windows Update Web site (http://www.microsoft.com/).

Notes

  • To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System.
  • Installing updates before you shut down your computer is another way to keep your computer up to date and more secure. This option is available only in Microsoft Windows XP with Service Pack 2 (SP2), Microsoft Windows Server 2003 with Service Pack 1 (SP1), or an x64-based version of a Windows Server 2003 or Windows XP operating system and only if important updates have been downloaded but not yet installed. Do not turn off or unplug your computer while updates are installing. Windows will automatically turn off your computer after the updates are installed.
  • Only users with administrator privileges may add or remove programs, including Windows updates. It is strongly recommended that you log out of the computer administrator account when you are not performing tasks that require administrator privileges. If you are logged on as an administrator when your computer is the target of a virus or malicious user, the attack can cause extensive damage. For example, it might be able to reformat your hard drive, delete all your files, or create a new administrator account so the attacker can take over your computer. For more information about user accounts and why you should not run your computer as an administrator, see Help and Support.
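
The four options above correspond to registry values, so which one a machine is actually using, and whether it can restart unattended, can be checked rather than argued about. The Python below is an added example, not part of the original post or the help file: it parses `reg query` output for the two Automatic Updates keys and reports the option in effect. The machine names and sample output are constructed.

```python
import re

# Group Policy / WSUS settings live here and override the Control Panel choice.
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# The Automatic Updates tab in Control Panel > System writes here.
LOCAL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

# AUOptions value -> option name as worded in the XP SP2 help text.
AU_MODES = {
    1: "Turn off Automatic Updates",
    2: "Notify me but don't automatically download or install updates",
    3: "Download updates for me, but let me choose when to install them",
    4: "Automatic (recommended)",
}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]
DWORD_LINE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def classify(policy, local):
    """Report the effective Automatic Updates option from the two parsed keys."""
    from_policy = "NoAutoUpdate" in policy or "AUOptions" in policy
    vals, source = (policy, "policy") if from_policy else (local, "local")
    option = 1 if vals.get("NoAutoUpdate") == 1 else vals.get("AUOptions")
    if from_policy and option == 5:  # 5 = policy leaves the choice to the local admin
        vals, source, option = local, "local", local.get("AUOptions")
    report = {"source": source, "option": option, "auto_restart": False,
              "mode": AU_MODES.get(option, "not configured"), "notes": []}
    if option == 4:
        # Missing schedule values fall back to the default: every day, 3 A.M.
        day = vals.get("ScheduledInstallDay", 0)
        hour = vals.get("ScheduledInstallTime", 3)
        day_name = DAYS[day] if 0 <= day < len(DAYS) else "unknown day"
        report["schedule"] = "%s at %02d:00" % (day_name, hour)
        # NoAutoRebootWithLoggedOnUsers=1 lets a logged-on user decide when to restart.
        report["auto_restart"] = policy.get("NoAutoRebootWithLoggedOnUsers") != 1
    elif option in (2, 3):
        report["notes"].append(
            "alerts go to Administrators only; restricted users never see them")
    elif option == 1:
        report["notes"].append("no notification or install; patch by hand")
    return report


# Constructed `reg query` output (machine names and values are made up).
SAMPLES = {
    "FRONTDESK": {"policy": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0x3
""", "local": ""},
    "SERVER": {"policy": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x4
    ScheduledInstallTime    REG_DWORD    0x11
    NoAutoRebootWithLoggedOnUsers    REG_DWORD    0x1
""", "local": ""},
    "LAPTOP": {"policy": "", "local": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    AUOptions    REG_DWORD    0x3
"""},
    "KIOSK": {"policy": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1
""", "local": ""},
}


def audit(samples):
    """Classify every machine in `samples`; returns {machine: report}."""
    return {name: classify(parse_reg_query(out["policy"]),
                           parse_reg_query(out["local"]))
            for name, out in samples.items()}


if __name__ == "__main__":
    for name, report in audit(SAMPLES).items():
        print(name, report)
```

On a real machine, pass it the output of `reg query` run against `POLICY_KEY` and `LOCAL_KEY`.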

Troubleshooting tips from the Partner newsgroup

Just another nagging reminder of why you should be a MS partner if you install SBS boxes....

RECENT ISSUES & TROUBLESHOOTING TIPS
-----------------------------------------------------------
Issue 1
=======

Problem
---------
Folder redirection enabled through a Group Policy. Sometimes, when you
attempt to copy the files to the redirected folders, you may receive a
message that the 'disk is full'.

Cause
-------
Disk quota on the drive which contains the redirected folders.

Resolution
------------
Disable the quota settings: 326212 HOW TO: Manage Disk Capacity and Usage
Using Disk Quotas in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326212


Issue 2
=======

Problem
---------
CEICW fails with the following error in the icwlog.txt file:

Error 0xc0040393 returned from call to Saving ISA2k4 changes().
Some configuration changes were not applied. See the Windows event viewer
for more details. at InteropFPCLib.FPCArrayClass.Save(Boolean
fResetRequiredServices,
Boolean fReloadConfiguration) at
StingrayManagedUtil.StingrayUtil.SaveChangesAndRestartServices()
Error 0xc0040393 returned from call to CStingrayCommit::CommitEx().

Cause
-------
The Firewall Service stopped due to incorrect permission on
%Systemroot%\Documents and settings\All Users\Application
Data\Crypto\RSA\MachineKeys.

Resolution
------------
Assign Full Control permissions to Administrator and System on the folder
and install the hot fix 896495. [free call for the hotfix]
http://support.microsoft.com/default.aspx?scid=kb;en-us;896495

Issue 3
=======

Problem
---------
Unable to send fax to a distribution group. When faxing to a distribution
group, the faxes fail because the "recipient number" is in format: "John Doe
@+1 (508) 555-5555" when selecting a distribution list to send faxes.

Cause
-------
A user changed a contact and the change applies to all the contacts.

Resolution
------------
1. Within Outlook, checked the contact list under public folders - found
that telephone numbers are not in canonical format (+1 [ Area code ]
Telephone number )

2. Within Outlook -> Actions -> Call Contact -> New Call -> Dialing Options,
'Automatically add country code to local phone numbers' check box is already
selected.

3. Exported the contact list to a .csv file. Created a new contact folder
(New Contact List) and imported the data from .csv file to new folder - Now
the phone numbers are coming in canonical format.

4. Created a test distribution list under that. Tried sending test fax to
that new distribution list - all okay.

5. Copied the new contact list to public folder.


Issue 4
=======

Problem
---------
Server Tools failed to install. In the Errorlog.txt file located at
C:\Program Files\Microsoft Integration\Windows Small Business Server
2003\Logs, if you see the following errors, the problem is probably caused by
missing Display Identifiers in Active Directory. The error 0x80072030
actually means "Object not found" as the SBS Setup searches for specific
Display Specifiers.

[MM/DD/YY,HH:MM:SS] Server Configuration: [2] An error occurred while
accessing domain information. Open Active Directory Users and Computers, and
verify that objects appear. Rerun Setup.

[MM/DD/YY,HH:MM:SS] Server Configuration: [2]
CSuiteHelpComponentRoot::PreInstall: RefreshAdmin failed with error
[80072030]!

Cause
-------
There are missing Display Specifiers.

Resolution
------------
Add the missing Display Specifiers by following the section "Rebuilding
Non-English Display Specifiers" in the following article: 308592 How
Dcpromo.exe Adds Display Specifiers to Active Directory Forests
http://support.microsoft.com/?id=308592

If this does not resolve the problem, run the command below to register the
agrpdll.dll, re-run the SBS Setup, as the problem may also occur if the
AddGroup Committer is not registered:

regsvr32 "%sbsprogramdir%\administration\agrpdll.dll"



NEW & UPDATED KB ARTICLES
-----------------------------------------------------------
911595 The My Documents folder is empty after Group Policy is configured to
redirect the folder to a new shared location in Windows Server 2003 or in
Windows Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;911595

889714 Some files are lost after you perform an RIS volume restore in
Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;889714

835734 Many unexpected outbound e-mail messages appear in the SMTP queue in
Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;835734

896424 Microsoft Security Bulletin MS05-053: Vulnerabilities in Graphics
Rendering Engine Could Allow Code Execution
http://support.microsoft.com/default.aspx?scid=kb;EN-US;896424

829114 How to remove and how to install the Windows Small Business Server
2003 SharePoint Services companyweb Web site
http://support.microsoft.com/default.aspx?scid=kb;EN-US;829114

894199 Description of Software Update Services and Windows Server Update
Services changes in content
http://support.microsoft.com/default.aspx?scid=kb;EN-US;894199

911302 Microsoft Security Advisory: Vulnerability in the way Internet
Explorer handles mismatched document object model objects could allow remote
code execution
http://support.microsoft.com/default.aspx?scid=kb;EN-US;911302

908372 You may receive an "Access denied" error message when you try to join
a client computer to a Microsoft Windows Small Business Server 2003 domain
by using the ConnectComputer Wizard
http://support.microsoft.com/default.aspx?scid=kb;EN-US;908372

Knowledge base articles of interest

Description of the Windows SharePoint Services post-Service Pack 2 hotfix package: November 15, 2005:
http://support.microsoft.com/?kbid=900929
You receive a "0x80070002" or "0x80070003" error code after you download an update from Windows Update, from Microsoft Update, or from Windows Server Update Services:
http://support.microsoft.com/?kbid=910336
The My Documents folder is empty after Group Policy is configured to redirect the folder to a new shared location in Windows Server 2003 or in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=911595
You receive a 0x800A01AE error message when you try to connect to the Windows Update Web page or to the Microsoft Update Web page in Windows Server 2003 or Windows XP:
http://support.microsoft.com/?kbid=910359
You receive a "Remote computer has ended the connection" error message when you use the remote desktop connection tool on a Windows XP SP2-based computer:
http://support.microsoft.com/?kbid=898713
The computer disconnects from a wireless network after random time intervals in Windows XP:
http://support.microsoft.com/?kbid=910387

So what's the best Antivirus?

I get asked this a lot... what's the best antivirus for SBS 2003... and to be brutally honest... I'm not sure I know anymore.

You know the other day Vlad made a comment about the Microsoft Blogs being "filtered" and he says that I'm brutally honest..but you know what...there are times that even I hold back until I find out all the facts.  "Power brings with it great responsibility" and the SBS Podcast gang understand that.  So I totally respect that they are not ranty and fly off the handle and do what I do sometimes...just like today... this post is hard for me to do, because I know I have to be brutally honest.

If you would have asked me a month ago what I thought the best antivirus for SBS 2003 was I'd probably have been way less neutral than I am today.  From the 'chatter' on the newsgroups, the spam filtering on the version 3 of Trend's CSM suite, it's just not comparable to the version 2.  That combined with the fact that you have to watch the compression issue on the default web site and that some folks are ending up with Trend's firewall on the workstations [which shuts down traffic] and well... if you are looking to deploy version 3 on an existing 2.0 client... you might not want to do that...... you might want to hold off.... and if you are deploying a new client, you might want to ensure that you get a code that works on the version 2.0 and deploy that one.  Folks are having to install the Exchange IMF alongside the version 3.0.  The issue is how Trend has placed the handling of spam squarely in the hands of the end user in the version 3.0.  The problem is for some firms like mine... we want it centrally managed.  My boss doesn't want to handle the spam, he wants me to.  And while spam isn't exactly virus related...in his mind it is.

So... after hearing Hilton talk about this... and seeing stuff on the web... I think it's time I download some trials and take a look around.  I know that Eriq and Marina love Sophos, and Handy Andy loves Symantec [not the yellow box but the corporate version] ......

so..what's the best antivirus for SBS 2003?  I'll let you know... as I'm not sure....

The UI grab

...so if you've downloaded the patches and not rebooted the computer annoyingly about every 5 minutes or so reminds you that you haven't rebooted....

But here's the problem... on the XP annoying reminder... you can't see that there are two letters that will make the system think you have said "yes, go ahead and reboot"

But you CAN see them on the Server version of the same.

See that "N" and "L"?  So if you are typing away and the Annoying 'Restart now' grabs the focus of the computer on you...and you just happen to type an "N"...guess what... there goes your system with anything you had open and running at that time and it's rebooting whether you like it or not.  Now on my laptop, if a patch has come down, I've opted on shutdown to choose the "don't install" but on shutdown there is an "install on shutdown" when the system has been set to detect patches.

I don't think all these choices are made clear enough, because so many people think that these options are forced on them...and they aren't... they just don't understand what they are 'opting' into, that's all.

Well I'm patching the server in my jammies today

I had patched all my workstations earlier this week [remember ... I put Internet Explorer on high priority on the workstations, low priority on the servers] and this time I did it via Microsoft update versus my normal Shavlik just to point out a few things as a follow up to the Patching Podcast

First off... remember I said I always do the "High Priority" updates... this month the server needs the IE update and the fixer for the update mechanism.  I also do the monthly software removal tool.  Did you see the article that more of the malware found by that cleaner tool is rootkit based stuff these days?

I sometimes might do the optional... since I have no apps at this time that need .Net Framework 2 or Smart Card... there is no need at this time to add those.  I never ever do a driver from Microsoft update, but I do use it as an indicator that I need to go to the HP website and find a new one.....

Uh..note to self... go to HP and look for update NIC driver...

And the thing that I never do is the following setting:

See that "Automatic and install them automatically" [and thus force a reboot]?  I never do that.  Now Chad and others do select the "Download updates for me, but let me choose" which ends up with an icon in the system tray that looks like this:

So then, when you are ready you can click on the button and install the patches, but just be ready to reboot as the system will remind you that you are not fully patched unless you reboot for certain patches.  Rebooting isn't mandatory for all patches, but this month, to be protected you need to reboot.

Embracing our Spots.

You see that down there?  Windows Small Business Server in the Microsoft Update category?  Do you have any idea how cool that is to see that down there...ready to go... ready for any patches that are unique to SBS.

You know sometimes I think we SBSers argue so hard [too hard] that we are just like our big brother servers.  And you know what.... we're not.  And that's okay.  We have unique stuff just to us and they don't.

So make sure you flip yourself over to Microsoft Update by going to Windows update and on the right hand side clicking on the button to switch to Microsoft Update and get all tingly when you see that "Windows Small Business Server" category.

What's on your To Do List?

What's on your client's ToDo lists next year?

  1. Disaster recovery/business continuity
  2. Employee awareness programs
  3. Data backup
  4. Overall information security strategy
  5. Network firewalls
  6. Centralized security information management system
  7. Periodic security audits
  8. Monitoring employees
  9. Monitoring security reports (log files, vulnerability reports and so on)
  10. Spending on intellectual property protection

According to this, This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost.  One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.

Now this is a bit "big server land", but I think even us SBSland folks can take a page out of this. This has been a year of disasters.... we started out the beginning of the year with the tsunami of last Christmas, we're ending the year with the Hurricanes that hit the USA.

Think SBSized... but how are your clients on that list?

So I called and shut down two credit cards today

So as a result of my SB1386 notification, I called and shut down those two credit cards to ensure that they could not be used in any fraudulent transactions.  While there I was checking out some of their fraud protection stuff....

.... I can just see it now... 'Ms. Bradley... we're seeing expenses to Frys, NewEgg, CDW, Amazon, CompUSA and Sephora all on one day... and we think the Sephora has just got to be the fraudulent transaction as all the other vendors are pretty typical transactions.....'

 

Is McAfee [and other preloaded software] a virus?

So it's that time of the year that we look around and ensure our systems are up to date before busy season and get new computers if needed.  So I go and I buy the Dell Optiplex line, this time making sure that I bought the extra PS2 port option which isn't really 'extra' per se at all as it doesn't come standard with the box.

So I boot up, get it up to a workstation mode [before joining the domain] and there's my first lovely Red Mcafee window that hits me in the face.... well...says I.... let's get rid of that since I have the firm antivirus.....and I realize that there's no "x" in the corner to shut down this annoying configuration wizard.  You have to go through about four screens before you can finally get to a place to cancel.  Then to rip it off the box, you have to remove about three McAfee programs that are on the system....and I don't want McAfee in the first place!

The major insult to injury is the fact that in being installed on the Optiplex, it has with its McAfee Security Center, taken over the duties of the XP sp2 Security Center.  Even though the a/v is out of date, there is no little red icon of Windows down in the system tray telling me "I'm screwed", instead there's the 'normal' McAfee red icon that tells me nothing.  So I uninstall that... reboot the machine...and the XP sp2 security center does not restart... I ended up having to restart the box 'again' to get the Red shield down there like I wanted it to be, being the indicator of the patches and the antivirus.  I still don't have my fully functioning antivirus that I want... and everyone that I tell this rant to said "oh just flatten the box, those preinstalled things are like a virus".  But how's the Mom and Pop non geek person going to handle this?  They don't need a McAfee security center... how are they going to follow Microsoft guidance for how Microsoft update and patching works when there's no shield in the corner?  No icon?

Mr. Dell?  I bought this computer.. I didn't give you the right to shove the antivirus that you made a corporate deal with down my throat.  It's getting to the point that I'd pay more for a plain computer, because quite frankly I've had enough of this.

 

Dear Susan Bradley, we are writing to inform you....

We are writing to inform you that on December _ of 2005, we discovered a security breach of our electronic records.  We quickly investigated the incident and determined that in November of 2005, a hacker penetrated our perimeter defenses and obtained unauthorized access to one of our servers, which contained our database of customer records.  That database contained the credit card numbers.......

uh oh.....oh yeah.... one SB1386 notification that I personally got today from a software vendor that.... well... lemme just say that I would be totally freaking if I were in their shoes right now.

Here's what they are doing...they contacted the U.S. Secret Service and are fully investigating the incident.  In the meantime, they deleted all of the credit card data from that database.  They recommended that I call the three major credit bureaus and put a 90 day fraud alert on my account and review the accounts for any unusual transactions, and request a free credit report.  They recommend that I keep a close eye on my accounts for the next several months and report any suspicious activity to the banks.  If I think my ID is being improperly used in any manner, that I should call the Federal Trade Commission at 1-877-IDTHEFT [877-438-4338].

 

Equifax

P.O. Box 740241

Atlanta, GA  30374-0241

www.equifax.com

To request a credit report call 1-800-685-1111

To report fraud call 1-800-525-6285

 

Experian

P.O. Box 2002

Allen, TX 75013

www.experian.com

To request a credit report call, 1-888-EXPERIAN (397-3742)

To report fraud call the same number.

 

Trans Union

P.O. Box 1000

Chester, PA  19022

www.transunion.com

To request a credit report call 1-800-888-4213

You know...sending out a letter to your clients with this kind of information during the holiday season just might be a nice proactive feature to do.  There's a lot of potential for fraud these days. 

Bottom line folks... this isn't a trivial matter and while I know nothing about the underlying nature of the breach, it gets back to the threads of doing all you can to be proactive on security.  I'm not saying that this kind of event is at all likely to happen to a Small Business like it did this much larger one, but folks... if your small business clients are still running things like Windows 98 and Windows NT and they have confidential client data that includes potential identity theft data?  Boy I'd be sitting them down and getting them on XP sp2 and SBS 2003 as fast as I could.

The Screwdriver versus the Forbes Magazine Subscriber

This Christmas, I want you to buy yourself a present.  A book.  Now before you start reading this book, I want you to take this book and flip to the ending.  Don't worry you won't wreck the storyline.  I want you to start at page 287 under the section of "Goals" and take a test.  It will be a quick test.  Now that you've taken it, I want you to start over at page one and read the stories there.

Now ...hang on..before you start reading... I want you to visualize the image of a screwdriver and a Forbes magazine.

 

Got that visualization? 

Now as you read this book, I want you to ask yourself ...if you are a screwdriver or a Forbes Magazine Subscriber.  Time and time again at SMBNation I heard this from a lot of the VAR/VAPs.  They had the "screwdriver" stuff down.  What they didn't have was the stuff in the "Forbes Magazine" side.  The business track. 

Now mind you, all of these people who said this you would have probably thought were quite successful already.  But to get to that next level they had to take stock and figure out their weaknesses and their strengths.

I've seen this before in business books where the point is made that to grow from the "Screwdriver" to the "Forbes Magazine Subscriber" that you have to put down the screwdriver.  That you have to let go.  That we end up hurting ourselves when we try to do both.  Now I'll be honest with you, when I got to that part of the book, I stopped and thought to myself...but wait... do we have to make a choice?  Why do I have to choose between a Business Networking Meeting and a User Group meeting [especially if it's a SBS meeting that has a lot more peer business sharing?]  Shouldn't I, if I am going to be a good "Business consultant" to talk about ROI to the small business owner, should I have at least a small bit of a screwdriver to make sure that when I discuss technology options to a client that I know what I'm recommending actually works?  That I can speak just a little bit from the "been there, done that" side?

Throughout the book, keep that in mind, and ask yourself... where are your strengths?  Where are you stuck at?  Where do you want to be?  

Do you agree that there has to be a choice between a screwdriver and a Forbes magazine?

Go read the book, called "Making it big in Small Business in 2006", and for the record, no I'm not getting any royalties out of this blog post as a result.  But I think, as we end 2005, and start 2006, I think that you should make a present to yourself to take stock of where you are at and where you want to be.

.... and while you are taking stock.....start with page 287.      

Whomever you are Mark, you passed the test

So I was mean today.  You see I called 1-800-426-9400 and punched the numbers to ask for a licensing specialist for small businesses [less than 50 desktops] and I asked "Mark" some questions.  You see ...it was a test... I knew what the answers were... I just wanted to see if the Microsoft Licensing department knew the right answers as well.  Outside of the US, you can call the phone numbers here.

It was a test actually... to see if I could find a resource for 'mere mortals' to find info on MS licensing that was SmallBiz sized.  Now we already have the wonderful information from the Mssmallbiz.com portal but I was looking to see if a customer could find out this info.

So here's what I asked...and what Mark answered:

On SBS what's the first five cals?  Are they user or device?

How can I add SA to the OEM product?

Can OEM software be bought without hardware?  Can I buy it say...with a mouse?

What's the difference between user cals and device cals?  Which one should I choose for the Small Business Server platform?

And Mark, whomever you are, you knew your stuff.  And if somehow this blog post gets back to you.... sorry for being a sneak and putting you on the spot, but I was seeing if I could find a person who had enough SBSized information about licensing.  And Mark did.

Mark said that the first five cals are either user or device cals.  That you decide which way they are.  That all you had to do to add Software Assurance to a product you bought via OEM channel was to add it within the first 90 days after purchase.  He said that to buy OEM software, that you had to buy an entire computer, that it was attached to the system.  That I might see some system builders out there that were selling them with a cord or a mouse because that used to be how some of the wording was, but nowadays only system builders could sell OEM software to other system builders without a 'system' to go with it.  He said that it would be wise to stay away from such places, that I still might see them on the web.  He then talked about User versus Device cals and how, in my Small Business Server which has Exchange, and thus Outlook Web Access, that I might want to pick User.  In fact he went on to say that most small businesses buy "user cals", because we tend to have flexible users that can access things from many devices, but that there might be a time that I would want "device cals" if say... I had 50 desktops and 100 employees and they all used those 50 devices.

Sometimes, just knowing who to contact and get the right information is the key element in success.  I'll give another example of this...a source for buying the licenses once you've figured out what you need that I like is a vendor who specializes in nothing but.  Sometimes I think we end up trying to wear too many hats.  Software Licensing is sometimes [okay a lot] confusing, but I know that I have had a lot less headaches since I've been in the habit of sending off an email to the gang at softwareone.com and just telling them what I want and they come back with the SKU numbers I need.

So how about instead of getting that licensing headache... you instead pick up a phone and make a call.

Say hi to Mark for me, will ya?

The logging of ISA

When I installed ISA 2004 on my server I ended up ...well... due to the fact that the antivirus that I had totally forgot that was on and held IISAdmin up and running, my install kinda got messed up.  So in the process I ended up installing ISA 2004 'cleanly'.

Little did I know that my 'blowing up' ended up turning out to be one of the best things that ever happened to me because I didn't have to go back and tweak as much as those folks upgrading from ISA 2000.

For one, I didn't have to adjust my tcp/ip connections per client as they were already at 160 [rather than the upgrade value of 40].

For two, I ended up with my ISA logging to a MSDE database.  I couldn't figure out why some ...well most ...folks on Dana's ISA dashboard beta survey kept saying they were logging to W3C format and I had a MSDE format.  The reason that 65% of them were running as W3C format and only 35% are running as MSDE is all those 65%'ers were already on ISA 2000 and it just picked up the same database engine as it had before even though it installs a MSDE engine.  The other 35%ers like me either blew up during the install, or they are new SBSers with new ISA installs.  Honestly, even with the memory hog of the ISA/MSDE platform [which is easily stomped on anyway], I really prefer the msde format as ... I think... it provides a lot more flexibility in database mining.

But the good news is that Dana's new beta now supports the W3C format so you can see how cool this is whether you blew up your ISA install [like me] or not.

Solving all the needs

If you haven't seen it before a while back I did a "Us versus Them" page that compared SBS to 'normal' Server.  The other day another person posted in the newsgroup that they couldn't understand why the Server OS was the price it was and SBS...with all those other things on it... was so much cheaper.

Seeing a comment on the SBS blog talking about the SBS 2003 R2 choice of SQL 2005 Workgroup reminds me that the marketplace of SBS serves many people.  For me, and my industry, the very first time I've ever used SQL server was for Sharepoint in the SBS 2003 platform.  Prior to that I didn't even install it. 

The other day a consultant had a problem with a server and it majorly affected active directory.  When he came up for air long enough to reflect on his weekend, lack of sleep and pain to that customer, he asked for one thing...

"I have some concerns about Small Business Server", he said.  "Make it simpler"

So here on the one side of the marketplace is a Consultant who wants less of the complexity, less of the glue, less 'stuff' to make it easy to recover, easy to backup, easy to ensure it's up and running.  And then on the other side is the Consultant that wants all the complexity, all the features, all of the functionality of the big database of the huge platform.

Can't have it all, can we?  And you know what... I think the marketplace will understand the pricing of the platforms that small business can handle and they will choose what platforms they code on accordingly.

I am a small business.  And for now I am very happy to be on the SBS platform and you know what.... there are times that I won't get everything that I ever read about in a glossy brochure.  But you know what?  I know I can't afford a Rolls Royce.  I drive an Acura [it's like a Honda] and that's just fine for my needs. It's a comfortable mode of transportation and I'm quite comfortable in it.

So maybe I'll have to balance a bit of complexity of SBS with not getting a SQL that does an Oracle replication.  Because after all it's my applications that normally tell me what database they want, not me telling them what platform they need to code for.  I think they'll know that in my sized industry to pick the right database. 

But that's just what I think anyway....

Good Enough Security

The blog post is here.

The article is here.

Okay read both? 

The other day in a listserve someone asked about Tools to check the security of a server and he asked if MBSA was good enough....and I said....

Define your role and your boundaries.  If your job is to just look at the security of that server operating system and nothing else then yeah, MBSA would be a good start.
If it's the security of your network, I would argue it's not enough.

All MBSA will tell you is the status of patches and passwords and a few other 'baseline' security things.  In my little SBSland...here's what it doesn't tell me about the security of my servers.

It doesn't tell me if those servers are running Sun Java and need a JRE update [I don't run Sun Java on them for that reason...but in case I had it on my servers it doesn't tell me that]

It doesn't tell me about the patch status of the applications on my box.

It doesn't tell me if I was running Veritas Backup exec that there's a vuln in that.

It doesn't tell me that my AV is either up to date, working as it should, has a vulnerability, etc etc...

It doesn't tell me if someone has compromised my system, has cracked the admin password and is now relaying out spam email out my server.

It doesn't tell me if malware has infested my server and I've now got a back door or root kit that has me owned by some former drug syndicate that is now making more money on malware than it did on drugs.

It doesn't tell me if my Secretary has downloaded something from NakedDancingPigs.com because on average 80 to 90% of my systems are running as local admin and has introduced a trojan into my system.

It doesn't tell me that the sales guy that has the Windows Mobile Audiovox 5600 cell phone just left it behind in the Burger King at the airport and it has on it a domain username and password.

It doesn't tell me that someone used a Kinkos kiosk computer to log in remotely to my network and a keylogger just grabbed a username and password.

It doesn't tell me how many of my staff are VPNing in over unsecured lines, with malware and virus infected machines ready to pounce on my servers.

You know what I think keeps me secure?
Paranoia.

Not tools, but paranoia.

http://www.protectyourwindowsnetwork.com/  is an excellent resource and book I think for kicking up that paranoia.

BTW two security bulletins out yesterday including one for that IE zero day and MBSA will indeed tell you which machines need that.

Number one on 'how to get your network hacked' as per Dr. Jesper Johansson and Steve Riley, NFC, is "don't patch".

Bottom line security isn't about absolutes... it's about balancing risk, isn't it?

Trend needed hotfix to send Perf reports out after V3

Wayne in the newsgroup reports that .....

FYI..There is a patch for Trend Micro V3 which corrects issues with SBS2003 Reports and other not being sent to external domains.

For more information read the thread Trend Micro V3 Issues 12/04/05

 

For  others who may have this issue you need; Client Server Messaging Security 3.0 - Messaging Security Agent Hot Fix - Build 1157

The zip file is; Smex_7.2_11571.zip

 

Which includes; csm_30_smex_72_win_en_hfb1157.exe

 

Which fixes:

"This hot fix corrects an issue that some MIME formats could cause Message Module(TMMSG) to convert the original SMTP message into a wrong format. Converting the SMTP message into the wrong format might cause Outlook Express to time out when retrieving email messages using the POP3 protocol."

 

Applies to SMTP too. Once the hotfix was applied SBS2003 Performance reports go straight out and Meeting Requests arrive intact.

 

Wayne

 

Okay I gotta rant... come on Trend: "Request the smex70_win_en_hfb1157.exe file from TREND MICRO Technical Support.

Premium Support Program (PSP) clients can contact their Technical Account Manager (TAM) directly"

No, Trend, you put a patch like that in a place that those of us who live in a 24/7 world work and live in can get to it.

 

[btw that wasn't Wayne ranting...that was me, Susan as usual!]

 

Issue with SUS Servers

This Alert is to make you aware of the release of Microsoft Knowledge Base Article 912307, Synchronizing SUS 1.0 SP1 Servers with Windows Update after December 12, 2005 may cause previously approved updates to be unapproved.

 

Microsoft is aware of an issue affecting Software Update Services 1.0 users where all previously approved updates, including security updates, have had the approvals removed and replaced with a status of 'updated'.

 

Microsoft is currently investigating the issue and has found that Windows Server Update Services users are not affected.

 

Microsoft has published a knowledge base article providing workaround information for customers who may be impacted by this issue. 

 

Microsoft will continue to investigate this issue to help ensure SUS administrators can deploy Windows updates properly. 

 

More information can be found at:

 

http://support.microsoft.com/?kbid=912307

Managing those iTunes

Darryl the other day posted about an issue he had with My Music.  No ...not "my" music, but the My Music folder.  You see it seems like all these folks were loading up iPod and iTunes and dumping music in My Music...and of course...they had roaming profiles... so guess what?  Yup.  They were sync'ing and dragging around Desperate Housewives First Season all the time.

So if your roaming profiles suddenly take a long time to roam...and your backups are filling up like crazy... you might just want to check what is in that My Documents folder.....

And given that yes... we have six Audiovox 5600's and soon to be a two iPod office... I just might need to be aware of this myself and proactively make sure folks are not abusing that Internet use policy around here that says "no" to such things.

WSUS IMF patch expiration

If you saw that ...and wonder what it was and what happened to it, this is that IMF patch that the SBS podcast gang were talking about that was the bogus patch.  Just mark it off and continue your patching.

Speaking of IMF...they will be having their deep dive on IMF next Monday!

John's Backup comment that's too good to be hidden in the comment section.....

This was posted as a comment to the Oferized [TM] backup and is too good to be down in the comments

re: An Oferized [TM] backup

Tuesday, December 13, 2005 4:37 AM by John Behneman
I wrote this last year when I was on the SBS team - the secret to getting out of a bad disaster recovery situation is preparation:
(* John was a SBS support engineer who helped me when I got stuck setting up my Server at the office last year)

SBS 2003 Disaster Recovery Preparation

Your best defense against a system down situation like a blue screen is preparation. The following procedure will help get you back up and running by updating your c:\%systemroot%\repair directory with a current backup copy of your system registry and provide a local copy of your other important system state files in a local folder on your server's system drive.

1. How to backup the SYSTEM STATE in preparation for a future Blue Screen or other calamity.
To update the repair directory do the following on a Windows/SBS 2003 server:
A. Create a folder on a Drive with at least a couple of gigabytes of free disk space and name it SYSTEMSTATE
B. Go to Start -> Run and type NTBACKUP and click OK.
C. If this is the first time you have run NTBACKUP you will be in Wizard Mode, please click on the Advanced Mode link.
D. Select the Scheduled Jobs TAB, click on the ADD JOB button, then click NEXT
E. Select "Only back up the System State" option and click NEXT.
F. On the "Type of Backup" screen select COPY and click NEXT button twice.
G. On the Backup Options screen ensure that you select APPEND or REPLACE depending on how much free disk-space you have, Click Next.
H. Select LATER on this screen and give the Backup a Name like SYSTEMSTATE then click on the Schedule Button
I. On the SCHEDULE TASK drop down menu select weekly or monthly depending on how often you want backup your system state
J. Next select a START TIME some time in the late evening or early morning when nothing else is scheduled to run.
K. Choose a day when you want the backup to run, a day when no one is around would be perfect, Click OK, Click NEXT.
L. Choose an Account that you want the Job to run under, Administrator is the default, you may wish to create a special account for this purpose and add it to the Backup Operators group so that when you change the Administrator password it doesn't cause your backup jobs to fail. Enter the PASSWORD for the account twice and click OK.
M. Click NEXT, you may be prompted again for the Username and Password click OK, then click FINISH.
N. If you need to modify the Scheduled Backup Job, go to the CONTROL PANEL, SCHEDULED TASKS and select the job you wish to modify. This is also a good place to determine when other jobs are running when implementing step J.

NOTE: If you choose APPEND in step G you will want to archive and delete this file at some point in the future to prevent your backup storage drive from filling up.

2. Another task that can expedite recovering from a blue screen is installing the Recovery Console on the server while it is functioning properly and testing logging into the Recovery Console to verify that you know the correct Recovery Console Password. If you do not know the Recovery Console password during a disaster recovery you are resigned to doing a parallel install of the Operating System in order to repair it.

How to install the Recovery Console
http://support.microsoft.com/?id=216417

How To Install and Use the Recovery Console in Windows 2000
http://support.microsoft.com/?id=318752

Description of the Windows 2000 Recovery Console
http://support.microsoft.com/?id=229716

How to Change the Recovery Console Administrator Password on a Domain Controller
http://support.microsoft.com/?id=239803

How to add more power to Recovery Console by using Group Policy in Windows XP Professional
http://support.microsoft.com/?id=310497

Miscellaneous articles regarding the Recovery Console:

How To Use Recovery Console on a Computer That Does Not Start in Windows 2000
http://support.microsoft.com/?id=301645

How To Use the Recovery Console on a Windows Server 2003-Based Computer That Does Not Start
http://support.microsoft.com/?id=326215

How To Troubleshoot Startup Problems in Windows 2000
http://support.microsoft.com/?id=315396

How To Troubleshoot Startup Problems in Windows Server 2003
http://support.microsoft.com/?id=325375

Recovery Console Starts Without Prompting for a Password
http://support.microsoft.com/?id=238836

HOW TO: Replace a Driver By Using Recovery Console in Windows Server 2003
http://support.microsoft.com/?id=816104

Description of the SET Command in Recovery Console
http://support.microsoft.com/?id=235364

Recovery Console Prompts for Administrator Password Even If Administrator Account Has Been Renamed
http://support.microsoft.com/?id=258585

Description of the BOOTCFG Command and Its Uses
http://support.microsoft.com/?id=317521

How to Maintain Current Registry Backups in Windows NT 4.0 and Windows 2000
http://support.microsoft.com/?id=318149

How to Add OEM Mass Storage Drivers to the Windows Recovery Console
http://support.microsoft.com/?id=817616
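
The scheduled job in John's comment stops running if the password of the account chosen in step L changes, and the APPEND choice in step G grows the backup file until the drive fills. As an added example (not part of John's comment and not a Microsoft tool), this Python check reports a missing, stale, undersized or oversized system state file; the D:\SYSTEMSTATE\SYSTEMSTATE.bkf path and every size threshold are assumptions to tune for your own server.

```python
"""Health check for a scheduled NTBACKUP system state file (added example)."""
import os
import shutil
import sys
import time

DAY = 86400
GIB = 1024 ** 3

# Assumed location: the SYSTEMSTATE folder from step A. The file name is hypothetical.
DEFAULT_BKF = r"D:\SYSTEMSTATE\SYSTEMSTATE.bkf"


def check_system_state_backup(bkf_path, max_age_days=8, min_bytes=50 * 1024 ** 2,
                              max_bytes=20 * GIB, min_free_bytes=2 * GIB, now=None):
    """Return a list of (code, message) findings; an empty list means healthy.

    max_age_days=8 suits a weekly schedule with one day of slack. The size
    limits are assumed thresholds: set them from what a known-good run produces.
    """
    now = time.time() if now is None else now
    folder = os.path.dirname(os.path.abspath(bkf_path))

    # Drive not attached or folder deleted: nothing else can be checked.
    if not os.path.isdir(folder):
        return [("FOLDER_MISSING", "backup folder not found: %s" % folder)]

    findings = []

    # Step A asks for a couple of gigabytes free; warn before the drive fills.
    free = shutil.disk_usage(folder).free
    if free < min_free_bytes:
        findings.append(("LOW_DISK", "only %d bytes free in %s" % (free, folder)))

    if not os.path.isfile(bkf_path):
        findings.append(("FILE_MISSING", "no backup file at %s" % bkf_path))
        return findings

    info = os.stat(bkf_path)
    age_days = (now - info.st_mtime) / DAY

    # A stale file means the scheduled job has stopped running, for example
    # after the password of the job's account was changed (step L).
    if age_days > max_age_days:
        findings.append(("STALE", "last written %.1f days ago" % age_days))

    # A very small file suggests the job was cut short.
    if info.st_size < min_bytes:
        findings.append(("TOO_SMALL", "file is only %d bytes" % info.st_size))

    # A very large file is the APPEND growth the NOTE after step N warns about.
    if info.st_size > max_bytes:
        findings.append(("TOO_LARGE", "file is %d bytes; archive and delete it"
                         % info.st_size))

    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BKF
    results = check_system_state_backup(target)
    for code, message in results:
        print("%s: %s" % (code, message))
    # A non-zero exit code lets a scheduler or monitoring agent raise an alert.
    sys.exit(1 if results else 0)
```

Run it from its own scheduled task the morning after the backup window, so a failed job is noticed within a day rather than during a restore.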

Info on Trend CSM 3.0 suite upgrade

Need some resources for Trend's new 3.0 suite?

Check out this link!

So far the biggest issues I've seen are that it doesn't like compression turned on the web site [which WSUS has turned on] and that the firewall is supposed to not be turned on the workstations via deployment but sometimes gets enabled.

 

Have your WSUS's synch'd today?

Courtesy of Tom Alverson on the WSUS listserve via www.patchmanagement.org

New Update Alert

The following 26 new updates have been synchronized since Tuesday, December 13, 2005.

Critical and Security Updates

Update for Windows Server 2003 (KB910437)
Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer.
 
Update for Windows Server 2003 for Itanium-based Systems (KB910437)
Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer.
 
Update for Windows XP x64 Edition (KB910437)
Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer.
 
Update for Windows XP (KB835409)
Install this update on Windows XP Service Pack 1 systems to resolve an issue where System Restore may not work correctly or certain services may not function properly after using System Restore on SP1. After you install this item, you may have to restart your computer.
 
Security Update for Windows 2000 (KB908523)
Severity: Important
A security issue has been identified in Microsoft Windows based systems that could allow an attacker who successfully exploited this vulnerability to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. After you install this item, you may have to restart your computer.
 
Update for Windows XP (KB910437)
Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer.
 
Security Update for Windows Server 2003 (KB904706)
Severity: Critical
A security issue has been identified that could allow an attacker to remotely compromise your Windows-based system using DirectShow and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Security Update for Windows 2000 (KB904706)
Severity: Critical
A security issue has been identified that could allow an attacker to remotely compromise your Windows-based system using DirectShow and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Security Update for Windows XP (KB904706)
Severity: Critical
A security issue has been identified that could allow an attacker to remotely compromise your Windows-based system using DirectShow and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Update for Windows Server 2003 x64 Edition (KB910437)
Install this update to resolve the issue in which Windows Update Automatic Updates can no longer download updates after an Access Violation error occurs. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer 5.01 Service Pack 4 (KB905915)
Severity: Critical
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB905915)
Severity: Critical
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB905915)
Severity: Moderate
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer for Windows Server 2003 for Itanium-based Systems (KB905915)
Severity: Moderate
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer for Windows Server 2003 x64 Edition (KB905915)
Severity: Moderate
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer for Windows XP (KB905915)
Severity: Critical
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 
Cumulative Security Update for Internet Explorer for Windows XP x64 Edition (KB905915)
Severity: Moderate
Security issues have been identified that could allow an attacker to compromise a computer running Microsoft Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
 

Non-critical and non-security Updates

Update for Windows Server 2003 (KB908521)
Severity: Unspecified
Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP. After you install this item, you may have to restart your computer.
 
Update for Windows Server 2003 for Itanium-based Systems (KB908521)
Severity: Unspecified
Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP. After you install this item, you may have to restart your computer.
 
Update for Windows Server 2003 x64 Edition (KB908521)
Severity: Unspecified
Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP. After you install this item, you may have to restart your computer.
 
Update for Windows XP (KB908521)
Severity: Unspecified
Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP. After you install this item, you may have to restart your computer.
 
Microsoft .NET Framework 2.0: ia64 (KB829019)
Severity: Unspecified
The .NET Framework version 2.0 improves scalability and performance with improved caching, application deployment and updating with ClickOnce, and support for the broadest array of browsers and devices with ASP.NET 2.0 controls and services. After you install this update, you may have to restart your computer.
 
Microsoft .NET Framework 2.0: x64 (KB829019)
Severity: Unspecified
The .NET Framework version 2.0 improves scalability and performance with improved caching, application deployment and updating with ClickOnce, and support for the broadest array of browsers and devices with ASP.NET 2.0 controls and services. After you install this update, you may have to restart your computer.
 
Microsoft .NET Framework 2.0: x86 (KB829019)
Severity: Unspecified
The .NET Framework version 2.0 improves scalability and performance with improved caching, application deployment and updating with ClickOnce, and support for the broadest array of browsers and devices with ASP.NET 2.0 controls and services. After you install this update, you may have to restart your computer.
 
Update for Windows XP x64 Edition (KB908521)
Severity: Unspecified
Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP. After you install this item, you may have to restart your computer.
 
Windows Malicious Software Removal Tool - December 2005 (KB890830)
Severity: Unspecified
After the download, this tool runs once to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove any infection found. If an infection is found, the tool will display a status report the next time you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center or run an online version from microsoft.com. This tool is not a replacement for an anti-virus product. To help protect your computer, you should use an anti-virus product.
 

New Updates Today

MS05-054: Cumulative Security Update for Internet Explorer (905915) Rated: CRITICAL
http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

MS05-055: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (908523) Rated: IMPORTANT
http://www.microsoft.com/technet/security/Bulletin/MS05-055.mspx

Other non security patches released today:

Update for Windows XP (KB910437) Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service.

Update for Windows Server 2003 (KB910437) Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service.

Update for Windows XP (KB908521) Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP.

Update for Windows Server 2003 (KB908521) Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP.

Update for Windows Server 2003 (KB896427) Install this update to resolve an issue in which you cannot view the contents of a subfolder on a network share. This issue becomes apparent after you install Microsoft Security Bulletin MS05-011: Security Update for Windows Server 2003 (KB885250).

Update for Windows XP (KB835409) Install this update on Windows XP Service Pack 1 systems to resolve an issue where System Restore may not work correctly or certain services may not function properly after using System Restore on SP1.

Updated Malicious Software Removal Tool
http://support.microsoft.com/?id=890830

An Oferized [TM] backup

There's a gentleman in the SBS community that is renowned for his robust solutions.  So renowned that we're telling him he should trademark them.

 

Oferize [TM] your network is something that I think we all need to do that we are not doing.  This is an Oferized [TM] trick that I'll be adding to my network.  So what is it?  It's a special script to kick out a system state backup in ADDITION to the normal SBS backup.  This is a key element in making sure that you have a double backup for that AD glue.

 

So here are Ofer's best recommended guidelines to start this process of making sure your AD glue is better protected....

 

Option 1

 

Use Scheduled Tasks and the GUI for NTBACKUP entirely in Windows - it would be like your normal SBS Backup wizard that once you complete you go to the Scheduled Tasks and you see that it appends itself to the list - look there and see that it's called BACKUP SMALL BUSINESS SERVER

 

Option 2

Use Scheduled Tasks and call up a batch file of command line switches - for the sake of illustration, let me make some assumptions:

 

- [Prerequisite] - The account or BACKUP account you are signed in as has ADMINISTRATOR level privileges

- [arbitrary] - Your external USB or Firewire backup drive letter is Drive G and is connected to SERVER

- [arbitrary] - The file name you wish to backup to is called SERVER_SystemState.BKF

- [arbitrary] - The batch file itself is called SS_BACKUP.BAT

 

I document my batch files - so the syntax within the batch file I use goes something like this:

 

@ECHO OFF
CLS

REM -------------------------------------------------------------
REM  NAME.....: SS_BACKUP.BAT
REM  AUTHOR...: Ofer Shimrat, SOUNDOFF Computing
REM  CLIENT...: SOME CLIENT...........
REM  PURPOSE..: Backup System State of SERVER
REM  FREQUENCY: Every FRIDAY at 10:00 PM
REM  MEDIA....: External Western Digital USB Drive
REM -------------------------------------------------------------

IF EXIST G: GOTO BACKUP_YES
IF NOT EXIST G: GOTO BACKUP_NO

:BACKUP_YES
C:
CD\
NTBACKUP BACKUP SYSTEMSTATE /F "G:\SERVER_SystemState.BKF"

:BACKUP_NO
EXIT

 

Then you use Windows Scheduled Tasks and you call that batch file, and in the case above set it to frequency ONCE weekly and every Friday at 10:00 pm

 

Option 3

Use AT command line and call the batch file

 

For Option (3) above, using the SAME assumptions, you would call the same batch file but now as a CMD file, you would NOT use the Windows Scheduled Tasks GUI - instead you would do something like this at the command prompt:

 

 

AT \\SERVER  22:00 /EVERY:f "C:\SS_BACKUP.CMD"

 

If you look carefully, the command file completes and echoes back:

 

 

"Added a new job with job ID = 1"

 

If you go to the Scheduled Tasks GUI you will see a new item called AT1 and it's set at 10:00 pm every Friday. So it's all inter-connected - command line and GUI. Since I am a command line kind of person I like the flexibility of doing one or the other depending on the situation.

 

There are MANY switches and options for the NTBACKUP program in command line mode - like /V for verify or /A for append - if you use NO switches then all of the functions of NTBACKUP go to DEFAULTS - if you wish to tweak it further then read more about it at the following link:

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;814583

 

So the moral of the story for me, as far as backups, is to:

 

(1) do the SBS backup from the MMC

(2) do the System state backup as described above

(3) turn on VSS, make sure all of the clients AND the Administrator have it enabled - that way the Administrator has access to PREVIOUS VERSIONS tab

(4) mimic a tape array on the external drive by creating a MON directory, TUE directory etc and batch file backup each day's backups into the day's slot - then rotate AT LEAST 2 external drives regularly every week

 

Recently, I am also bringing in 1 GB USB flash drives and backing up the system state to that on a regular basis and take it offsite and burn CD's of them and keep it in the client file. Just like real estate is LOCATION, LOCATION, LOCATION then our job is BACKUP, BACKUP, BACKUP

 

I hope that helps.

 

Regards,

 

Ofer Shimrat, MCPS, MCNPS

SOUNDOFF Computing

 

URL: www.soundoffcomputing.com   

 

"We welcome the opportunity to be of service"

Vlad wants to get arrested

Seriously.

He needs your help.

He wants to make 100,000 downloads and thus get on the RIAA watch list or at least / .'ed.  [that's Slashdotted for those of you not in the biz]

Vladville - Vlad Mazek's IT Blog:
http://www.vladville.com/2005/12/sbs-show-8-patch-management-with-susan.html

The SBSshow.com this week has the show about Patch Management on it.  Oh that reminds me.. I forgot to tell Vlad one of my other favorite resources for patch management and that's the listserve of www.patchmanagement.org.

The hardware issue

We need to lay a few foundations ... a few rants before we post the "how to Oferize [TM] your box" blog post [don't worry this will all make sense in time].

We're not buying the right equipment in my opinion.  I love the Active Directory glue.  But in doing so, I know that I must rely on my server more.  When I do this I know that I must buy a Volvo versus a Hyundai.  Between myself and my office I've personally been involved in spec'ing out three servers.  One is my 'real baby'.  An HP box that when the temperature on the motherboard fluctuates it emails me that it has.  One that I didn't need to find any drivers because I used the HP Smart Start to load it up.  One that had redundant power supplies and drives.  That alerts me should one fall off the array.

I then have the cheapest SBS OEM box I could find.  I bought it for a test server for the OEM SBS platform.  And quite honestly it's a desktop.  An overgrown desktop.  And yet, it's being sold as a server.

I now just have for home another server.  Still a low price range but better quality than the cheapest OEM I could find.  And while this system is fine for my micro-small network at home of two people and a dog sharing a network, there's no way I'd be installing this in my office.  

We depend on technology.  Therefore I have a 'sweet spot' of hardware that I like to have.  Redundancies.  Failover.  Hardware RAID.  And an expectation that I will look at this hardware to be my 'main system' for only about three to four years and then I'll slide it down the ladder of system tolerance and not trust it as much anymore.

There are times in our small offices with too cheap of a budget that I don't think we should be installing SBS.  As much as I love the power it gives me both at the office and at home, I know that I need to invest in technology to make it invest in me and give back to my firm.   

Putting our eggs in one basket means we buy a better basket.  Server quality means the fan is louder, the inside doesn't look plasticky, the system 'looks' like a server.  It doesn't look like they took the chassis of a desktop and turned it into a server.

What's the min spec of a SBS box?

Totally depends on the office and what programs they are running.  I don't think there's a right minimum spec out there, to be honest with you.  It depends on the business you are putting it in.  For a small firm, you can get away with 1 gig especially if you are not running ISA and SQL.  Get a bit bigger and 2 gigs is my comfortable minimum.  Get more programs that hook into databases and what not?  3 and 4 gigs of memory.  Hard drive speeds?  7200 rpm is for desktops.  For servers, it's 10,000 and even 15,000 RPM.  I just bought two new Dell workstations and bought 10,000 RPM SATA drives.  Therefore my server spec's should be no "less" than that.

Bottom line, let's do a sanity check on the hardware we are buying.  Are YOU comfortable running YOUR business on the hardware you just installed in that firm?

Think about that the next time you sell hardware. 

 

 

A must listen to podcast

Well we are finally back online and on the new Community Server engine.  I've got a few posts that have been itching to get out [mainly on hardware] but if you have not already done so, I strongly urge you to go listen to the SBS support gang's ISA on SBS podcast.  While all of their podcasts are excellent, this one just had a lot of really great nuggets of information for the Premium firewall that I prefer on my box in addition to a hardware firewall on the outside.

Afterwards download the white paper on what you can't do with ISA.

If you haven't tried out ISA 2004, this is the time to do so.  The monitoring tab functions make it so much easier to handle.  To me ISA Server is just another layer of my defenses and one that gets a ton more monitoring of it than my hardware firewall.

Check out the Official SBS Support blog and the podcast!

 


 

Sam the SBS Server is very upset today

I was going to interview Sam the SBS server for this ...but right now he's yelling and is so upset I can't calm him down enough for the Interview.  He's very upset that a year after he was deeply embarrassed by what he did that it happened again.  That people still have the original code on their systems and have not patched.

Server bug cripples Dublin law firms | The Register:
http://www.theregister.co.uk/2005/12/10/server_bug_cripples_dublin_law_firms/

He said that when this first happened it was Microsoft's fault.... now this is yours.

We now have this patch on the Microsoft Update site.

You now have no excuse whatsoever to not have this patch on SBS 2003 boxes.  All you have to do is flip that server from Windows Update to Microsoft Update...which ... if you've ever WU'd that box it now recommends that you do so.

If these servers were installed by an IT Pro?  This is your job.  Both Sam and I cannot understand how the IT pros of the world do not at LEAST know about Microsoft Update, are not trying to learn WSUS, and are not proactively helping their clients to patch.  Want to know one of the ten ways to get your server hacked as per Johansson and Riley's book “Protecting your Windows Network”?

Don't patch it.

If this is a DIY setup, okay I'll cut you a little slack ...but even still... you don't even have to install WSUS... all you have to do is visit Microsoft Update as those SBS patches are now offered up.  I cannot believe that just as we reach the milestone of patches now being offered up on our boxes, that someone cannot find their way to Microsoft update... I cannot believe that they went this long without updating...that's RTM code of October of 2003 that hasn't been updated.

Let's review, class, exactly how easy it is to visit Microsoft Update.... start, click on Windows Update.

There?

Now on the right hand side, see that Microsoft Update box?  Click there and go through the process of installing it.  Download what it tells you to.

Heck, turn on autoupdates, because I'd rather you have unmanaged patches being installed on your box than none at all.

I'm sorry but I'm in a mood.... if you buy a computer READ THE INSTRUCTIONS.  It's our duty these days to patch.  It's our responsibility to learn the power of the technology we have.

Learn to patch.

Go to Microsoft Update.

Sam the SBS Server was ashamed of what he did the last time... today he's ashamed of us.   That we can't take the time to understand enough on how to keep him running.

If you don't have Microsoft Update 'flipped' to being the update mechanism on the server[s] you have and control, do it today. Make Sam the SBS Server proud of you and not embarrassed that you couldn't even keep him up to date.

Whoo hooo another SBS Support Podcast

The Official SBS Support Blog : Inside SBS Episode #12 - The ISA Server Meltdown:
http://blogs.technet.com/sbs/archive/2005/12/09/415881.aspx

The SBS gang have another podcast just in time for the weekend!

I need more granularity in my audit logs

Eric Fitzgerald is going to hate me.  I want more details.  More granularity.  I want more codes in my audit logs.  Why?

Because in order to figure out who is accidentally sliding files and folders underneath another one I have to track a couple of audit entries and I think the tracking of access needs to be way more granular than it is.

I had to set up auditing of Object Access and then enable the auditing of the folder for delete and write in order to track when a folder was accidentally being slid.  The events that show up in the audit logs indicate an access of “synchronize”.

I don't think the number of audit codes is enough.  And I think kicking up the auditing is getting more and more important.  The Wall Street Journal has an article on how compliance is pushing a tech industry.

Bottom line.... I want more detail and more default auditing turned on, and I want to filter out for those events I don't need to audit.

Does my filtering software have to be part of the native OS?  Not really.  Given my issues and needs and given this is now a “business issue” this is where I go “okay I need to purchase a solution”, so I'm looking at GFI's SELMonitor.  But should the operating system natively be able to turn on more granularity... I think so.  I think we're going to need a lot more codes than what are now available...but that's just my thoughts....


Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560

    Object Name:    F:\client data\Susan Bradley\Client
  
    Accesses:    DELETE
           SYNCHRONIZE
           ReadAttributes
              Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x110080


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



---------------------------------------------------
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560

    Object Name:    F:\client data\Susan Bradley\Test
       Accesses:    SYNCHRONIZE
           AppendData (or AddSubdirectory or CreatePipeInstance)
              Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x100004


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
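
The two Event ID 560 records above can be tied together by decoding their Access Mask values and pairing a DELETE on one folder with an AddSubdirectory on a different folder by the same user a moment later. The following Python is an added example, not part of the original post; the Date, Time and User fields, the account names and the third record in the sample log are constructed, since the excerpts above do not show them.

```python
import re
from datetime import datetime, timedelta

# Access-right bits for file and directory objects (Windows access mask).
FILE_ACCESS_BITS = {
    0x000001: "ReadData/ListDirectory",
    0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
DELETE = 0x010000
ADD_SUBDIR = 0x000004

# Constructed sample: paths and masks come from the post, everything else is made up.
SAMPLE_LOG = r"""
Event ID:    560
Date:        12/9/2005
Time:        10:15:02 AM
User:        DOMAIN\exampleuser
    Object Name:    F:\client data\Susan Bradley\Client
    Access Mask:    0x110080
---------------------------------------------------
Event ID:    560
Date:        12/9/2005
Time:        10:15:03 AM
User:        DOMAIN\exampleuser
    Object Name:    F:\client data\Susan Bradley\Test
    Access Mask:    0x100004
---------------------------------------------------
Event ID:    560
Date:        12/9/2005
Time:        11:40:10 AM
User:        DOMAIN\otheruser
    Object Name:    F:\client data\Susan Bradley\Test
    Access Mask:    0x100081
"""

FIELD = re.compile(
    r"^[ \t]*(Event ID|Date|Time|User|Object Name|Access Mask):[ \t]*(.+?)[ \t]*$",
    re.M,
)


def decode_mask(mask):
    """Return the access-right names set in a file/directory access mask."""
    names = [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_BITS)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names


def parse_events(text):
    """Split a text export on dashed separator lines and keep the 560 records."""
    events = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        f = dict(FIELD.findall(chunk))
        if f.get("Event ID") != "560" or "Access Mask" not in f:
            continue
        events.append({
            "when": datetime.strptime(f["Date"] + " " + f["Time"],
                                      "%m/%d/%Y %I:%M:%S %p"),
            "user": f["User"],
            "path": f["Object Name"],
            "mask": int(f["Access Mask"], 16),
        })
    return events


def find_folder_moves(events, window=timedelta(seconds=5)):
    """Pair a DELETE open on one folder with an AddSubdirectory open on another.

    Event 560 records the access requested when the handle was opened, so each
    pair is a lead to follow up on, not proof that the move completed.
    """
    moves = []
    for src in events:
        if not src["mask"] & DELETE:
            continue
        for dst in events:
            if (dst is not src
                    and dst["user"] == src["user"]
                    and dst["path"] != src["path"]
                    and dst["mask"] & ADD_SUBDIR
                    and abs(dst["when"] - src["when"]) <= window):
                moves.append((src["user"], src["path"], dst["path"], src["when"]))
    return moves


if __name__ == "__main__":
    for user, source, target, when in find_folder_moves(parse_events(SAMPLE_LOG)):
        print("%s  %s  moved? %s -> %s" % (when, user, source, target))
```
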

Write them down

You've seen it haven't you?  Documentation that says how to select a password and many times it says “Oh, heavens, don't write it down!”

My sister refuses to write down the password to her online banking account.   So what happens?  She forgets it and she has to reset it which normally means a long hold time on a lovely help phone line as by this time she's locked the account out.  Afterwards when we argue that she should write it down I remind her that every time we have this argument about her not writing down the password is each time she has to call and reset it because she can't remember it.

Have you read the article about writing down your passwords?

Writing down a password means I pick a better one.  Writing it down would mean I wouldn't argue with my sister each time she does online banking.  Writing it down is not the end of the world.

Setting passwords and password policies are, I think, one of the hardest things to do.  Why?  Because look at what happens with me and my sister.  I end up arguing with a person who is a very educated and talented person because she'd bought into the “don't write it down” line.

It's okay to write down your passwords...just protect where they get written down to.

Cutting over to CS

We're about ready to cut over to Community Server so we might be offline a bit tomorrow.

In the meantime you can check out the Official SBS Support blog and SBSShow.com

The end of the year

The end of the year means a beginning of a new one... and for those of you running your businesses, this time of year should be when you start looking at your records and expenses in a new light.

For in America, if your business year end is December, it's time to start seeing where you are at, and seeing if you need to buy things to get a deduction.  There's a concept called 'ordinary and necessary' business expense.  So all of those books, the DSL connection, all of those supplies are ordinary and necessary to your business.  Your phone is an expense as well... and hopefully by now it's one of those uber geeky phones so it's marketing as well as a business tool. 

The expenses related to you going to SMBnation.com is a deduction.  Any books you bought there are an expense.  And of course, something we call Section 179 which is where we can immediately deduct the cost of equipment as long as it doesn't exceed certain boundaries.

All of this advice and comment is freely given and is not meant to be a replacement for advice and counsel of going to a tax professional.  Because if you did, you just might get more information and advice about setting up retirement and benefit plans and a whole bunch of other stuff that I'm not including in this post.

December 31st is tax planning time.  Are you ready?

We suck at communication

For the last couple of days I've had a project where I've had to read emails.  Emails that were not my own.  And I must say that email is damaging our business communication.....

FOR SOME OF US WE CONSIDER THAT SHORT EMAILS IN ALL CAPS IS APPROPRIATE LEVELS OF COMMUNICATION

for others they consider that all lower case is the way to do email

4 sum its uzing shrt wrds

The sad thing is, much of what I'm looking at is business correspondence, and yet emails are treated like instant messages, with short comments that if you attempt to go back later on and review the conversations, much of the meaning is lost.  We don't need to put a Gettysburg address in email, or a Federalist paper dissertation, but I think we need to be a lot more professional in our business email correspondence.

What happened to the rules of letter writing?  And why has the “Instant Message” method of email become the standard communication means?

It's made me look at my correspondence in a new light and make sure I'm not “IMing” when I should be giving good business communication.

Dear Microsoft Licensing People

Dear Microsoft Licensing People...

When giving information to SBSers... make sure you are not giving them “Big Server Land” information.

It's Friday and I'm in the mood for a rant....

In the newsgroup today someone was trying to download a copy of a trial version as overseas they couldn't get the software through customs worth a darn, and so someone told them to buy SBS under Volume licensing and they said “oh yes” that if you had Open Value they could get downloadable media..... they said... and I quote from the post...

'I have a confirmation from Microsoft that though it was not possible to download the media through eOpen, it is in fact possible to download licensed media through Open Value at the MVLS site. This is confirmed for US only.'

 

Well I AM an Open Value customer and I can confirm WITHOUT A SHRED OF DOUBT that it's not available for download.  Folks, this is why the media gets sent to me automagically because we need a product key.

See this download screen?

Do you see the fact that there is NO SBS 2003 on that listing? 

Folks when you talk to Microsoft in any way shape or form, especially when it comes to licensing, can you say to them “can you check and make sure your information that you are giving me pertains as well to SBS?”  And if they say there is no difference, don't believe them, because when it comes to Software Assurance and other small business licensing information, I can assure you that we are unique, we don't get all the benefits and for many folks that you call on Microsoft licensing, they really don't have a clue about the small business licensing.  Hands down the best resource for Smallbiz licensing is Eric Ligman and company on the Mssmallbiz site and the official Microsoft Mssmallbiz yahoogroup.

So ...want to know the real scoop of what I get with software assurance?  Check out this grid.

Okay let's review...since I have 2 servers and less than 50 desktops....

  • For the Open Value that I have that doesn't go through the Eopen site but instead through MVLS site, I do get version upgrade rights.  So I'll be getting SBS 2003 Release 2 [WSUS, SQL server 2005 workgroup and Exchange 2003 sp2].
  • I do get media for the server sent to me automatically [mainly because I can't download it]
  • I will get Windows Vista upgrade rights and a copy of Virtual PC Express edition for every Windows software assurance license I have.
  • I don't have 50 Office licenses so I won't get training.
  • I do get a cdrom called the Information Worker eLearning cdrom 
  • I get a Windows eLearning cdrom
  • I get a Server eLearning cdrom [it's not SBS specific though]
  • Office gets home use rights
  • Desktop - for every $200,000 of SA for Office and Windows I get one phone incident [translation... I barely get one phone call at that conversion rate]
  • Server for every $20,000 of SA I get one phone incident for servers.
  • I get “cold server rights”.
  • I get one user ID for Technet Managed newsgroups [I think I have enough newsgroup access :-) so I might pass on that one]

Someone said that Microsoft themselves internally should not necessarily pay for licenses but be required to track their compliance. 

Bottom line folks...whoever told that SBSer that we can 'download' a copy of SBS... is ...well... flat out wrong.

ISA Server Best Practices Analyzer

The result of the Firewall Dashboard

So yesterday I found out via the Scorpion Software Firewall “in your face” Dashboard that my router had been pinging me to death.  So I “un RIP'd” my hardware firewall on the outside about 9 p.m last night.

So what does my 'attack' radar look like today showing yesterday's attacks? 

It looks like someone ate a piece of Mince or Pumpkin pie is what it looks like.  Look at the reduction in pings.

And so far none of the annoying notifications that I was getting before.... ISA Server name: DOMAIN  -- ISA Server detected a port scan attack from Internet Protocol (IP) address 69.225.175.113. A well-known port is any port in the range of 1-2048. ..... that I would get... so we'll see if that fixes that issue.

The SANS “Application Security Hall of Shame” first inductee is Quickbooks


In response to Newsbites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.

And in one of my CPA lists, a poster asked “so we have to risk our machines because some of our clients are running 2006?  2007 is a long way off”.  To which I responded that we are risking our machines NOW.  Can you install software on your system now?  If so you are already running as an administrator and that means that malware can easily get in now too.

More info can be found on www.threatcode.com [and yes I need to add more to the nomination list and update the QB as non admin section]  You can see that more and more folks are saying that they don't want to hack up registries anymore.

Where I live and work

Where I live and work used to be a lot friendlier.  I could leave my defenses down.  I could leave my doors and windows open.  I could be open and friendly with everyone.  I could share out everything with all my neighbors.

But then 'they' moved in.  Criminals moved into where I live and work and now make more money off of my neighborhood than when they sold drugs.  I can't live and work the way I used to.  I now have to put locks and protection in place.  I can't be the trusting person I used to be. I must be more protective and proactive to secure where I live and work.

Think I'm talking about the house where I live or the office where I work?

I'm not.

I'm talking about the computer I use.  Criminals now make more money from cybercrime than drug crime.  So why in the world are folks still running an operating system whose threat level was built back when we trusted everyone, considered everyone our friend and had no paranoia?

This month's Redmond Magazine has an article about Anti-Spyware and one of the top five gripes is.....

Dearth of Support: Windows AntiSpyware runs on XP and 2000 machines. Users say they would like to see it run on Windows 98 machines as well.

Windows 98?  Folks... back in July of 1998 the AICPA journal ran an article about whether it was time to upgrade to NT from Windows 95.  Given that this is now 2005, almost 2006, I think the time has come folks. 

If where you live and work is Windows 98, it's not safe enough or secure enough.  It's dragging down your neighborhood if you have it in your network.

Be a good cybercitizen and do your part.

 

Two security patches next week

Microsoft Security Bulletin Advance Notification:
http://www.microsoft.com/technet/security/bulletin/advance.mspx

Two patches next week and three non security updates on Microsoft update/WSUS next week.

Remember .... Second Tuesday of the month .... it's patch Tuesday.

So you want to know two ways you can check for issues with patches?  The first is right inside the article itself in the 'caveats' section.  Click there and there's the known issues.  The second is the "community method".  Go to www.google.com and then Google Groups and put in the KB article number and do a search.

Now you'll sometimes have to weed a bit through some postings, but if there's a trend of 'dead bodies' where folks are having issues, it should show up via that search of Usenet.

Upgrades to SBS 2003 R2?

Adam says he just talked to the MS Concierge and they said the only way to get R2 was to buy the 'whole' product again, as there were no upgrade options.

Adam?  Tell that Concierge-y person to go listen to the SBS weekly show where Guy Haycock 'aka the buck stops here' SBS Product Manager says there will be. 

Guy's post and that podcast should clear up any confusion.

One correction to Guy's post though.. he says that if you have SA for a nominal fee you'll get the media... for those of us on the three year SA plan it gets automagically sent to us.

And Adam?  The web site you were pointed to was Windows 2003 R2 pricing, not SBS pricing.  We don't have SBS pricing yet.

My ISA Server just got a smidge better [okay a lot better]

So I ran a test install of the Scorpion Firewall Dashboard on a VMware SBS 2003 [yes with ISA as you can do two nics] at home and the install was so nice and clean and easy and just sooooo cool...and well while the reports were fun.... well.. being a VMware stuck behind a real SBS box and a firewall meant that ...well, quite frankly the logs were kinda boring ...so I wanted to see what it was like on a more 'production' system.

Now keep in mind that at the office ISA is “behind” a hardware firewall... but it's one that quite honestly I don't patch as well as I do the ISA server one.

So imagine my surprise when the graph that came up indicates that the hardware router I have on the outside is pinging my poor SBS box to smithereens.  Dana says it looks like every 30 to 45 seconds a RIP request is being fired to the SBS box.  He said that there should be a setting in the router to not do dynamic routing on the internal interface.  That should stop all that icky traffic like that.

Did I know that was doing that?  Nope.  Once again proving the power of “in your face” email reports.

Suddenly I get this overwhelming urge to go stand up ISA servers all over the place to get more data.  This is cool.  If you haven't checked it out.. do it... and while it works on other firewalls... you know me I'm kinda partial to ISA server.

Sign up for the beta...and get more 'in your face' reporting from your firewall.

P.S.  I'm now RIP-less... I'll let you know what the updated firewall email looks like.

Paranoia for Laptops - it's already here

Abhi asks...when will we get the same level of support for a remote wipe of stolen or lost laptops....Abhi?  We already have the tools, we're just not using stuff already in the marketplace or stuff under our noses.  Steve Riley did an article on security of laptops and I already bought a service that monitors traveling laptops.

You know what?  We have these products now and sometimes we ask Microsoft for too much.  Let them do the core technology, but do we have to ask them to do everything including the kitchen sink around here?  I mean, there already are technologies and services that do this.  Why are we needing more than the marketplace already has in place?

So you want remote wipe?  We've got that.

You want security of data?  It's called EFS or PGP Drive.

Bottom line, it's already there.

 

 

When you might want to have a backup

From one of my CPA listserves comes the word that Intuit's Quickbooks 2006 is causing issues in the registry during some isolated cases, causing issues with the computer that take some time to fix.  Given that the software is out there and being installed and the underlying trigger hasn't been identified, the best advice I can give you is a reminder that we probably don't back up our local workstations like we should, so if you really and truly need Quickbooks 2006, back up the location you are installing it on.

When you are doing any sort of Software application upgrade you should ask yourself if all the other plugins that are needed for this app are also upgraded.  I know that some of the payroll plug ins have not been upgraded to work with the new version.

Now given that the 2006 version has to be installed “on” the server if you want to share the database [unlike the prior versions], you might want to keep this in mind when updating.  Get a good backup in place before you do this.

If the issue doesn't happen upon initial install, it won't happen.  But if it did/does.  Call Quickbooks support and ensure that the call is escalated to tier 2 or 3.  Larry in the listserve [who's a Lacerte Customer Council member] said as of now there isn't a fix.

It gets back to that ...you know...you don't have to be first in upgrading software.

Paranoia for Phones

The Microsoft Exchange Server ActiveSync Web Administration tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices.

 

By using the Exchange Server ActiveSync Web Administration Web tool, administrators can perform the following actions:

• View a list of all devices that are being used by any enterprise user

• Select/De-select devices to be remotely erased

• View the status of pending remote erase requests for each device

• View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to

 

The Microsoft Exchange Server ActiveSync Web Administration Tool is designed for use with Exchange Server 2003 Service Pack 2 and compatible mobile devices.

 

The last part of the puzzle is devices that support this... I'll have to see if my Audiovox's can be flash'd updated.  So far I've installed a word doc reader and pdf reader on them...

 

By the way..just a heads up ...this isn't SBSized as it sets up another default web folder, wants to go on port 80.  To put it on a SBS box you need to have it pick a new port ...say 8072...and then on the new default web site that it built, adjust the home directory to use the same settings as the MobileAdmin part.

 

You may want to not rush out and install this except for in a test network.

Yes Virginia, sometimes USB Drives do go bad

So I've been using Lacie harddrives to do my backups and this morning I get the message that the backup failed and in the log file is this:

Verify Status
Operation: Verify After Backup
Active backup destination: File
Active backup destination: G:\Backup Files\Small Business Server Backup (01).bkf

Verify of "C:"
Backup set #1 on media #1
Backup description: "SBS Backup created on 12/6/2005 at 9:00 PM"
Verify started on 12/7/2005 at 12:37 AM.

Error: An inconsistency was encountered in the requested backup file.
Verify completed on 12/7/2005 at 12:41 AM.
Directories: 3549
Files: 44138
Different: 0
Bytes: 6,328,598,216
Time:  4 minutes and  36 seconds

So notice that it's in the verify?  [See, this is why we leave the verify on].  Now remember what it says -- For more information about failed backups, see the article on troubleshooting your backup at the following Web page: http://go.microsoft.com/fwlink/?LinkId=18414

So I went there, and it says for that error --

Backup fails, reporting "An inconsistency was encountered."

Cause:  You are backing up to a UNC path on the local computer that is currently being backed up.

 

Solution:  Use the Backup Configuration Wizard to change the destination of the backup to another location. Alternately, you can use the wizard to exclude the UNC path from the backup.

 

Which doesn't make sense, since it's the same backup routine backing up to a drive letter on the server.  So I start poking around the event logs and find this right around the same time as the failed backup....

 

Event Type:    Warning
Event Source:    Disk
Event Category:    None
Event ID:    51
Date:        12/7/2005
Time:        12:41:35 AM
User:        N/A
Computer:    DOMAIN
Description:
An error was detected on device \Device\Harddisk2 during a paging operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And of course Disk2 is none other than my Lacie Harddrive when I open up Computer Management.  I don't think my issue is a UNC path. I think one of my first Lacie's is throwing off issues.  I had a  gig USB thumb drive die on me the other day.  I plugged it in and nothin'.  I took it around to like three machines and nothin'.

So I'm going to swap out this Lacie and see what's up.  Based on the error message I'm sure it's not an Exchange corruption, but I don't think it's UNC path either.

But I think I will poke around that health mon and see if I can add a counter to look for Disk warnings on those harddrives.  I have monitoring software for the HP to tell me when it's not optimal, but don't for the Lacie's.

P.S. which reminds me I need to set this backup for earlier in the evening, I normally like to not do things in the midnight to 2 am window [probably an old wives...or geeks tale...but it's my understanding there's maintenance stuff that goes on then so I try to stay outside of that] but I had pushed back the backup the night before to do something on the server and forgot to reset it for my normal time.
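The cross-check done by hand in this post can be scripted. The following is an added example, not part of the original post: it parses the verify section of the backup log and event records in the text layout quoted above, then reports Disk warnings that fall inside the verify window. The second and third event records and the five-minute slack are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Verify section of the backup log, copied from the post above.
BACKUP_LOG = r"""
Verify of "C:"
Backup set #1 on media #1
Backup description: "SBS Backup created on 12/6/2005 at 9:00 PM"
Verify started on 12/7/2005 at 12:37 AM.

Error: An inconsistency was encountered in the requested backup file.
Verify completed on 12/7/2005 at 12:41 AM.
"""

# First record is the Disk warning from the post; the other two are
# constructed for this example (an older Disk warning, an unrelated source).
EVENT_TEXT = r"""
Event Type:    Warning
Event Source:    Disk
Event ID:    51
Date:        12/7/2005
Time:        12:41:35 AM
Description:
An error was detected on device \Device\Harddisk2 during a paging operation.

Event Type:    Warning
Event Source:    Disk
Event ID:    51
Date:        12/5/2005
Time:        3:10:02 PM
Description:
An error was detected on device \Device\Harddisk2 during a paging operation.

Event Type:    Warning
Event Source:    ExampleService
Event ID:    1000
Date:        12/7/2005
Time:        12:39:10 AM
Description:
Constructed event from an unrelated source.
"""

STAMP = r"(\d{1,2}/\d{1,2}/\d{4}) at (\d{1,2}:\d{2} [AP]M)"
FIELDS = {"Event Type", "Event Source", "Event ID", "Date", "Time"}


def parse_verify(log_text):
    """Return the verify window and any 'Error:' lines logged inside it."""
    result = {"started": None, "completed": None, "errors": []}
    for line in log_text.splitlines():
        m = re.match(r"Verify (started|completed) on " + STAMP, line)
        if m:
            result[m.group(1)] = datetime.strptime(
                m.group(2) + " " + m.group(3), "%m/%d/%Y %I:%M %p")
        elif (result["started"] and not result["completed"]
              and line.startswith("Error:")):
            result["errors"].append(line[len("Error:"):].strip())
    return result


def parse_events(text):
    """Parse 'Key: value' event records as copied out of Event Viewer."""
    events, in_desc = [], False
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key == "Event Type" and sep:
            events.append({"Description": ""})
            in_desc = False
        if not events:
            continue
        cur = events[-1]
        if in_desc:
            in_desc = bool(line.strip())  # a blank line ends the description
            cur["Description"] = (cur["Description"] + " " + line.strip()).strip()
        elif key == "Description" and sep:
            cur["Description"] = value.strip()
            in_desc = True
        elif key in FIELDS and sep:
            cur[key] = value.strip()
    for ev in events:
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                       "%m/%d/%Y %I:%M:%S %p")
    return events


def disk_warnings_during(verify, events, slack=timedelta(minutes=5)):
    """Disk warnings/errors inside the verify window, widened by `slack`.

    The backup log only records minutes, so a warning stamped 12:41:35 falls
    after a "completed at 12:41" line unless the window is widened a little.
    """
    if verify["started"] is None:
        return []
    lo = verify["started"] - slack
    hi = (verify["completed"] or verify["started"]) + slack
    hits = []
    for ev in events:
        if ev.get("Event Source", "").lower() != "disk":
            continue
        if ev.get("Event Type") not in ("Warning", "Error"):
            continue
        if lo <= ev["when"] <= hi:
            dev = re.search(r"\\Device\\\w+", ev["Description"])
            hits.append((ev["when"], int(ev["Event ID"]),
                         dev.group(0) if dev else None))
    return hits


if __name__ == "__main__":
    verify = parse_verify(BACKUP_LOG)
    for when, event_id, device in disk_warnings_during(verify, parse_events(EVENT_TEXT)):
        print(f"{when}  Disk event {event_id} on {device} during verify")
```

A hit here points at the destination drive rather than at the backup job's configuration, which is the conclusion the post reaches by reading the two logs side by side.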

Small Business Specialist webcast

Microsoft Partner Readiness:
http://www.msreadiness.com/WS_abstract.asp?eid=15003015

Join your host Eric Ligman every month to discuss the latest and greatest in the Small Business Specialist Community. Eric will have guest speakers discussing the different technical, sales and marketing, product, and offer highlights in the Small Business Specialist Community

12/13/2005 - 9 a.m. Pacific


 

Yo, the ExRAP is in the house

Connecting Point of Sale and RMS to SBA 2006

Download details: POS Connector for Microsoft Office Small Business Accounting 2006 and Microsoft Retail Management System:

Download details: POS Connector for Microsoft Office Small Business Accounting 2006 and Microsoft Point of Sale:

For a split second I read this as “POP connector“ and was wondering what?  Actually this was a MUCH requested add on to the Microsoft Point of Sale system... now Point of Sale connects to Small Business Accounting!  This was the number one asked for feature at the TS2 presentation.

So what about SBS?

Windows Server Division WebLog : Windows Small Business Server 2003 R2 - Get the details here!:

So Windows 2003 R2 released and you are probably going..okay...so what about SBS?  Well the answer is kinda interesting actually.  Especially on the CAL side of the offerings where we can add additional SQL servers without having to buy SQL server cals.

Check it out... remember if you are a SA'er like me you get this automagically.

 

So a client doesn't pay?

So a client doesn't pay and you normally hand over the Admin passwords upon payment, right?  So what do you do when a client doesn't pay the bill, do you withhold the passwords until they do?

Is this an ethical thing to do?

And you do realize that with physical access to that server, you can merely reset the Administrator's password [keeping in mind that doing this on your AD/domain controller is very risky and not recommended but if the client is that dead set on not paying the bill.....]

If they bought the software, and owe you for the labor, is the password part of the Operating system that they own, or part of the labor that they still owe you for?

Do you include an arbitration clause in your engagement letter?

Do you screen potential clients?

  • You suspect he/she won't pay.
  • There is a history (especially recently) of not being able to satisfactorily meet his or her financial obligations.
  • The person is experiencing deterioration in his/her business.
  • He/she has recently lost a key staff member or is experiencing high turnover.
  • The person has, according to prior vendors, a poor payment record. [In the United States one can review a Dun and Bradstreet report]
    Do you educate your clients?  Do you send an engagement letter regarding your billing and payment policies?  If your billing practices are vague and irregular, your clients are more likely to pay in that manner as well.

    Do you review your client base?  If you have staff get their feedback.  Sit down.  Which clients are your “A” clients?  Which ones are “B's” and “C's” that need to be upgraded or fired?  Yes, you can fire a client.

    The better an engagement letter is, the better your understanding is up front.  An engagement letter helps to solidify money arrangements.

    [log onto smallbizit's yahoogroups in the file section for examples of engagement letters and contracts]

    THE be-all-end-all how to install SBS 2003 sp1

    So in the mailbag today comes the request that someone is “looking for “THE” this is how you install sbs 2003 sp1...any ideas?  All I see is bits and bobs here and there”

    Haven't seen this, have you?

    How to install Service Pack 1 for SBS 2003:
    http://www.smallbizserver.net/Default.aspx?tabid=236

    That's THE how to install SP1 on a SBS box be all and end all document.

    Now these days we have been installing Exchange 2003 sp2 instead of SP1 with success as you get the 75 gig mail storage [18 gig default, bump up the rest via reg key]

    KB articles of interest

    Error event 386 and other synchronization problems occur when you use the default WMSDE database configuration to deploy Windows Server Update Services:
    http://support.microsoft.com/?kbid=909456
    You may receive an “0x80070005: Access is denied" error message when you create a scheduled task on a Windows XP-based computer after you install security update 841873:
    http://support.microsoft.com/?kbid=904423
    Description of the Windows Server 2003 Technical Reference:
    http://support.microsoft.com/?kbid=910766
    Microsoft products do not reflect Australian daylight saving time changes for the year 2006:
    http://support.microsoft.com/?kbid=909915
    Microsoft Outlook Web Access and Microsoft Collaboration Data Objects (CDO) daylight saving time transition change for Australia in the year 2006:
    http://support.microsoft.com/?kbid=909933

    When standardization isn't a good thing

    Sometimes standardization is good, and sometimes it's not....

    Ed Foster's Gripelog || Dell Won't Recall Defective Motherboards:
    http://www.gripe2ed.com/scoop/story/2005/8/30/0141/79530

    Between the motherboard issue from the past, to a more recent issue we are tracking with fans going out on the Dell GX 280 CPUs.  When you start seeing a batch of hardware start acting flaky... ask around... you might not be alone and thus you might need to start looking a little closer at that system.

    The importance of System State backup

    When you perform a system state backup on a domain controller that is running Windows Server 2003 with Service Pack 1, Backup may fail:
    http://support.microsoft.com/?kbid=909265

    The moral of this KB is? 

    Don't move the log files.

    I haven't seen too many of us hit this...but nevertheless I'm beginning to think that systemstatebackup which is a normal part of the SBS backup...well it wouldn't hurt to do an extra one every now and then.

    So why is it important?  Because it's the glue of your network.  The important stuff.  All that active directory stuff that counts.

    The size of the logs

    The default size.  You probably haven't even looked at these have you?  The default size for the event logs can be pretty small.  And the size of this one in particular, the Directory Service event log of 512 KB means that I don't have any entry prior to when a SBS box freaked out on a Consultant.

    So can we adjust that?  Sure can.  What's the max?  A heck of a lot more than 512 KB.  Just remember we should not go more than 64000 KB as that will cause issues with our backup, but man I sure wish that Directory services event log would have been set a lot higher than 512 KB. 

    The moral of this story?  Partition off your C: drive appropriately, move off data folders, but man, mess with the default size of those audit logs, 'cause you never know when you'll need to have the data that those logs will give you.  All we have now is confirmation that that box was freaking out.  We don't have anything in that log file right 'before' what looks to be the start of the 'freak out'. 

    Ensuring you have the data you need when you need it...well that extends to the log files as well.
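One way to check and raise these limits in bulk, as an added example that is not from the original post. It assumes the classic event logs keep their size limit, in bytes, in the MaxSize value under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log name>; the sample sizes used off Windows are constructed.

```python
import sys

# Assumption: each classic event log keeps its size limit, in bytes, in the
# MaxSize value under this key, and sizes are set in 64 KB steps.
EVENTLOG_KEY = r"SYSTEM\CurrentControlSet\Services\Eventlog"
STEP_KB = 64
CAP_KB = 64000  # ceiling given in the post above


def plan_sizes(current_kb, wanted_kb):
    """Return {log: new_kb} for the logs that should grow.

    Requests are clamped to CAP_KB and rounded down to a 64 KB step.
    A log is never shrunk by this plan.
    """
    plan = {}
    for log, have in current_kb.items():
        want = min(wanted_kb.get(log, have), CAP_KB)
        want -= want % STEP_KB
        if want > have:
            plan[log] = want
    return plan


def read_sizes(logs):
    """Windows only: current limit in KB for each named log that has one."""
    import winreg
    sizes = {}
    for log in logs:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                EVENTLOG_KEY + "\\" + log) as key:
                sizes[log] = winreg.QueryValueEx(key, "MaxSize")[0] // 1024
        except FileNotFoundError:
            pass  # no such log, or no explicit limit configured
    return sizes


def apply_plan(plan):
    """Windows only, run as an administrator: write the planned limits."""
    import winreg
    for log, kb in plan.items():
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            EVENTLOG_KEY + "\\" + log,
                            0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "MaxSize", 0, winreg.REG_DWORD, kb * 1024)


if __name__ == "__main__":
    logs = ["Application", "Security", "System", "Directory Service"]
    if sys.platform == "win32":
        current = read_sizes(logs)
    else:
        # Constructed sample so the planning step can be tried anywhere.
        current = {"Application": 16384, "Security": 16384,
                   "System": 16384, "Directory Service": 512}
    plan = plan_sizes(current, {log: CAP_KB for log in logs})
    for log, kb in plan.items():
        print(f"{log}: {current[log]} KB -> {kb} KB")
    # apply_plan(plan)  # enable after reviewing the printed plan
```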

    Change Management SBS style part II

    I forgot another person who may introduce 'change management' unknowingly in a SBS system.  The LOB app vendor.  Now this is where me and my fellow MVP Dave Nickason are lucky.  We have pretty self contained LOB apps that don't need some add coder to go mucking around your servers.  But most of you are not so lucky.

    And when they do want remote access, they don't want to use the built in Remote Assistance tools but instead insist on PCAnywhere or VNC.

    As a newsgroup that's seen one too many line of business installers come in and start disabling things and ripping out stuff they shouldn't, talk to your client.  Make sure they know to call the consultant in that handles the SBS box.  Instruct your client to 'freak out' when Copier/scanner vendors ask for administrator passwords, when LOB app vendors ask to install third party programs, when they start removing things they shouldn't.

    Get yourself in that Quarterback role of Change Management in that network.

    The restore

    Always what comes up is the question of “do you test your restore?”

    But how do you test that restore?  The SBS podcast gang make the point of testing the restore... and I'll be flat out honest with you... I've renamed files off my box and restored that, but if you came into my office tomorrow and said “how about we back up that system, erase everything, and we test that restore process” I'd say to you.... “how about let's not.”

    As a business owner I would not want you to 'practice' on my box.  That doesn't mean you shouldn't practice a restore process for YOUR home box however on YOUR test network.  But to ask a small business owner that depends on that server to allow you to practice on it?  Not gonna happen.

    The best you can do is try [and given that we don't buy boxes in quantities] to get a play server somewhat close to your clients, but that's even asking a lot.  What you can do is take the system state from one box and restore it to another box you have at the office.  Or you can practice a restore process on your home system. 

    But to ask a business owner if you can back it up, flatten it, and practice a restore?  Boy I'm not sure you could sell that to me even as paranoid as I am.  I won't mind you testing to restore the system state to an alternative location, but you'd better be practicing a restore on another box or your server.  Flatten my baby?  I don't trust you enough to do that.  You do it on your own box and you assure me that you've done the process, and you test my backup by restoring the system state to another system, but flatten mine and do a dry run?  I'll trust in the process rather than risk the disruption.

    And we're still arguing the merits of an additional domain controller over a monthly Image [like Paragon's drive image].  Most of us have a member server for the external terminal services box, right?  Okay so we know that having a domain controller also be a terminal services in app mode box is insane.  So now we're going to ask that box to be a TS box 'and' an additional DC as well?  Doesn't that put some additional risks back into our firms that we didn't have before?  Granted in big server land they cannot image a domain controller when there are multiple DCs due to USN rollback issues, but in our single DCs...we can get away with it.  Is simplicity of design better than redundancy? 

    See how there's not a 'right answer' for every firm?  We're to the part of computing when we have to throw out the checklists.  You have to look at the risks of each firm and not cookie cutter out the answer for each, I think.

    Sit down that owner.  Listen to his pain points.  Solve them.  Fix the processes, don't just shove a tool in there.  And you flatten your box and test.  Not theirs.

    Change management SBS style.

    Change management.  The hardest task [I think] for a VAP/VAR/Consultant is “Change Management”.  In a big firm change management is this multi tiered process where any change to the system is tested, reviewed, approved and then and only then is change introduced into a system.

    Now come to SBSland where 'change' is more likely than not to be introduced by the receptionist, or by the Son of the owner who “knows a few things about computers”.  Now for the VAP/VAR/Consultant I know you document your change management.  You do it to ensure you bill for the task.  But do you ensure that you have your client track what has been done to a box?

    So many times you'll get the “Oh we didn't do anything to the system.....except maybe.....”  For some they control change management by having the Administrator password and the boss/owner doesn't have it.  For some VAP/VAR/Consultants... we know some of the users passwords even.  Going back through the event logs sometimes is the way you check for 'change management'.  But if you can?  For those that you do allow to be somewhat of admins of their systems? Do you place a notebook by the server to ensure they document what they did [or think they did?].  Do you have an admin account login for them so you can track what they did and when they logged in?

    The webcast part of the SBS Podcast

    Hey how did I miss this...this is the webcast part of the SBSpodcast:

    http://www.msreadiness.com/WS_abstract.asp?eid=15003426

    http://www.msreadiness.com/WS_abstract.asp?eid=15003427

    During this hour we will be picking the brain of Microsoft Product Support Gurus for Small Business Server 2003. Having supported SBS, they will be sharing best practices and seldom documented resources to more expediently root out issues with Small Business Server 2003. Don’t miss this rare opportunity to hear it from the folks in the boiler room! An intermediate understanding of Small Business Server is necessary to get the most from this webcast. Also, be sure not to miss part 2 of the series directly after this presentation since we’ll be building upon what we’ve discussed here

    Don't let the Error file name fool you

    The SBS podcast gang talked about this tool...what they didn't say is that it's called the Exchange Error code tool.

    So what should be in our toolbag?

    {sorry messed up the sysinternals.com link..now fixed}

    Can I delete KB###### files?

    You've seen them.  In the Windows subdirectory if you've been a good paranoid person, you'll find these KBinstall/log files all over that subdirectory.  Chris in the SBS podcast said that yes you could delete all these log files, especially if you knew the patches were installed.... and I'm going to disagree just a little bit.

    Here's what I do... for one... make sure that C: drive is big enough that you really don't care, but since you do, go into add/remove programs and write down all the Windows KB article numbers in there on a piece of paper.

    Now go into your windows folder that has those KBarticle numbers that correspond to all the patches on your box.  Delete the ones that YOU DON'T find on your listing.

    What this allows you to do is easily remove any patch that is active on your system just in case you need to and review the log files.  The KBs that you don't see in that add/remove have been replaced with other patches and service packs. 

    So I won't remove all of those log files....just some of them....
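The paper-list comparison described above, as an added example that is not part of the original post. It is a dry run that deletes nothing; the item names it looks for (`KB######.log` files and `$NtUninstallKB######$` folders directly under the Windows folder) are an assumption about what the post calls "KB###### files", and the KB numbers in the demo are constructed.

```python
import os
import re
import tempfile

# Assumed naming (not stated in the post): per-patch logs "KB######.log" and
# uninstall folders "$NtUninstallKB######$" directly under the Windows folder.
KB_ITEM = re.compile(r"^(?:\$NtUninstall(KB\d{6,7})\$|(KB\d{6,7})\.log)$",
                     re.IGNORECASE)
KB_ID = re.compile(r"KB\d{6,7}", re.IGNORECASE)


def installed_kbs(notes):
    """KB numbers copied down from Add/Remove Programs, in any free text."""
    return {kb.upper() for kb in KB_ID.findall(notes)}


def triage(windows_dir, installed):
    """Split KB-named items into (keep, removable) without deleting anything.

    keep:      the patch is still listed, so its log and uninstall data are
               what you need to review or back the patch out.
    removable: the patch is no longer listed (replaced by a later patch or
               service pack), which is the only group the post deletes.
    """
    keep, removable = [], []
    for entry in sorted(os.scandir(windows_dir), key=lambda e: e.name.lower()):
        m = KB_ITEM.match(entry.name)
        if not m:
            continue  # not a per-patch item: never a candidate
        kb = (m.group(1) or m.group(2)).upper()
        (keep if kb in installed else removable).append(entry.name)
    return keep, removable


def demo():
    """Run the triage against a throwaway folder with constructed names."""
    notes = "Add/Remove Programs shows: Security Update (kb000001)"
    with tempfile.TemporaryDirectory() as win:
        for name in ("KB000001.log", "KB000002.log", "setuplog.txt"):
            open(os.path.join(win, name), "w").close()
        for name in ("$NtUninstallKB000001$", "$NtUninstallKB000003$"):
            os.mkdir(os.path.join(win, name))
        return triage(win, installed_kbs(notes))


if __name__ == "__main__":
    keep, removable = demo()
    print("keep:     ", keep)
    print("removable:", removable)
```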

    Deploying a third party cert

    So someone the other day asked me about installing a Certificate authority on a SBS box.... and I argued with them and pointed to the post I had done the other day about self signed certs.  So today I realized that all we needed to know about how SBS handled the Certs and where it saved them was in the “More information“ click box inside the Connect to the Internet wizard.....

    You'd think I'd learn to read by now wouldn't you....


    Web Server Certificate

    Several of the Web services require Secure Sockets Layer (SSL) to secure communications between a Web browser and your Web server. For the wizard to configure SSL, you must either have the wizard create a Web server certificate or you must provide a certificate file from a trusted authority.

    A certificate is needed to establish identity and create trusts for the secure exchange of information. The certificate must be signed by a certification authority (CA). The wizard can create a certificate signed by your server, or you can obtain your own certificate signed by a commercial CA, such as VeriSign.

    Option: Description

    • Create a new Web server certificate: Click to create a self-signed certificate, and then type the full Internet name of your server that is used to access your server from the Internet.
      The certificate expiration period is set to five years. The certificate will also be saved as SBScert.cer in the Clientapps\SBScert folder so that it can be deployed to client computers by the Client Setup Wizard.
    • Use a Web server certificate from a trusted authority: Click to use a certificate obtained from a trusted authority, and then click Browse to locate the certificate.
      If you do not have an existing certificate from a trusted authority, but would like to obtain one, you must create a certificate request using the Web Server Certificate Wizard in Internet Information Services (IIS). To do so, complete the following:

      To create a certificate request

      1. Open Server Management.
      2. In the console tree, click Advanced Management, click Internet Information Services, click YourServerName (local computer), and then click the Web Sites folder.
      3. In the details pane, right-click Default Web site, and then click Properties.
      4. On the Default Web Site Properties page, click the Directory Security tab, and under Secure communications, click Server Certificate.
      5. On the Server Certificate page of the IIS Certificate Wizard, click Create a new certificate.
      6. On the Delayed or Immediate Request page, prepare a request to be sent later or immediately as needed.
      7. On the Name and Security Settings page, in Name, type a name for the new certificate. Next, select the appropriate bit length based on your organization's requirement. Verify with the CA that they support certificates of the corresponding encryption strength before submitting the certificate request.
      8. On the Organization Information page, in Organizational Name, type the legal name of your organization. In Organizational unit, type the name of your division or department. If your organization does not have a division, you can type the legal name of your organization.
      9. On the Your Site's Common Name page, type the common name for your site exactly as it appears to the external users, such as www.mydomain.com.
      10. On the Geographic Information page, type the required information.
      11. On the Certificate Request File Name page, type a file name.
      12. On the Request File Summary Page, click Next.
      13. Click Finish.

      Note: To open Server Management, click Start, and then click Server Management.

      Once you have completed the process for obtaining the certificate, the organization will send you the certificate along with instructions for installing the certificate. You must then rerun the Configure E-mail and Internet Connection Wizard to change your Web server certificate settings.

      Notes:

      • This certificate is not deployed to client computers as it is already a trusted certificate.
      • If you want users to securely access their Internet e-mail on the server using either Wireless Application Protocol (WAP) 2.x devices or Microsoft Smartphone 2002 or Microsoft Pocket PC Phone Edition 2002 mobile devices, either the server must have a commercial certificate from a trusted CA or you must follow a procedure so the device works with a self-signed certificate that you create. This procedure decreases the security of your mobile device. Therefore, the recommended and more secure method is to use a commercial certificate. For more information, see “Connecting Mobile and Remote Users” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=33539).
        The 2003 versions of these mobile devices do not require a commercial CA for the higher level of security.  [The Audiovox 5600 will easily accept the self signed certs]

    • Do not change current Web server certificate: Click if you are rerunning the wizard, and you do not want to change the settings specified the last time you ran the wizard.

    WSUS settings

    One of the confusing things about WSUS are the settings.  On my home server, I have it so that all the systems can 'detect' patches, but only the workstations and the 'unassigned' computers can actually get automatically patched.  The main setting should look like this:

    See how I'm wanting the Server to not get automatic approvals?  I also did not check 'all' of the kinds of downloads, just the security patches.

    ...but bottom line I still think WSUS is confusing.  But if you are a consultant...now's the time to install it and get used to it.

    Two white papers on Blaster and Malware

    Msblast significantly affected Microsoft software design and development, including specific impacts on Windows XP Service Pack 2 (SP2).

    These developments included:

    • Enabling the Windows Firewall by default. In addition to enabling the Windows Firewall by default for Windows XP users, Windows XP SP2 also closed a vulnerability in previous versions of Windows XP, where, as Windows started up, there was a small period of time for which networking was enabled but the firewall was not yet active.

    • Making it easier for users to enable Automatic Updates (AU). Immediately after installing Windows XP SP2, users are presented with a full-screen dialog box that prompts them explicitly to choose whether to enable AU.

    • Windows Security Center (WSC). The WSC feature in Windows XP SP2 alerts users if they have not chosen to enable AU, a firewall, or real-time anti-virus protection.  WSC also alerts users if the anti-virus product they have installed is out of date.

    • RPC/DCOM authentication. The RPC interface was significantly locked down in Windows XP SP2 to prevent unauthenticated connections, such as the one that allowed Msblast to infect a computer.

     

    Two SBS Support Podcasts this weekend!

    Man is this going to be too cool or what?

    A two for one from the SBS Support podcast gang!

    I can hardly wait!

    [and you can check out some views of the Support gang]

     

     

    Declaration of Administrators and End Users for installation of software and patch standardization

    Sun Microsystems:
    http://www.sun.com/2005-1004/feature/
    read that link regarding the Google toolbar being now included in runtime updates

    I hereby put forth a Declaration of Administrators and End Users for installation of software and patch standardization.

    If software companies can do End User License Agreements, I can have my own agreement and declaration of rights.

    Dear Software Vendors.

    When updating me, you will not bundle in technologies that I didn't realize you were partnering with.  You will not make it confusing to my Mom and Dad when keeping their computers safe. 
    This has got to stop.  You say that this is being done to support free and open source software and all it is doing is adding tool bars I don't want, software I don't need.

    I refuse to install any Sun Java Runtime as long as you bundle software with it.

    I don't want to have the Yahoo toolbar with Adobe reader either.  I don't want MSN desktop search with my MSN IM.  I don't want to have to constantly monitor every single application for options, uncheck boxes or any other ways I have to constantly monitor for unknown applications entering into my networks, my parent's computers.

    As an administrator, as an end user, I demand that you do not make me have to ensure I read every screen, click every click to only get the software that I thought I was getting.

    I agreed to install one application from one vendor.  I did not give you the right to insert a tool bar that gathers information from me.  I did not give you the right to precheck "yes" to installing additional software.

    I want all of my vendors to start agreeing on a patch installation standard.  I want them to publish in a database their supported versions, where one can easily go to see in the registry what version one has, and other such standard procedures to audit the application of patches.  I want to be notified via email or rss feed when you are releasing patches for my applications.

    You want my trust?  So that I'll buy products from you?  Use your software?  Then you be way more transparent and accountable to me.

    I'm the user of your software only as long as I want to be.

    Remember that.

    Susan Bradley
    Admin

    Yeah I know... it's Friday... I'm in a mood.....so....anyone know the email address for Scott McNealy?

    Knowing what you need

    What if you heard a story about a person who had a laptop so infected that it needed to be flattened but they couldn't find the original cdroms to rebuild the machine?

    What if you heard a story about a person who moved a file from one machine to the office machine and ended up infecting the office network?

    What if you heard a story about a computer guy who was supposed to write a database program, asked the business owner to buy a server from Dell, a Business server...and it sat around for like 60 days and when the programmer finally came in he said “you got the one with SQL right?” and the business owner said “I don't know?”

    What if I told you that when they called in another person [a college student] to work on the server when the first guy walked off, no one knew the password so they had to use a cracking program to reset the admin password?

    What if you heard a story about a person who was considering setting up only one machine in the network as the Internet machine because he didn't want to risk infecting all the rest of the machines?

    What if I told you all these people..... are the same business owner?

    The stuff I take for granted...most business owners don't know about.  They don't know that original cdroms should be kept for just this reason, but better yet they don't know the way to KEEP their systems from getting into this mess in the first place.  I make sure all email get scanned at a gateway before it comes into my office.  I buy antivirus for our employees at home to keep their machines clean.  And above all else, I would have hired the right person.  You get someone who has installed networks for small businesses.  Not someone who does this on the side.  Not someone who's a college student majoring in computer science [unless of course they have indeed installed SBS boxes before], you get someone that knows SBS boxes.

    You don't need someone who has worked in large enterprises, you need to have someone who has handled the issues of a small firm before.

    Mr. Business owner?  You go to an appropriate professional when you get services done, right?  A doctor for medical needs.  A mechanic for car needs.  Why do you feel that 'anyone' can work on computers?

    Don't change the way you set up your computers, change the way you hire your computer specialists.  You set up your network to be your defender not your infector.  You get someone who understands the needs of a small business.

    You get a professional.

    SBS on WSUS and MU

    Steve Mattox posted to the newsgroup.....

     

    The SBS team is proud to announce the availability of Windows Small Business Server (SBS) on Microsoft Update (MU) and Windows Server Update Services

    (WSUS).

     

    Today, fixes to issues that are found in the SBS product will now be available through MU and WSUS.  Also today you will notice a change in the SBS download Center web page.

     

    The Windows Small Business Server team is recommending Microsoft Update or WSUS to be the method for keeping your Windows Small Business Server network

    Up-to-date and Secure.  For guidance and information, please visit the SBS download Center

    (http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx ).

     

    If you are interested in installing WSUS, please refer to "Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services on

    Windows Small Business Server 2003"

    (http://www.microsoft.com/downloads/details.aspx?FamilyID=28c43d57-2e15-47b2-9a6f-1514aa3ed05f ).

     

    What updates are available now?

     

    There will only be 2 updates available through MU\WSUS at this time and they will only apply to SBS 2003.  These updates are not new; they are the

    existing updates previously available through our Download center.

     

    Hotfix for Windows Small Business Server 2003: KB 833992

     

    ·         Description: This download address a particular way mail downloads can fail when using the POP3 connector in Small Business Server 2003. This issue causes the process IMBDOWNL.EXE to be hung with the CPU utilization at 25, 50 or 100%. A warning with event ID 1067 will be recorded by the POP3 server in the event log when this error occurs.

     

    ·         Security/Critical/Recommended? Recommended

     

    ·         Available sources:  MU, WSUS, and DLC

     

    ·         New update/Changes to existing update? Re-release of old Update which was previously released through DLC

     

    Update for Windows Small Business Server 2003: KB 835734 [my comment -- yeah finally the patch for .....yes, your SBS box is sending out all those emails patch]

     

    ·         Description: There is a problem with how the POP3 connector processes certain messages downloaded from a POP3 server. This problem could

    result in the POP3 connector accidentally re-sending certain messages to recipients who are not part of the SBS server e-mail domain. This may happen

    only in the cases where the POP3 connector is used to download mail from an external POP account. Customers using Exchange to host their mail internally

    will not experience this problem. This update resolves this issue. All SBS customers are encouraged to install this update.

     

    ·         Security/Critical/Recommended? Recommended

     

    ·         Available sources:  MU, WSUS, and DLC

     

    ·         New update/Changes to existing update? Re-release of old Update which was previously released through DLC

     

    What Updates will be available in the future?

     

    All updates that SBS releases will be available on MU\WSUS.

     

     

    What other products that SBS ships will be available on MU\WSUS?

     

    The major products now supported are: Windows Server, Exchange Server, SQL, SharePoint Services and Outlook.  ISA will be supported from their ISA 2004 SP2 and on (Feb 06).  More products to come in the next wave.

     

     

    How do I configure WSUS?

     

    As some of you have seen, SBS is now a category in WSUS Admin.  This category only covers SBS specific fixes.  You will need to select the other available applications that are on your SBS server so that the updates for those applications will also be downloaded.

     

     

    Upcoming Updates:

     

    Yes, we are working on a Critical update to be released on 12/13.  This is an issue that was found where reinstalling Windows SharePoint Services will randomly delete a document library.  This will only be applied to SBS SP1 Slipstream installations, not web downloads.

    Ensuring those foundations are there

    When you build a house in California, you pour a concrete slab and then build from there.  When you install a SBS 2003 system you install it on a server.  The foundation.  The slab.  And as long as your foundation is good and solid, you are good to go as well.

    On my HP at the office is the HPSmartStart software that helps to make the SBS install easier and installs all the hardware monitoring software.  Yes, the HARDWARE monitoring software. It's checking the condition and status of the RAID array underneath.  So if I drop a drive it will let me know.  My older server has a lovely, so wonderful, screeching sound that the Adaptec card gives off when it drops a drive.

    To me I consider hardware raid a normal part of a server install.  You just have a hardware based raid period for a good solid foundation for your network. 

    People in the newsgroup have seen us post about SBS 2003 sp1 and they say “gee I depend on this server so I don't want to break it”.  Well, if you depend on it, ensure two things.

    1. Good solid server hardware and that includes RAID, and that preferably includes monitoring software that alerts you to issues
    2. A good backup, a drive image, something.  Les is raving about Paragon Drive image these days saying that it's worth every penny of the Server price tag [and when “Les is more” says something is good, he doesn't give that recommendation lightly].  Remember that while the AD guys go pale when we drive image our DC's, because we are a single DC we can get away with it.

    So folks... get those foundations in place and you won't worry about the server breaking.  You'll know proactively when things occur, and you'll have a disaster recovery plan in place should something occur.

    I got my backup wizard back

    If you remember from the other day my backup wizard wasn't working ... well got it all fixed up.  Now I'm not going to tell you what was done to fix it for two reasons....

    one... the chances that a real nicely maintained and well cared for SBS box is ever going to see what I did to my box is very very slim to none....this issue was on my old, beat up, beta bugged, so many betas that it permanently has “build number“ in the corner box.

    for two... this isn't a fix that was found lightly.  A debugger had to be set up on my system to figure out what had gone wrong on it... needless to say it was a registry key that ..once gone.... kinda screwed a few things up.

    The moral for this story is?

    No amount of googling, newsgroup posting, searching would have solved this.  I could not have solved this.  This took someone to set up a debugger on this box to determine the underlying cause.  I needed Microsoft product support services on this.

    Furthermore, this was an issue that was worth every penny of a support call.  If this had been a real box, this was one sick little puppy on our hands.  As it was I opened up the case because it was a stumper of a case.  Folks that say “I can't afford to call product support” ... I'm sorry but if your business is like mine and it depends on technology, you can afford a reasonable amount of maintenance.  People will put gas, change the oil, get their car tuned at the mechanic but consider calling support something they don't do.

    Well it's time you made sure you include Product support in your toolbag.  Notice as messed up as this little guy is we didn't reinstall it, we didn't flatten it.  Even as messed up as it was, it was not bad enough to force a reinstall.  Those who say “I come into installations not knowing the issues so I just reinstall“, take the issues one at a time.  Look in the event logs,  Google up the obvious errors, go to www.eventid.net for the harder ones, ask in the newsgroup.  But when you can tell from your googling that you are hitting a brick wall, you call.

     

    We have another blog link today

    Just adding another SBS team member link today...

    Tech Talk with Stephanie Doakes, Ed Gomes & Roderick White:
    http://blogs.technet.com/sdoakes/

    Another girl for the bathroom!  So Cool! *

    * This refers to the fact that whenever I walk into the bathroom at a tech event the women's restroom is nearly or is totally empty.


     

    So now you have a server... what do you monitor?

    I'm stealing a post from the newsgroup from fellow MVP Dave Nickason with my comments in italics...

     

    FWIW, this is what I do:

    • check all logs daily for errors or possible problems (or as close to daily as I can) [yup so do I - but remember your daily email will alert you... read it!]
    • make sure the backup ran successfully, and that the designated person changed the tapes, also daily  [these days it's a usb harddrive]
    • monitor the AV software to make sure it's updating the servers and workstations as it should be [this is where your early warning indicator is XP sp2 with the security center comes in handy-- when it freaks ....so do I]
    • frequently check the server monitoring program to make sure no hardware is failed or failing.  I try to do this in the server room rather than remotely so I can make sure that there's not a vacuum cleaner plugged into the UPS or someone's coat hanging on a server [I lock the server room at night and check for physical issues, my HP machine has additional monitoring software that lets me know of issues]
    • occasionally monitor the drives for free space [the daily emails tell me how much the server drives are growing]
    • occasionally check the UPS status [one of our main printers is also in the network room so the green lights are pretty obvious]
    • keep track of patch releases and install all necessary patches shortly after their release (you can subscribe to security alerts, etc. from Microsoft or watch for Susan Bradley to post something when they're released)  [who me?  Yeah I get the security alerts on my IM and my cell phone I also watch the chatter from the Patch Management listserve and Shavlik emails me with patches that are ready to use in their deployment tool.... unlike... uh.. WSUS who will shove stuff out without telling me.  I normally install patches depending on the risk, the 'chatter' on the backchannel regarding threats out there, and what firm deadlines might be of concern.  Most of the time I'll patch on a Friday, but there are times I have patched on “Patch Tuesday evening“. You do know about patch tuesday, right?  Second Tuesday of the month is the day the bulletins get released]

    For Exchange, I do nothing except monitor the server logs daily and the database size occasionally.  Rightly or wrongly, I almost never defrag.  [same here, and mine is the biggest mailbox.  These days with 75 gigs it's less of an issue]

     

    Two comments:  If you frequently monitor the server logs, you may spot something at the warning stage and avert a problem before it becomes critical (and thereby makes it into the e-mail report).  And, it's a good idea to do some monitoring so that you're familiar with how things run normally - this can help a lot in troubleshooting when something goes wrong.  [Honestly I think I'm going to set up some baseline Perf mons on my baby...we did it on the Yoda server box and Vlad constantly kept saying “baseline it” “baseline it” and all of us SBSers are going...do what-line it?]

     

    There's one more thing that has come in handy over the years... have the DSL modem in a place where you can see it.  There's been a couple of times that I've caught things [usually people downloading something they shouldn't]... by seeing the solid lights on the DSL box and thinking to myself “okay what's doing a solid yank on our pipe like that?”  In a normal small office those DSL light connectors should blink.  Unless you are streaming media, watching a webcast, there's a pulse of activity, but not a solid light.  After a while as an admin, you'll know your firm's 'pulse'...and you'll know when something isn't right.  Every now and then pull up the live logging of ISA and see what's up and what your folks are doing.  Your acceptable use policy [you do have one, right?] says that you have the right to review anything and everything on that employee's system.  If your DSL modem is stuck solid on, fire up that ISA real time monitor and check it out.

     

    Bottom line just be a smidge proactive, a smidge nosey, a smidge inquisitive... you'll be a very good SBS admin.
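
The "baseline it" advice and the solid-DSL-light check above, as an added example that is not part of the original post: it learns from a known-normal period what a busy minute looks like, then flags only traffic that stays busy for several minutes in a row and names the client behind it. The per-minute KB figures and the workstation names ws1..ws3 are constructed for illustration; in practice they would be summarized from your proxy or firewall logs.

```python
from statistics import median

# Constructed sample: total KB per minute during a known-normal morning.
# Short bursts are the office's ordinary "pulse".
NORMAL = [40, 900, 10, 0, 350, 20, 5, 700, 15, 0, 60, 1200, 30, 10, 0, 480]

# Constructed sample for today: (minute, {client: KB}); ws1..ws3 are
# hypothetical workstation names.
TODAY = [
    ("09:00", {"ws1": 30, "ws2": 10}),
    ("09:01", {"ws1": 800}),            # one-minute burst, normal
    ("09:02", {"ws2": 20}),
    ("09:03", {"ws3": 1100, "ws1": 40}),
    ("09:04", {"ws3": 1150}),
    ("09:05", {"ws3": 1120, "ws2": 300}),
    ("09:06", {"ws3": 1180}),
    ("09:07", {"ws3": 1160}),
    ("09:08", {"ws3": 1100}),
    ("09:09", {"ws1": 15}),
]

def busy_threshold(normal, k=6):
    """Median + k * MAD: robust to the bursts that a mean would absorb."""
    med = median(normal)
    mad = median(abs(x - med) for x in normal)
    return med + k * mad

def longest_run(totals, threshold):
    """Longest streak of consecutive busy minutes (the baseline 'pulse' width)."""
    best = cur = 0
    for t in totals:
        cur = cur + 1 if t > threshold else 0
        best = max(best, cur)
    return best

def sustained_runs(minutes, threshold, min_len):
    """Return (start, end, top_client) for each busy streak of >= min_len minutes."""
    runs, streak = [], []
    for label, clients in minutes + [("end", {})]:   # empty sentinel flushes last streak
        if sum(clients.values()) > threshold:
            streak.append((label, clients))
            continue
        if len(streak) >= min_len:
            totals = {}
            for _, c in streak:
                for name, kb in c.items():
                    totals[name] = totals.get(name, 0) + kb
            runs.append((streak[0][0], streak[-1][0], max(totals, key=totals.get)))
        streak = []
    return runs

if __name__ == "__main__":
    limit = busy_threshold(NORMAL)
    print(limit, longest_run(NORMAL, limit), sustained_runs(TODAY, limit, min_len=5))
```

Choose min_len comfortably above the longest streak seen in the normal period, so ordinary bursts never alert.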