December 2004 - Posts

Interview with Samantha, the SBS 2003 client workstation - the year in review

Today is the second part of our interview series.  We talk with Samantha, the SBS 2003 client workstation, about her year in review.

Q.  Good morning Samantha!  I see you are having your morning Mountain Dew!

A.  Well, yes, I'm just not a coffee drinker like the rest of you guys.

Q.  Well let's get started, shall we?  Yesterday we talked with Sam the SBS 2003 server about his year, let's talk about your year?

A. Ok!

Q.  Let's cut right to the chase and ask you about what's been on everyone's list these days of issues - malware.  How was it this year?

A.  You and I both know it was pretty bad this year.  For my end users that were smart, surfed safely, and stayed in a position where they didn't have full control of me and instead let Sam the SBS 2003 server control much of the details, they were pretty good.  For my end users that downloaded anything, clicked on anything and opened up email attachments willy nilly, they had some issues.

Q.  I hear though, you do have some protection that came out in August of this year, some third party addons to help, and there are even more new products and plug-ins coming to help out even more.

A.  That's true.  First off, I have Outlook 2003 for my end users [again, thanks to Sam the SBS 2003 server that licenses all my end users for that], so there are some built-in protections that I have.  For example, in Outlook if you leave on cached exchange mode, which Sam automatically sets for me, I have junk filtering, I block nasty attachments, and I block photos from being automatically viewed.

Q.  That sounds pretty good.

A.  Yes it is.  Then if Sam the SBS 2003 server has Trend Micro Antivirus installed [and this is just one example, many of the vendors do this], there's a malware addon that you can enable that helps to protect me. 

Q.  So let's talk about what happened in August of this year, I hear you got a major update?

A.  Yes I did, a big new service pack, XP sp2.  Let me really stress to the listeners how much better I work when I have XP sp2 and Office 2003 with Sam the SBS 2003 server.  I hook in really well with Sharepoint when I have Office 2003.  And with XP sp2 and Sam the SBS 2003, I really protect my workstations from willy nilly talking to one another.

Q.  I heard one of the Microsoft speakers talk about this, Steve Riley, I think?

A.  Yes, he's writing a book that will include discussion of this concept, that workstations shouldn't just “talk to one another”, that they should only talk to the server and thus are better protected from things like Blaster, SQL Slammer and what not.

Q.  Do you know what the book title is?

A.  Oh yes, it's called Protecting your Windows Network and it will be out in 2005 from Addison Wesley.

Q.  Cool.  But let's go back to that malware issue because I hear it was pretty bad. 

A.  Oh sure thing!  I agree it's a huge issue and even my maker in Redmond knows; they bought an anti-spyware company and will be bringing out a public beta of this very very soon.  Also speaking of betas, I've been trying out the Windows Update Services beta and that is looking really nice.  I'm really looking forward to relying more and more on Sam the SBS 2003 server for lots more protection.

Q.  Yes, Sam mentioned that, that can you expand?

A.  Absolutely, as I said right now I run with my end users in a pretty trusting way, but Sam and I have been talking and for some of our setups, where the consultant, the VAR/VAP, has sat down with the owner and talked about this, we're going to run a bit more securely this year and take away those administrator rights for my end users.

Q.  That sounds pretty cool.  Is this something all firms will be doing?

A.  It's in the long term plans for all systems actually.  Some firms can do this now, and there's honestly some firms that don't see this as an issue.  But what's cool about the relationship that Sam and I have, is that we're pretty flexible and can set things up just about any way the owner wants us to go.  The biggest issue is not with the Microsoft applications running in this user mode, it's the third party stuff.  Like the firewalls we're running here, he and I can and do roll things out faster than bigger firms.

Q.  Wow, that's great to know that you guys are so agile.  But, I hear it's a pain to get those programs to run in user mode.

A. Yes it is, we have some tools like filemon, regmon, incontrol5, and a new chapter in Harry's book coming to talk on this, and I honestly do think that more companies are beginning to realize the value of doing this, but it will take time.  Right now we've got a lot of people asking how to do this for Quickbooks, an accounting program.

Q.  So what I'm hearing from you is that letting Sam the SBS 2003 server be in control is really key to having a secure system.

A.  Yes, being under Sam's protection, in a domain where I am, really helps me stay safe and secure.  It's really been obvious that the more I let him protect me, the better off I am.

Q.  That's really good to know.  So we're about out of time, any final words to our listeners today?

A.  Yes, remember that you really want to buy the XP Professional version and retire all older versions, because I really work the best when all my end users are on the same platform.  If you have any questions at all about licensing and what not, I have some really smart people looking out for me that are on the Mssmallbiz site and listserve.  In fact all of my support communities are pretty amazing.

Q.  We've heard that they are pretty special online places.

A.  Indeed!  I'd like to wish everyone a very Happy New Year and an invite to everyone to join Sam and me in the SBS communities!  From Nick's to the Magical M&M's, to yahoogroups that Sam mentioned yesterday, to the newsgroups, in fact, before I forget it I want to say a HUGE thank you to the original gentleman who really started the community feeling and to this day really sets the tone for the communities out here.

Q.  Is that Grey Lancaster that I've heard mentioned?

A.  Yes it is, he has a real “southern gentleman” way about him and he really makes sure that the communities of SBS are kind and helpful.  He's pretty amazing.

Q.  Well we're out of time Samantha, the SBS 2003 client workstation, it's been great talking with you!

A.  Same here!

[Like I said, a little too much Dew for Susan]

Interview with Sam the SBS 2003 Server - the year in review

[tomorrow we will interview Samantha the SBS workstation, but today we sit down one on one with Sam the SBS box to ask him how his year was]

Q.  So Sam, overall, how was 2004 for you?

A.  Pretty good, all in all.  I've added a lot more relatives to the SBS family and community this year, a lot of brand new faces, blogs, it's been really fun to see a lot of new family members in SBSland.

Q.  Give us some highlights of the year, if you will?

A.  Sure thing, we started out the year on a solid footing with the release of Harry Brelsford's SBS 2003 best practices book and we've been building momentum ever since.  It's been really cool to see the increase in people in the 2003 newsgroups, in the yahoogroups - both the technical ones, the business ones and our new general small business one.

Q.  Any event in particular stand out in your mind?

A.  Oh yeah, a couple of things that I was proud to be a part of.  First off we had the second year of the SMBnation conference in September and this time we had it in the place I was born, so that was a real treat for me.  Next Microsoft started a new community surrounding the small business space and that really took off with a bang, which was really cool to see.  The Mssmallbiz web site, listserve and now blog really took off great.  I was proud to be associated in some small way with that effort.

Q.  That's really cool!  Now we have to ask the tough questions, okay?  One of the big issues we have today in technology is in Security.  Let's be honest, here.  Weren't you in the news recently about some security issues you had?

A.  You read that USA Today article too, huh?

Q.  Well, yeah.  Want to comment on that?

A.  Absolutely!  I'd love to tell my side of the story more often.  Honestly, that was a really dumb test they did.  What they should have tested was Windows 2003 server; instead they tested me.  And I kept yelling at them that I wanted a strong password or passphrase, that I did not want to be sitting on the internet exposed without a firewall, but they refused to listen to me every step of the way.  I mean talk about frustrating for me, when I was trying to get them to listen to the right way to set things up and they didn't!

Q.  You mean they purposely set you up insecurely?

A.  Yes they did.  They wanted to prove the point that being on the web you need a firewall.  Geeze, I kept telling them that all along the way, but they refused to listen.  They did say that once they picked a secure password that I did stay on the web and didn't get hurt.  Given that I was set up without my normal protection in place, I'd say I did pretty good given that no one should be out playing on the Internet without the right protection.  But it really does showcase the one place where my owners and end users need to help me out.  Choosing proper passwords.   In fact, this year I can honestly say that I “could” have not gotten any security patches throughout the year and I'd still be able to be in very fine shape at the end of the year.  What really was my soft spot this year was what spammers were trying to do to me. 

Q.  Spammers?  What do you mean?  Can you elaborate?

A.  Oh sure!  First off they tried to guess my passwords so they could authenticate on my mail system. This is called an SMTP auth attack in my biz.  If one of my owners or end users uses a dumb password, it makes me susceptible to password guessing.  This is one reason why it's important for my owners and admins to review my audit log files.  This is one major advantage that I have over my older SBS 2000 relative, I natively do auditing, whereas my relative, you have to turn it on in his system, he doesn't do it automatically like I do.

Q.  That's a good feature to have turned on.

A.  Yes it is, I'd really recommend it to anyone still running SBS 2000 to enable it on their systems.

Q.  What other issues did you face?

A.  My other big issue regarding email is something called NDR attacks.  This is where a spammer tries to trick me into sending spam mail.  Javier, and Les, two really cool SBS MVPs that I know typed up some instructions to help people deal with these two issues.

Q.  Wow, that's kinda scary.  What other issues did you face?

A.  Well obviously, I wasn't hurt like Samantha [that's my SBS client workstation] was surfing the web because I have two things going for me. 

Q.  What's that?

A.  Well for one, I have a special protection on my Internet Explorer to block active X scripting.  You see some really smart guys looked at me while I was being built and tried to imagine all the bad things that people would try to do to me and the last thing they thought of was that my owner and admin would be really stupid and want to surf the Internet from me.  Then I have a smart owner that doesn't use me as a workstation and treats me like a server, so that really helps out.

Q.  Why would an owner do that?

A.  Sometimes they don't realize that my main job is to do work for them and not be used as a workstation.  Fortunately there's this IE lockdown that is in place that protects me a lot.

Q.  That's good to know.

A.  Yup, pretty much as long as you let me do what I am supposed to do, I really was not hurt by Malware like Samantha was this year.

Q.  Yup, I'll be talking with Samantha about her year tomorrow, I hear she got beat up a bit.

A.  Yeah, we've been talking about some ways that she and I can work closer together and do something called group policy to help her.  All in all, I had a very good year from a security standpoint, and now we're going to see if we can do more to strengthen her as well.  She did, though, get a big boost from XP sp2 and the firewall she's running now inside the network, and there are some anti spyware tools that our birth place just bought to help out.

Q.  Sounds pretty promising.  Well we're just about out of time Sam, any more thoughts before we end this interview?

A.  Well I'd like to point out a few last things, first off, don't forget about the “Oh, Canada!“ event that kicks the year off in grand style up in Toronto on January 11th.  Also, everyone should look forward to the SBS 2003 Advanced book coming out soon from Harry Brelsford.  I'm also hoping that this year we really put more emphasis on Sharepoint, taking that to the next level.  Look also for a new service pack in the new year.

Q.  A new service pack?

A.  Yeah, I'll be retiring ISA 2000 and adding a new member to the SBS family, called ISA 2004, and rolling up some other fixes and what not.  In fact, let me remind our listeners that there will be a week-long ISA 2004 webcast series to get people ready.

Q.  That's really cool.  Thanks for taking time out of your server duties, Sam, to talk to us about your year.

A.  My pleasure.  Back to work!

[okay so maybe a little too much Egg Nog and Mountain Dew for Susan today]

Windows NT 4.0 Server 1996-2004

Windows NT 4.0 Server, operating system, died, Friday, December 31, 2004 in Redmond, Washington.

Born 1996 in Redmond, Washington, he was the son of Windows NT 3.1 and Dave Cutler.

Windows NT 4.0 server worked for many years in many corporate offices and was for many years a beloved member of many firms.

He is survived by two sons, Windows 2000 Server and Windows 2003 Server, both of Redmond, and five cousins, Windows 2000 workstation, Windows XP Professional, Windows XP Home, Windows Tablet PC edition and Windows XP Media Center edition.  He was predeceased by his nephews Windows NT workstation and Windows 95.  Currently another close relative, Windows 98, is on life support, but the doctors indicate he has a few more years left.

Private visitation will be in Redmond.

A Christian burial will be celebrated at midnight [your local time zone] on December 31, 2004.

Windows NT 4.0 server had been in failing health but finally succumbed to the dreaded final “Blue Screen of Death”.

May you rest in peace.

Internet Explorer - what actions to take

If you've been seeing some of the tech news, you'll know that a group overseas called Xfocus published some details of Internet Explorer vulnerabilities on the web right before Christmas.  And while the press can say [clearing their throats] “Microsoft hasn't responded”, I can say that every time I sent in an email to the Secure alias [secure - at - microsoft.com] I got a response back.  They know and are “responding“ in their own quiet way when such things occur.

But in the meantime some general rules to keep safe until a patch is released:

  • Begin to push for running in lesser “rights“ on the desktop.  This isn't easy at all, but it's something that we all need to push our app vendors to do natively in 2005.  I don't expect you guys to do this right away, but start thinking about preparing your end users and clients to not be able to download and install just willy-nilly.
  • Ensure that you always use up to date antivirus
  • Only surf where you know you'll be safe [I know...this one is kinda dumb as there have been reports of “good sites“ that don't keep themselves up to date on patches getting turned into “bad sites“ - but just try to be AWARE]
  • Block all unnecessary email attachments.  Whether you use the native to SBS Exchange attachment blocker or Trend's blocker, PICK ONE and don't even let this stuff get in your network.
  • Consider running IE with High security turned on, and only place those web sites into “trusted“ zones that you need fully functional for business purposes.
  • While you can use alternative browsers like Firefox, Mozilla, I'd still recommend that you not “install and forget it“.  Mozilla today just released a new patch for a security issue it had.  Remember that Windows update does not patch Firefox, Mozilla, so you are on your own.  The default for Firefox is to check every 7 days [apparently, as I'm guessing from the about:config that I'm looking at].  Brian Livingston has a great primer on Firefox that he had to dig up from their web site and other locations.
  • Just in general be aware.  If an email sounds too good to be true, or is trying to sound like the sky is falling, check it out on the snopes.com web site.


P.S.  Next time guys, send an email to the secure alias and work with them for a patch FIRST?  Don't just disclose this stuff and then contact Microsoft?  Be part of the solution, not part of the problem.

OH CANADA - just a reminder that 2005 will bring you a SBS event to remember!

Date: January 11, 2005
Time: 6:30 - 8:30 PM
Location: Microsoft Canada - Mississauga

OK Toronto and area SBSers! The first meeting of the year for the Toronto
Windows Server User Group (TWSUG) - and it is all SBS. And look at the
drawing cards we have for the event!


Session 1 - Migrating Windows Domains using Swing Migration
Presenter: Jeff Middleton - US Microsoft MVP for SBS 2003

Session 2 - Windows Small Business Server - A Year in Review
Presenter: Harry Brelsford - Author and US Microsoft MVP for SBS 2003

Event information here...

http://www.twsug.com/Default.aspx?tabid=62


Jeff is just back from his 5 week presentation tour through Australia - with
resounding great response all the way. You want to know about his Swing
migration? Waiting to finally move up to SBS2k3? Here is an opportunity to
see, hear and ask those "what if?" questions about the process. Here is
Jeff's web site...

http://www.sbsmigration.com/


Harry is in Toronto the same day with his own One-Day Workshop in Windows
Small Business Server 2003 - Strategies to build your SBS consulting
practice; How to integrate SBS with Office 2003; Technical tips and tricks
to extend SBS. Harry has graciously accepted an invitation to present at our
evening session. Check out Harry's event here...

http://www.smbnation.com/smb_nation_summits.htm


But wait - there is more!

We are up to a count of 9 SBS MVP's that will be on site that evening! A
wonderful opportunity to meet the anchors of so many community resources you
depend upon. We want this to be your chance to ask questions, and share your
own hard earned knowledge with your Peers.


TWSUG membership is NOT required to attend. There is NO charge to attend.

Please - tell others about the event. We want this to be the start of a
really great year!

Running with Scissors... uh .....I mean admin rights

When we were little kids we were told by our parents “don't run when you have sharp objects in your hands” ... like..scissors.  So remember my rant about how I don't trust any browser?  I want to revisit that a bit again tonight.  Active controls in a web browser are, I think, like “running with scissors”.  Why?  Because, as I said before, they rely on me trusting too much.  While the whole concept of “active content” means great things have happened in the Internet space, it also means that the very way we have let our applications get away with being coded as horrifically as they are, and haven't really noticed how bad they are, is contributing to the malware/spyware and other gunk we now have to deal with.

While one could argue that Active X is worse than Darth Vader, worse than ....oh I don't know.... worse than offering me fresh fish [I really hate sushi...I'm really sorry... it's chicken or beef for me], the fact is the real threat is there because Active X only plays in whatever “rights” you have on that system.  Run in user mode and Active X isn't the issue we're all running from.  Run like we're all used to, with full rights to every single registry key on that box, and Active X starts making us think of a tall guy in a dark plastic suit that is a heavy breather.  Active X is the bad guy it is because we're running with scissors around here.  It can't be sandboxed from the user rights we have.  Thus as long as we go “la di da-ing“ through life accepting that my business applications, ones that I just bought during the 4th quarter of 2004 and many of which still think they live in a Win98 world, are just wonderful, we're going to be stuck in the mess we're in.

Tonight I was running some tests on one of my lovely applications that are not “Designed for Windows XP” but yet we all happily load and run on our XP systems.  One in particular ...well let's just say that I knew it was coded pretty poorly and now I'm certain more than ever that vendors really need to step up to the plate more on securely coding these applications.

Now I'm not a coder by any means.  The last coding I did [other than a quick batch file here and there] was the misguided attempt to have beancounters learn cobol.  But it didn't take a degree in computer science or a slew of certifications to take one look at what that testing program was trying to tell me.  That application of mine, the one that I put firm's financial data in, looked to this untrained eye to probably make someone like Michael Howard  or Howard LeBlanc fall over in apoplexy.

In the “Designed for Windows XP“ logo certification documents, the requirements are pretty clear.  Support user mode and you get that certification.  So why the heck are we not beating up on vendors that DO NOT get certified on it, and not giving awards to those vendors that DO get certified?

As I'm typing this up I have an idea.  My term as Chairman of the Technology Committee of California CPA Society expires in May.  Perhaps one of my final duties can be to set up an “award” to the accounting application that meets security criteria.  Hmm.... I'll bring it up at the next meeting. Or perhaps my AICPA geek group, CITPers can also do that?

I'll showcase some of the vendors who ARE coding for least privilege.

Keep in mind that Peachtree 2003 is “compatible with XP“ and thus doesn't meet the guidance.  Notice there is one major application missing that isn't in the “designed for Windows XP“ logo program at all. 

Amazing isn't it?  We run our daily business in an application that is not “designed for Windows XP“.

That in this day and age we can accept “The user doesn't have sufficient permissions with the Windows user login. Users must have full Admin or Power User permissions that permit them to write to the Windows registry.“ as being acceptable from an accounting application...   shouldn't we as CPAs, as fiduciaries of our clients' records, demand better than this?

Pssst you can't “intuit-itively“ figure out the app?


The designed for Windows XP logo includes this as a criteria

3.4  Support running as a Limited User

Applications must not require users to have unrestricted access (for example, Administrator privileges) to make changes to system or other files and settings. In other words, the application must function properly in a secure Windows environment. Complying with the previous requirements in this section will help to ensure that the application meets this requirement.

An application that does not install (executes without installing any components) must still support use by a Limited User.

A secure Windows environment is defined as the environment exposed to a Limited (non-Administrator) user by default on a clean-installed NTFS system. In this environment, users can only write to these specific locations on a local computer: [Note 1]

  • Their own portions of the registry (HKEY_CURRENT_USER) [Note 2]
  • Their own user profile directories (CSIDL_PROFILE)
  • A Shared Documents location (CSIDL_COMMON_DOCUMENTS) [Note 3]
  • A folder that the user creates from the system drive root

However, applications defaulting to use of these folders do not comply with the other requirements of this section.


Users can also write to subkeys and subdirectories of these locations. For example, users can write to CSIDL_PERSONAL (My Documents) because it is a subdirectory of CSIDL_PROFILE. Users have read-only access to the rest of the system.

NOTES

[1] Applications can modify the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA. This may provide an additional location to which users can write for a given application.

Any modification of the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA must be documented when submitting your application.

[2] Users cannot write to the following subsections of HKCU:

\Software\Policies

\Software\Microsoft\Windows\CurrentVersion\Policies


[3] By default, users cannot write to other users’ shared documents; they can only read other users’ shared documents. Applications can modify this default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS.

Any modification of the default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS must be documented when submitting your application.

This requirement does not apply to all features.

WHEN DOES THIS APPLY?
When the major features of the application can be successfully run by a non-privileged user, minor features are allowed to fail gracefully. These minor features must not be installed by any default mechanism (for example, a minimal or typical install) other than a complete install and must not be considered important for the operation of the program. Examples of such minor features include components necessary to support legacy file formats.

Limited Users cannot perform several system administration functions such as disk defragmentation, backup/restore, changing system time, and so on. When most of the primary functionality of an application is system administration, the application must still run from a Limited User account and inform the user why none of the features can be used.

For any feature that a limited user cannot use, when submitting your application you must document what objects need to be opened for that feature to work, such as file system, registry keys, and so on.

When a limited user can’t use a feature, the application must degrade gracefully.

Test Cases – 3.4

As defined in “Designed for Microsoft Windows XP” Application Test Framework:

TC3.4  Does application support running as User1, a Limited User?
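As an added example (not from the logo program documents or any vendor), here is a static audit of where an application writes, classified against the section 3.4 rules quoted above: HKCU minus the two Policies subtrees, the user's profile, Shared Documents, and a user-created folder under the drive root (writable, but not compliant as a default). The profile and Shared Documents paths, the vendor names and the write trace are all constructed.

```python
# Added example: classify an application's write targets against the
# "Designed for Windows XP" section 3.4 Limited User rules quoted above.

PROFILE_DIR = r"C:\Documents and Settings\User1"                      # CSIDL_PROFILE for User1 (assumed XP default)
COMMON_DOCUMENTS = r"C:\Documents and Settings\All Users\Documents"   # CSIDL_COMMON_DOCUMENTS (assumed XP default)
SYSTEM_DRIVE = "C:"
# HKCU subtrees a Limited User still cannot write to (Note 2 above)
HKCU_DENIED = (r"HKCU\Software\Policies",
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies")
# Root folders that are not "a folder the user creates from the system drive root"
SYSTEM_ROOT_FOLDERS = {"program files", "windows", "documents and settings"}


def _under(path: str, base: str) -> bool:
    """Case-insensitive 'path is base or lies inside base' for backslash paths."""
    p, b = path.lower().rstrip("\\"), base.lower().rstrip("\\")
    return p == b or p.startswith(b + "\\")


def classify_write(target: str) -> str:
    """Classify one write target (file path or registry key).

    'allowed'       - a location section 3.4 lets a Limited User write to
    'non-compliant' - writable (a user-created folder under the drive root),
                      but defaulting to it does not meet the requirement
    'denied'        - read-only for a Limited User: HKLM, Program Files, ...
    """
    t = target.strip()
    upper = t.upper()
    if upper.startswith(("HKCU\\", "HKEY_CURRENT_USER\\")):
        key = "HKCU\\" + t.split("\\", 1)[1]
        return "denied" if any(_under(key, d) for d in HKCU_DENIED) else "allowed"
    if upper.startswith("HK"):
        return "denied"          # HKLM, HKCR, HKU: read-only to Limited Users
    if _under(t, PROFILE_DIR) or _under(t, COMMON_DOCUMENTS):
        return "allowed"         # includes subdirectories such as My Documents
    parts = t.split("\\")
    if (parts[0].upper() == SYSTEM_DRIVE and len(parts) >= 3
            and parts[1].lower() not in SYSTEM_ROOT_FOLDERS):
        return "non-compliant"   # e.g. C:\MyApp\data.dat
    return "denied"              # files directly in C:\, system folders, other drives


def audit(targets):
    """Group write targets by verdict."""
    report = {"allowed": [], "non-compliant": [], "denied": []}
    for t in targets:
        report[classify_write(t)].append(t)
    return report


def supports_limited_user(targets) -> bool:
    """Test case TC3.4 in spirit: nothing the app writes may be a denied location."""
    return not audit(targets)["denied"]


# Constructed trace of write attempts, the kind of thing a filemon/regmon
# session over an accounting package would surface (vendor and paths made up).
SAMPLE_WRITES = [
    r"HKCU\Software\ExampleVendor\Ledger\Settings",
    r"HKCU\Software\Policies\ExampleVendor",
    r"HKLM\Software\ExampleVendor\Ledger\Paths",
    r"C:\Documents and Settings\User1\Application Data\ExampleVendor\cache.dat",
    r"C:\Documents and Settings\All Users\Documents\Ledger\company.dat",
    r"C:\Program Files\ExampleVendor\Ledger\ledger.ini",
    r"C:\LedgerData\company.dat",
]

if __name__ == "__main__":
    for verdict, paths in audit(SAMPLE_WRITES).items():
        for p in paths:
            print(f"{verdict:14} {p}")
    print("supports Limited User:", supports_limited_user(SAMPLE_WRITES))
```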



XP Home [s] CANNOT join a domain

To the poster in the newsgroup who said “I wish they wouldn't keep it a secret” that XP Home [s] cannot join a domain.

Let's blog this up a bit so it's more googlable shall we?

The XP HOME platform is for “Homes, houses, condos, apartments, shacks, shantys, leantos, outhouses, etc., etc., etc.“ but it is not for BUSINESSES.  Get it?

The information on whether or not XP HOME can join a domain is on the XP Professional page.

“Windows XP Professional is required to access a domain-based network. If you're not sure whether the network you will access is domain-based, talk to the person in charge of the network to make sure you choose the proper version of Windows XP.“

I love those kind of postings don't you?  I AM in charge of the network and what if I don't know the right answer? 

Like those messages that say “please contact your network administrator for more information“.  I AM the network admin and can't get this thing running the way it's supposed to.

XP Professional is what you need to have a computer JOIN A DOMAIN.

I would argue that XP Professional is just plain better in general, with or without a domain, but that's just my opinion.

Let's blog it one more time for dear old Uncle Google

XP Home machines cannot join a domain.

XP Professional machines can.

XP MCE 2004 can join a domain.

XP MCE 2005 sort of can't, but I hear if you install them from scratch the bits are there and you can join them, but officially they aren't supposed to be domained.

P.S. Changed the blog so that XP HOME would be better googlable  :-)  Thanks Sophos 

The things you "leak"

I'm bringing out to the blog an argument I'm having with someone on IM about the private versus “private” and Ipconfig posting issue just to make a point about the risks of life in general on the Internet.

I'm arguing that in a mere email, there is as much risk of information “leakage” about a firm as there is when we post an ipconfig in the newsgroups.

Let me show you what I mean.  Send an email from your SBS firm network to an outside email box.  Open up the email and adjust it so you can see the headers [Outlook is a pain in the butt for doing this, Thunderbird much easier].

Okay let's look at the clues that come from a email

  • Inside that email is your internal name.  Probably something.local or maybe .lan, both clues that you are an SBS box.  Therefore there's about a 99% chance that your internal IP address scheme is 192.168.16.x
  • Inside that email is your public IP address
  • Inside that email is the “stamp“ of what version of Exchange you are on.  So if I see “Produced by Microsoft Exchange V6.5.6944.0” or “Produced by Microsoft Exchange V6.5.7226” I know you either have or don't have Exchange 2003 SP1.  [During the XP sp2 betas the beta testers would read the email headers of the MS folks and track what “next“ build number of XP sp2 they were on versus the beta participants.... sick puppies ...weren't we?]
  • Given that last I checked Dr. J's job wasn't to specifically target SBS boxes, I would argue that, since you can google the phrase “Remote Web Workplace“ and see potential SBS boxes, and get just as much stuff from email headers, the risks are in the same category.
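To see the three clues above pulled out of a message automatically, here is an added example (not part of the original post) that audits a raw header block for the internal .local/.lan name, the RFC 1918 and public addresses, and the Exchange build stamp. The sample headers, host names and addresses are constructed.

```python
# Added example: audit outbound mail headers for the information the post
# says they "bleed": internal host name, internal and public IPs, Exchange build.
import ipaddress
import re

# Constructed sample headers (not a real message), shaped like the clues the
# post lists. Names and addresses are made up.
SAMPLE_HEADERS = """\
Received: from sbsbox.example.local ([192.168.16.2]) by mx.outside.example
 with esmtp; Tue, 28 Dec 2004 09:12:50 -0800
Received: from [203.0.113.45] (helo=sbsbox.example.local)
 by relay.isp.example; Tue, 28 Dec 2004 09:12:44 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
From: someone@example.com
Subject: test message
"""

# RFC 1918 private ranges; the post's "class A/B/C" private blocks
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("local", "lan")   # the SBS giveaway suffixes from the post

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([\w-]+(?:\.[\w-]+)*\.(?:%s))\b"
                     % "|".join(INTERNAL_SUFFIXES), re.IGNORECASE)
EXCHANGE_RE = re.compile(r"Produced By Microsoft Exchange V([\d.]+)", re.IGNORECASE)


def unfold(raw: str) -> str:
    """Join header continuation lines so each header is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_leaks(raw_headers: str) -> dict:
    """Return what a recipient can learn about the sending network."""
    text = unfold(raw_headers)
    private, public = set(), set()
    for ip in IP_RE.findall(text):
        try:
            ipaddress.ip_address(ip)     # drops look-alikes such as 300.1.1.1
        except ValueError:
            continue
        (private if is_rfc1918(ip) else public).add(ip)
    stamp = EXCHANGE_RE.search(text)
    return {
        "internal_names": {h.lower() for h in HOST_RE.findall(text)},
        "private_ips": private,
        "public_ips": public,
        "exchange_version": stamp.group(1) if stamp else None,
    }


if __name__ == "__main__":
    for key, value in find_leaks(SAMPLE_HEADERS).items():
        print(f"{key:17} {value}")
```

The post's two builds, V6.5.6944.0 and V6.5.7226, are the RTM and SP1 builds of Exchange 2003, which is why the stamp gives away the patch level.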

Will I still feel that way in a week.... a month... or a year... maybe not.  Probably not.  But I see that email headers “bleed out” just as much private information as we probably don't realize.

So is Tony right about freaking out about ipconfig postings in the newsgroups?  Probably.  psssst.. just don't anyone tell Tony I posted that....Jeff also states that to post that information indiscriminately in the newsgroup is not wise.  To post internal information in a public manner that is forever googlable is a bad idea.

But I would still argue that email is just as much of a “bleeder“ of information.

So ...what do you disclose about YOUR firm by just sending emails?

When is something "private" not Private

Tony posts that one should sanitize the Ipconfig/all posting that is done in the newsgroups and I'd like to clarify one point he's made.  He says that you should clean out the 192.168.16.x and 10.0.0.x addresses in your post and I disagree.  While those are class C and class A “private” ranges, they are such well known internal IP address ranges that IMHO you aren't disclosing anything that your email header doesn't post more stuff on.  I would recommend taking off an “external” IP address [something your ISP gave you], but posting an ipconfig/all shouldn't also expose your ISP's DNS info [and it's not like an ISP's DNS isn't googlable anyway].  We as SBSers don't “host” our own public DNS.

So what are the standard IP addresses that are considered “private“ but so used by everyone that it's common knowledge?  There's a page here that talks about the “standards“.  In general in SBS land, back in the SBS 4.0/4.5 days we used a “class a“ with a kind of “class c“ subnet mask.  What's a subnet mask?  It's the part of the IP address that lets that system know how big of a network range it's going to talk to.

Back in SBS 4.0/4.5 we used 10.0.0.2 with a 255.255.255.0 mask.  That meant that as long as a computer had an IP address that started with 10.0.0.X, our server would “talk“ to that system.  You'll also see it noted as 10.0.0.X/24.

Now in SBS 2003 our default “base“ range is a classic “C“ address of 192.168.16.x [where the server is normally 192.168.16.2].  Again the subnet mask of 255.255.255.0 makes that system “talk“ only to the 250-some-odd systems in that range.  What that 255.255.255.255 mask really means is this.

As per RFC 1918, these addresses are “non-routable”; they are your “inside” addresses.  What many consultants do is pick the 172.16.x.x range for their own networks, because more often than not that range is NOT used in an SBS network, and thus any static VPN routing the client firm does won't collide with the consultant's own ranges and settings.

What do I mean by Class “A” and Class “C”?  These are agreed-upon names for the ranges of “private” non-routable addresses.  Typically the Class A is 10.x.x.x with a netmask of 255.0.0.0, and Class C is 192.168.16.x with a netmask of 255.255.255.0.  Thus in the SBS 4.0/4.5 days our 10.0.0.x with a subnet mask of 255.255.255.0 was kinda not exactly the best setup.  Our new default of 192.168.16.x is the proper way to name our internal range.

Class   Range of Addresses
A       Any addresses in 10.x.x.x
B       Addresses in the range of 172.16.x.x-172.31.x.x
C       Addresses in the range of 192.168.0.x-192.168.255.x

In computers everything really talks in “on” and “off”, so 255 is in reality the value of 11111111.

Reading from right to left, each position is the next power of two, so it's the total of

  128   64   32   16    8    4    2    1  = 255
    1    1    1    1    1    1    1    1  = 255

That tells the system to match every single bit of that IP “octet” [the number between the “.”s] against the IP address it's comparing to.  So a 192.168.16.2 with a subnet mask of 255.255.255.0 can talk to a 192.168.16.200 that also has a subnet mask of 255.255.255.0, because the “0” at the end is telling the system “okay, you talk to ANYTHING in the 192.168.16.1 to 192.168.16.255 range and I won't care”.

See how it works?

So when your ISP gives you an external, REALLY PUBLIC IP address and the netmask is set to 255.255.255.248, it's saying the following:

  128   64   32   16    8    _    _    _  = 248
    1    1    1    1    1    0    0    0  = 248

And because 1 + 2 + 4 = 7, your ISP has just given you only “that” many IP addresses that your public IP can talk to [normally a gateway IP address and 6 public IP addresses].  Get it?  [Assuming I'm doing that right; someone correct me if I'm wrong.]
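To check the mask arithmetic in the two cases above (the SBS default 255.255.255.0 and an ISP-style 255.255.255.248), here is an added example using Python's ipaddress module; it is not from the original post, and the 203.0.113.x block is a constructed documentation address standing in for an ISP allocation.

```python
"""Subnet-mask arithmetic behind the two cases in the post.

Added example, not from the original post. It turns a dotted mask into its
bit pattern, sums the place values of one octet the way the post lays them
out, reports the range a host will treat as local, and checks whether two
hosts can talk directly. The 203.0.113.x block is a constructed documentation
address standing in for an ISP-assigned /29, not a real allocation.
"""
import ipaddress

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def mask_bits(mask):
    """Dotted mask -> its 32 bits, e.g. 255.255.255.0 -> 11111111.11111111.11111111.00000000."""
    return ".".join(format(int(octet), "08b") for octet in mask.split("."))


def octet_value(bits):
    """Add the place values whose bit is 1: '11111000' -> 128+64+32+16+8 = 248."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected eight 0/1 characters")
    return sum(value for value, bit in zip(PLACE_VALUES, bits) if bit == "1")


def describe(ip, mask):
    """Network, first/last address and usable host count for an address plus dotted mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    # The network and broadcast addresses are not usable by hosts (for prefixes under /31)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "usable_hosts": usable,
        "rfc1918": any(net.subnet_of(private) for private in RFC1918),
    }


def same_subnet(ip_a, ip_b, mask):
    """True when both hosts, using this mask, land in the same network and so talk directly."""
    net_a = ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{mask}", strict=False)
    return net_a.network_address == net_b.network_address


if __name__ == "__main__":
    print(mask_bits("255.255.255.0"))
    print(octet_value("11111111"), octet_value("11111000"))
    print(describe("192.168.16.2", "255.255.255.0"))
    print(same_subnet("192.168.16.2", "192.168.16.200", "255.255.255.0"))
    # Constructed public block with the ISP-style /29 mask from the post
    print(describe("203.0.113.10", "255.255.255.248"))
```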

So, bottom line: when you post your ipconfig /all in the public newsgroups, DO clear out any PUBLIC IP addresses that your ISP gave you, but I would argue there's no need to clear out the 192.168.16.x stuff.  It wouldn't take a rocket scientist to know that we're “supposed” to be using those inside our networks.
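One way to do exactly that cleanup before posting, as an added example that is not from the original post: it keeps the RFC 1918 addresses and replaces every public IPv4 address, the ISP's DNS servers included, with a stable placeholder. The ipconfig /all output it runs on is constructed, with documentation-range public addresses rather than a real ISP's.

```python
"""Sanitize "ipconfig /all" output before posting it to a newsgroup.

Added example, not from the original post. It keeps RFC 1918 addresses
(10.x, 172.16-31.x, 192.168.x), which the post argues give nothing away,
and replaces every public IPv4 address, including the ISP's DNS servers and
gateway, with a stable placeholder so the relationships between lines stay
readable. The sample output below is constructed; its public addresses come
from the documentation ranges, not a real ISP.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the three private blocks from RFC 1918."""
    return any(ip in net for net in RFC1918)


def keep_as_is(ip):
    """Addresses that are fine to leave in a public post: private, loopback, 0.0.0.0."""
    return is_rfc1918(ip) or ip.is_loopback or ip.is_unspecified


def sanitize_ipconfig(text):
    """Return (sanitized_text, seen) where seen maps each redacted address to its placeholder.

    Subnet mask lines are left alone: a mask such as 255.255.255.248 is not an
    address and would otherwise be mistaken for a public one.
    """
    seen = {}  # original public address -> placeholder

    def redact(match):
        raw = match.group(0)
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:  # e.g. 999.1.1.1 inside some other token
            return raw
        if keep_as_is(ip):
            return raw
        # Reuse the placeholder when the same address appears again (gateway, DNS, ...)
        if raw not in seen:
            seen[raw] = f"<public-ip-{len(seen) + 1}>"
        return seen[raw]

    out = []
    for line in text.splitlines():
        label = line.split(":", 1)[0]
        if "Subnet Mask" in label:
            out.append(line)
        else:
            out.append(IPV4_RE.sub(redact, line))
    return "\n".join(out), seen


# Constructed sample of a two-NIC SBS 2003 server's "ipconfig /all" output.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : sbsserver
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Server Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.9
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
"""

if __name__ == "__main__":
    cleaned, redacted = sanitize_ipconfig(SAMPLE)
    print(cleaned)
    print("redacted:", sorted(redacted))
```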

Who's YOUR DHCP

DHCP.

As it's stated here on a web site:

  1. What is DHCP?

    DHCP stands for "Dynamic Host Configuration Protocol".

  2. What is DHCP's purpose?

    DHCP's purpose is to enable individual computers on an IP network to extract their configurations from a server (the 'DHCP server') or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.

I have found that things just work “better” if you let the SBS server be the DHCP “hander-outer”, that is, it, NOT your Linksys/firewall/router, is the one handing out the IP addresses.  Again, if you are migrating from peer-to-peer this is a bit unusual, as you've been used to having a router that does this function.  But IMHO [in my humble opinion] the SBS network works best [connectcomputer works better, wizards run nicer] if the SBS box is in charge of DHCP and DNS.  If you ensure that the router has its DHCP function disabled BEFORE you begin to set up the system, the SBS box will automagically set up the DHCP/DNS functions.  Go into the web-based interface, adjust the router to have DHCP disabled, and then set up your SBS box.  That way it will not see another DHCP server and shut its own down.

If the SBS box sees any other DHCP server [like your router] on its same subnet, it will shut its own DHCP server down.  Don't forget to run the VPN wizard, as I've seen my server want to turn RRAS into a DHCP server without running that wizard.

Ipconfig /all

Probably the number one asked question back to posters in the newsgroup is

“Please post the results from ipconfig /all at both a workstation and a server”

So many issues with an SBS network are “fixed” with the right Internet Protocol configuration on the server.  It's amazing how people can go through the wizard and not “get” what they are trying to set up.  I think it's because they come from peer-to-peer, single network card setups and are now reading about different ways to set these networks up.  Many people expect that there should be an “Internet connection sharing” tab on the server, but we don't do things like that.

The most recommended diagrams to follow for setting up a network can be found here:

While you can do a one-NIC setup as discussed here: How to Configure a SBS for Full Time Internet Access with a Single Network Adapter:
http://support.microsoft.com/kb/309633
I personally feel that two NICs is more “separated”, more flexible, and I just feel more comfortable with the wizards of SBS than the configuration of a hardware firewall.

The other KB that talks about two network cards is listed here: How to Configure Small Business Server for Full Time Internet Access with Two Network Adapters:
http://support.microsoft.com/kb/306802

Basically you point all your DNS entries at the server's internal IP address.  You only put the ISP's DNS information into the DNS configuration as “forwarders”.  This is done automagically in the “Connect to Internet” wizard, but you can see the impact in Admin Tools, DNS.  Right-click on the server name, click on the “Forwarders” tab, and you can see where the wizard put in the ISP's forwarders.

See?  That's the ISP's DNS that I placed in my box when I ran the connection wizard.  You don't put that information in the Network card properties as DNS as you would normally in a peer to peer with a Linksys.

This “separates“ and builds a wall between the inside and the outside to better protect you.

So next time you are having issues with your network, review the settings.  Start, command prompt, type in ipconfig /all and hit enter.  Copy what you see there, and paste it into the newsgroups and have us check why you are having issues!



Syntax:  ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]

/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.

/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.

/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.

/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.

/?: Displays help at the command prompt.


To display the basic TCP/IP configuration for all adapters, type:

ipconfig

To display the full TCP/IP configuration for all adapters, type:

ipconfig /all

To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:

ipconfig /renew "Local Area Connection"

To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:

ipconfig /flushdns

To display the DHCP class ID for all adapters with names that start with Local, type:

ipconfig /showclassid Local*

To set the DHCP class ID for the Local Area Connection adapter to TEST, type:

ipconfig /setclassid "Local Area Connection" TEST

So you have this old server..now what?

If you are like me you might have a client that has an old server lying around because they just [or they will] be upgrading to SBS 2003 from SBS 4.5 because...well... THEY SHOULD!  Here are some ideas for that old server:

  • Can you reuse it? How old is it?  Mine was 3 years old and just a month before “dropped” a hard drive [and was running out of room], and with dual processors, 2 GB of RAM was just fine for a member server, a terminal server, AND in my case, for running the “lunch order” Live Communication Server 2003 [which I have because I had Software Assurance on SBS 2000].
  • Can you load Windows 2003 on it? If that was running SBS 4.0/4.5 and the server is “THAT” old, you might not want to put it back in service, and you certainly don't want Windows NT on it.  I personally would recommend Windows 2003 on any “side server”. Now keep in mind that for any XP operating systems you had in place before Grey Lancaster and I went to the Windows 2003 Server launch in San Francisco [that's April of 2003 if anyone is counting], you can get grandfathered TS CALs.  Because I had Software Assurance on Windows XP, in my case it was as easy as going to my TS box, indicating that I had an Open Value/Volume licensing agreement, putting in my agreement and authorization codes and the number of XP Pro licenses I had via that program, and voila, I have TS CALs on the 2003 box.  For my OEM ones I'd have to figure out which ones were purchased before that date, crawl on the floor with a magnifying glass to read the product key off the Dell sticker, and enter them into the transition web site.  I'll stick with the ones from the SA plan.  Lots cleaner.  Too many dust bunnies on the floor :-)
  • Can you donate it?  But be careful here: before you donate ANY computer equipment with a hard drive to any charity [workstation/server], take that hard drive and ensure that it is totally and utterly and completely scrubbed.  You cannot merely reformat; this takes a Department of Defense level “drive wipe” to ensure that it is cleaned.  You are literally writing “1's” and “0's” over the drive.  A story in the IEEE Security and Privacy magazine has excellent resources on scrubbing that drive.

Remember fondly SBS 4.0/4.5...but do exactly that.... remember it...don't run it anymore.  Come up to SBS 2003 where things are much better!

Hey, Directions on Microsoft? Aren't you going after the party not causing the problem?

I'm reading Directions on Microsoft's Top 10 issues that Microsoft has for challenges in 2005 and I'm pulling one paragraph out that in particular [I think] needs clarification.  In the Directions on Microsoft article they state:

“Security has always been near the top of our Top 10 list, but despite laudable efforts by Microsoft, such as a drop-everything-else code review, security is still a problem. In fact, the bad guys seem to be winning. Before anyone gets on the Internet the first time these days they need a PC already protected by the latest service packs and security patches, an antivirus program, an antispyware program, and training on how to avoid phishing exploits. Although Microsoft arguably bears little direct responsibility for these problems, the company has the most to lose if these security issues persist. Furthermore, Microsoft is in the best position of any vendor to address the problems. Some useful next moves? Make it possible to run Windows all day without requiring administrative privileges and work with other players on standards that will make it easier to authenticate the senders of e-mail.

"Security problems raise the cost of managing Windows clients, and make the perennial thin-client alternative more viable. This year, Microsoft has to deliver the improvements it promised for patching corporate PCs, and not let development of future product versions interfere with keeping current ones secure."
—Michael Cherry, Lead Analyst for Windows”

Mr. Cherry?  Office applications and Internet Explorer run FINE as a user and do not need administrative privileges.  It's my stupid APPLICATIONS that are coded stupidly that need these rights.  And even in SuSE [a Linux distribution] there are times, to adjust the monitor, to apply patches, to install software, that you need to sudo [the equivalent of Administrator rights, or the Windows equivalent of RunAs].  I just recently loaded up SuSE and looked in absolute horror at this screen:

See that box that says “Keep password”?  You and I both know that your home user/end user is going to click that box and say “sure, save my password, because it's a pain to type in that really long strong password I gave the machine when I built it”.  What's the insecurity [or insanity] of saving the administrator password so the next worm du jour that blasts through a SuSE box will have admin rights?  We cannot dumb down these desktops like this and keep these boxes secure!  The bad guys are winning, and the sooner we all figure out that we should be fighting “them” and not fighting over “who has the better operating system”, the better off we will be.

Look at these applications in my office that REFUSE to run in user mode.  So I ask you: who's at fault?  Microsoft applications DO run in user mode.  It's my third party stuff that doesn't.  I say that it's not Microsoft that needs to make 'Windows' run as user, but rather that we get tools to help us identify how stupidly these applications are coded and then go and beat up THOSE vendors to make them either set the right permissions as they install on “just that registry key” or code better in the long run.  I don't need them to make Windows run as a “user”... it does... I need Microsoft to give me tools to help me identify which of my vendors are the dumb ones.

Ask for the right solution to the real problem, I say.

What are your top ten issues for 2005?

Directions on Microsoft released its “Top 10 Issues that Microsoft has to overcome for 2005”, and included in there were a couple that caught my eye in Silicon's version:

• Better security - "despite laudable efforts by Microsoft, such as drop-everything-else code review, security is still a problem… In fact, the bad guys seem to be winning."

• Doing a better job of convincing customers they can get more out of their software by deploying newer versions.

and lastly

• Making the PC a home entertainment hub, not trailing integrated digital lifestyle approaches at the moment led by others, notably Apple.

That one caught my eye in particular because everyone I know that has a Media Center Edition computer says it does EXACTLY that.  Now while “I” would love it to natively be a domain member out of the box [you can do it if you install it from scratch], the reality is, in my opinion, the product is already there, but like the Tablet PC, the “ooh ahh” of getting it out in the marketplace needs to be majorly worked on.  The display I saw at CompUSA the other day underwhelmed me a bit.  You almost need to have a living room set up to showcase this.

So read that list.  Do you agree?  What are “YOUR“ top ten issues for 2005 that you'd like to fix?

My favorite things

It's Christmas evening and Julie Andrews is singing about her favorite things and I thought I'd take this time to talk about my “favorite things” [at least related to technology and SBS].

  • The communities of Small Business Server - more than even the technology of SBS, the “we share, we win” attitude of all the communities out here.  If you haven't joined in one of the communities... we have lots of ways to “community” out here, so if your “thing” is newsgroups, or yahoogroups [from business to technical to beyond], or web forums, we've got lots of options.  For each one of you that takes the time to share your expertise, THANK YOU for doing that.  You are what makes the communities so strong and so valuable.  Pat yourself on the back for doing what you do every day.
  • The people of the SBS family who, night and day, via email or IM, respond any time any day that I say “I need help, I'm stuck” [or are just there when I need to rant about something].
  • The people who work at Microsoft who work on SBS.  From Mothership Redmond, to Mothership Las Colinas, to Mothership Shanghai and to our future Mothership Bangalore, the people I know that work on SBS tend to go an extra mile, walk a little farther, and certainly some of you guys and gals stay up all hours of the night.
  • My fellow Microsoft Most Valuable Professionals who day in and day out do what they do because they want to help others make their systems just work.  You guys inspire me with your passion and knowledge.  You guys do what you do to help people and definitely believe in the concept of “pay it forward”.
  • The people who work at Microsoft that I know in “weedy” areas and security.  The attitude on the “outside” is that Microsoft doesn't care, but whenever I meet people on the other side of the wall, I see people that I know care, and in fact sometimes feel just as passionately as we do out here about getting things “fixed” in security.  I think we're constantly going to be fighting the good fight against the bad guys no matter what platform, browser, you name it.  Yeah, there is still a lot to be done, a lot to be fixed, but as I've seen the patch engines move to two engines, the fact that they are willing now to 'break things' is promising.  It's only by us out here working with more folks “in there” that more changes can be made.

Happy Holidays everyone!

Merry Christmas to all!

And here's to a happy new year.  So far we haven't blown anything up for the day's events.. but the day is young.  :-)  To everyone, to all of yours, here's hoping you have a very happy holiday season.

Stay safe, stay secure, use IE in high security and “let's be careful out there“. 

 

If POP3 is not snap, crackle and pop-ing

I was in the newsgroup finding this KB for a person with POP issues and thought I'd post it to the blog:

How to troubleshoot the POP3 Connector in Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;885685

A couple of other KBs that might help as well.

Exchange Server Connector for POP3 Mailboxes deliver multiple copies of messages:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;264249
How to use the POP3 Connector:
http://blogs.msdn.com/sbsdocsteam/archive/2004/11/15/257881.aspx

Many times I see POP not pop when people add a new email address that isn't in the same domain, which “breaks” the AD/mailbox glue.  Rerunning the Connect to Internet wizard normally fixes it right up.

[Snap, crackle and pop refers to Rice Krispy cereal which makes me start thinking of Rice Krispy Treats ...oh man, there goes the diet resolution again...dang...]



 

Backup backup backup backup backup backup backup, oh, and did I say how about checking the backup?

So there you are backing up every night and it's going beautifully.

Uh.. one thing.

Have you checked that backup?  Gordon blogs about the lovely “case of the missing backup”.  Can't we all relate to that tale?  What you thought was working wasn't.

New Year's resolution folks.

Test the backup.  So ...how do you test it?  The better question is how much time and effort do you want to spend in testing.

  • Minimum test - rename one file - restore that one file
  • Moderate test - rename a folder - restore the folder
  • Mucho giant test - restore the entire server

That last one is a bit extreme for a production network mind you.  Remember the backup and restore documents I pointed to the other day?  I'd say at least do a minimum test or a moderate test.

P.S.  Chad adds one more moderate test -- restore the system state to an alternative location.  ....... you do backup the system state..... right?  :-)

A new year.... a new firewall

Just around the corner, we're getting ready for ISA 2004 on our SBS boxes, and in January, there's a whole week of ISA 2004 webcasts to whet our appetite.

ISA Server 2004: Maximize Application Security and Performance:
http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx

January 17 through the 21st, get ready for deploying info, administering, detailed info, the whole works from the ISA 2004 team.  Then there are also virtual labs you can play around with.

TechNet Virtual Lab: ISA Server:
You can even order a trial version of the software to play with on a separate server or a Virtual server.

Remember that as part of SBS 2003 sp1, Premium customers will get ISA 2004, but if you are a SBS VAR/VAP, you may want to start looking at this now.

 

If you are any where NEAR CANADA you need to be here

Remember how I said earlier that if you were in Australia you were in luck because you had not one, not two, but three MVPs presenting down under?  Oh, Canada, can you say TEN?  Book your plans in January: if you are ANYWHERE near Toronto, get ready for an SMBnation Day event that is turning into a MUST GO TO event for the Northerners.  At last count, about 10 SBS MVPs from across the US and Canada will converge on the Day Summit.

First up MUST GO TO EVENT

SMBNation Summit in Toronto

Harry Brelsford is on the road with his SMBNation summit, a full day event filled to the brim of information that is always a hit.  Click here to register to get SBSism, lunch and Harry's SBS “bible”.  The bonus is that among the MVPs attending, you can meet several of the chapter authors that contributed to Harry's soon to be released Advanced SBS book [You know, the one I've been talking about that has the tips on Security and User mode?]

Later THAT EVENING, THE PLACE TO BE is  

TechNet Canada and the Toronto Windows Server User group plays host to two session speakers you know from the SBSworld as they welcome the SBS community!

Harry will spin a brief farewell with a “year in review” of SBS 2003.  Plus, sit back for an hour, Jeff Middleton is stepping up [or is it dancing?] for a Swing Migration presentation, the same one the Aussies saw just last month.  Click here to register for THAT event

SBS MVPs and SBS family members are getting together, and it's turning into a north-of-the-border version of the Seattle SBS fest, and a north-of-the-equator redux of the Swing It!! tour.  If you are one of our Northern neighbors... sign up... and if you're near the border... get your birth certificate in order and GO!

Use Firefox/Mozilla for a safer system

eWeek today has an article that says for “me” to be safer I need to use an alternative browser.  But today I'm giving myself my Christmas present early.  I'm whacking my registry via group policy to run in User mode[a].  And you know what I found?  That Mozilla/Thunderbird will not work in EITHER user mode or power user mode.  You have to run as local administrator for it to work.

That's right, I have to run in a manner that I'm not willing to run in anymore in this firm to load a program that Steven Vaughan-Nichols says will keep me safer.  [I'm 99% sure that Firefox also puts the profile in a protected space, but I'll go download it on this machine to triple check.]

See the error message I get when trying to run in User or Power user mode?

Click here for a larger view

Next, in order to have Mozilla access the web here at the office I would have to adjust the firewall to allow “unauthenticated outbound connections” [in other words, turn off “egress” or outbound filtering].

Again, how is this making me more secure?

Can someone explain how leaving myself in administrator mode, and opening up my firewall more is going to give me a “safer system” here?  I'm still scratching my head how this is going to make me more secure.

Remember what I blogged about the other day?  I don't trust ANY browser and think they should all be considered "untrustworthy".  All of them ask too much trust of me these days.  And especially when they want me to run as Administrator.

[a] I'll be blogging more about this process but it's in the next Harry B. book.

P.S. I chose the 'standard' Mozilla/Thunderbird settings.

Troubleshooting the Outlook over HTTP

Troubleshooting the Outlook over HTTP [stealing this from a post by Woody Guo - Mothership Shanghai - thanks Woody!]

1. Is the certificate you are using created by the CEICW?

2. Is URLScan installed on the SBS server? Do a search for urlscan.ini and
see if you can find any.

If URLScan is installed, in some configurations, it is necessary to make
the following changes in urlscan.ini in order for RPC over HTTP to work:

[RequestLimits]
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
MaxAllowedContentLength=2000000000
MaxUrl=16384
MaxQueryString=4096

In addition, you need to add the following verbs to the Allow Verbs:

RPC_IN_DATA
RPC_OUT_DATA

After editing the ini file, restart IIS Admin Service and Microsoft ISA
Server Control services. Does this help?

3. Start outlook with the /rpcdiag switch, does that provide any direction?

4. From the Internet client, browse to
https://FQDN/rpc. In order for RPC
over HTTP to work, you must be able to browse to this URL without getting a
popup warning about the certificate. You will receive the following error
on the page:

The page cannot be displayed
HTTP Error 403.2 - Forbidden: Read access is denied.
Internet Information Services (IIS)

This is normal. The idea is to be able to get to that page without getting
the popup warning about the certificate.

5. When you receive the error, click "OK", is there any other error message?

6. On the SBS server, verify if it trusts the certificate:

A. Open Internet Explorer, and then in the address bar type:
https://publishing.yourdomain.local/remote
B. If the certificate is not trusted, a warning popup appears. Click View
Certificate, click Install Certificate, and then follow the instructions.

7. On the SBS server, open IIS Manager, expand your server\Web Service
Extensions, is RPC Proxy Server Extension allowed? If so, double-click it,
check if it is using "C:\WINDOWS\system32\rpcproxy\rpcproxy.dll". If it is
using "C:\WINDOWS\system32\rpcproxy.dll", remove it and add
"C:\WINDOWS\system32\rpcproxy\rpcproxy.dll" on the Required Files tab. Run
"iisreset" and see how it goes.
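To check a server's urlscan.ini against the [RequestLimits] values and the two RPC verbs from step 2 of the post above, here is an added example (not part of Woody's post or of the URLScan tool); both ini texts are constructed, with the "before" values chosen to look like an install the edits have not been applied to.

```python
"""Check a URLScan urlscan.ini for the RPC-over-HTTP settings from the post.

Added example, not part of the original post or the URLScan tool. The ini
texts below are constructed for illustration; point check_urlscan_ini at the
contents of the real file on a server you administer.
"""
import re

# Minimum values the troubleshooting post says RPC over HTTP needs in [RequestLimits]
REQUIRED_LIMITS = {
    "MaxAllowedContentLength": 2000000000,
    "MaxUrl": 16384,
    "MaxQueryString": 4096,
}
# Verbs the post says must be listed in [AllowVerbs]
REQUIRED_VERBS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


def parse_ini(text):
    """Parse urlscan.ini into {section_name_lowercased: [non-comment lines]}.

    configparser does not fit because [AllowVerbs] holds bare verbs rather
    than key=value pairs, so the raw lines of each section are kept.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in urlscan.ini
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def check_urlscan_ini(text):
    """Return a list of findings; an empty list means the settings match the post."""
    sections = parse_ini(text)
    findings = []

    limits = {}
    for line in sections.get("requestlimits", []):
        key, sep, value = line.partition("=")
        if sep:
            limits[key.strip()] = value.strip()
    for key, minimum in REQUIRED_LIMITS.items():
        raw = limits.get(key)
        if raw is None:
            findings.append(f"[RequestLimits] {key} is not set (need >= {minimum})")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"[RequestLimits] {key}={raw!r} is not a number")
            continue
        if value < minimum:
            findings.append(f"[RequestLimits] {key}={value} is below {minimum}")

    verbs = {verb.upper() for verb in sections.get("allowverbs", [])}
    for verb in sorted(REQUIRED_VERBS - verbs):
        findings.append(f"[AllowVerbs] missing {verb}")
    return findings


# Constructed sample: an ini before the post's edits are applied.
BEFORE = """\
[options]
UseAllowVerbs=1

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
"""

# The same file after the changes the post describes.
AFTER = """\
[options]
UseAllowVerbs=1

[AllowVerbs]
GET
HEAD
POST
RPC_IN_DATA
RPC_OUT_DATA

[RequestLimits]
MaxAllowedContentLength=2000000000
MaxUrl=16384
MaxQueryString=4096
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_urlscan_ini(text) or "OK")
```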

I challenge 2005 to be the year of SBS

Wayne and I were chatting earlier that he had a benchmark goal in mind for the number of SBS servers he wanted installed by June of 2005.  Do you have a goal in mind for your year?  Get out a piece of paper.  Put on it the number of SBS boxes you want by the end of your year [Wayne's is a fiscal year of June].  Fold that paper up and tuck it in a drawer.  Next year at this time, I want you to get that paper out and see if you made your goal.

So as we get near the end of the year when resolutions are made...what are yours?  What predictions do you see for 2005? 

Here are some of the things I see bubbling up at the end of 2004:

  • Mine is [and I'll be doing this tomorrow...] flipping desktops to user mode and finding any “sticking programs” with the InCtrl5 tool.  Jeff Middleton will have more details in Harry's next SBS book, which should be out shortly in the new year.  I'll also be doing more group policy this year.
  • I've seen some folks signing up for the smallbizit listserve interested in a career change.  They are seeing the SBS platform as a way to be the outsourced CIO for small businesses.
  • I've heard on the Gartner Talking Technology that they are talking about “micro-commerce”... bite-sized chunks of time and service that people are offering to businesses.  I think we'll see more of this occurring in this space.
  • Gartner says open source will burrow into more enterprise infrastructure, but I think that it needs to wake up to the power of group policy and control more.  While there are places where it makes sense, in the SMB space it's harder to find the right vendors, the right partner, to install open source.
  • PCs will go virtual - and this is one place where some of us have been playing: a virtual server inside your beefy SBS server to run a terminal server.
  • Email responsiveness will increase - already we're seeing folks ask “what brand of smart phone are you using with SBS?”
  • More tools for security -- for example, spyware - you all heard that Microsoft bought a spyware company, right?
  • Collaboration tools will start becoming more mainstream.  I'll give a heads up to Chapter 1 of Harry's advanced book, where he acknowledges that we really haven't given SharePoint a run for its money in SBSland.  Chad has showcased SharePoint time and time again with the use of FrontPage and InfoPath.
  • I see folks trying to get smarter on SBS projects... from flat rate installs to more “menu based”, they aren't doing the same estimating they used to.  Christopher Hawkins has a “software based” but still interesting post about estimating.  A lot of people are either already using or chatting about the ConnectWise product.
  • We'll want to know more/control more.  Level Platforms is definitely showcasing the “the more I can touch, the more I can protect” view.

So what about you?  Where do you want to be this time next year?  What predictions do you see?

Download center now has official email notifications

I kinda feel a bit bad.  Microsoft comes through with something I've been asking for for a long time and I'm ungraciously saying “That's nice... but I want RSS feeds as well!”  They've finally started offering email notifications for the Microsoft Download Center, where I pick up a lot of good information.  And while this is nice... I still like the RSS feed method.  I actually have two here... a main one and a backup [a feed and a backup is a wise thing these days, don't you think?].  Right now my main feed is “down” because the Thundermain folks lost a hard drive, but I pinged the guys and they are working to get back online[a].

The normal way I stay plugged into new downloads on the Microsoft site is the following two RSS feeds:

So I signed up for those emails just because I like to stay plugged in [there isn't a Microsoft newsletter I don't get]

Say, before I forget, do you also know about the SBS specific RSS feeds?

[a] They are back online now.

Nice Timing - how about trying to do THAT with XP Home, Mr. Dell!

So last night I posted [okay, so more like ranted] that Dell shouldn't be selling to SMBs...well, one always puts a bit more “heat” into a headline at 11:00 p.m. than one does at noon.  What I really should have said is that Dell should be selling the RIGHT way to SMBs.  They should be ensuring that SMBs know that without XP Professional they don't get all the toys and bells and whistles and cool stuff and SharePoint and ...oh just EVERYTHING you get when you have a server setup.  So today I'm surfing over to the home page of SBS to pick up a link and lo and behold.... there on the page.... a glowing icon... a beacon.... a light in the far yonder distance...it's a sign I tell ya....

Very Very Nice timing guys and gals at Microsoft because you have a link today to a PDF document explaining to the business owner why a server is where you want to be.

“Using a server to network your computers can help your small business run more smoothly and cost-efficiently, while also boosting productivity. Our free guide, Networking Basics for Small Businesses, can help answer many of your most important server questions. You'll learn what networks and servers are, whether your business is ready for a network, what type of network architecture is best for your needs, and much more.”

And again, what is the operating system that gives us all that joy?  XP Professional. 

The traditional “benchmark” for networks was more than 10 people.  Today?  With the pricing of SBS 2003 Standard?  Man, if you are even a 5 user firm and don't have some sort of automated backup.... then you need to seriously be looking at SBS 2003 to be your base... your launching point for more growth.

Send that link off to someone who's “thinkin'” about a server.  Push them over the edge.  2005 should be the year of the small business..the year of the server...the year of SBS.

P.S.  Okay..so it was more like midnight....

Michael Dell of Dell Computers -- would you STOP selling to SMBs?

Joe Wilcox comes through again with another SMB post that is SO SPOT ON it isn't funny.

Mr. Dell...would you please realize that every single time you make a “deal” for us SMBs, those of us in the Small Business Server world have to clean up your mess?  I can't tell you how many times consultants have to deal with an XP HOME machine that cannot and will not connect to a domain.  Joe Wilcox is so spot on!  We need XP Professional in SBSland and not XP Home.  You aren't doing us any favors whatsoever in calling these systems “small business” systems.  They are NOT...they are HOME machines by name and by definition [get it]?  They are called HOME for a reason and should not be sold for small businesses.  We NEED servers here.  We NEED domains.  We DON'T need workgroups.  And XP Home is a crippled system for our networks.  We've complained before that retailers only sell XP Home machines in stores ...but this takes the cake...you ADVERTISE these machines as being for small businesses.  And guess what...they don't work in our networks!

We want domains... what do workgroups give us?

  • Workgroups have no domain controllers.
  • Users are more often than not local admins of their own machines.
  • Permissions across a group cannot be set.
  • No consistent permissions or rights.

What do domains give us?

  • Group policy which manages
    • Password policies
    • Lockout policy
    • NTFS permissions
    • User rights
    • Event logs that can be viewed across the LAN
    • Registry settings
    • IPSec
    • Much more
  • The ability to use Software Update Services [and in the future WUS] to patch all our systems
  • The ability to centralize backup
  • Centralize antivirus
  • Redirect the “My Documents” folder for all employees to the server to be backed up
  • Enable roaming profiles
  • and much much much more.....

Mr. Dell... you sell us XP Homes for our networks and the first thing we have to do is convince that business owner to take that brand spanking new workstation and spend more money.

You want to sell to the SMB marketplace?  You sell us XP Professionals for our BUSINESSES.  Don't try to sell us XP Homes down here... we're running businesses...not HOMES.  Come on Mr. Dell...work with us down here and help us all enable these businesses to go farther, work better, be more empowered with a NETWORK that needs XP Professional machines.

P.S.  What amazes me is how Joe Wilcox “gets our space” but Dell Computers does not.

SBS Knowledge base articles this week

A bit of a slow week for KB articles this week:

Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003:
http://support.microsoft.com/?kbid=886208

Just an SBS KB that was re-released [knowledge base], and Nick wrote one up on adding the ActiveX codes to XP SP2:

Outlook Web Access and Small Business Server Remote Web Workspace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555235

Can Browsers be trusted?

Last night I'm reading the blogs and I like to read the Michael Howard one [he's a coder dude, but he's security so it's always kinda interesting] and he links off to Peter Torr's post on whether you can “trust Firefox” because of the fact that it's not digitally signed, that you are going off to some university web site and whatnot.

While he makes some valid points, which Karl had a nice summary of in a post today that basically is as follows:

Brief summary:
1) The Firefox installation redirected the author to a download from some random university server or, in a second trial, an IP address instead of a host name.
2) The downloaded setup file isn't signed.
3) The install generates an error message popup that is blank, no words in the message.
4) When downloading unsigned Firefox extensions, the default action is still "Install now."
5) Downloaded programs like the Flash extension aren't checked to see whether they were signed or not, and
6) there was a "don't ask me again" checkbox on the dialog box asking whether to run the downloaded file.
7) There was no apparent way to disable or uninstall the Flash extension, and
8) an unsigned third party extension had to be installed to do this.

But I think they are both missing the bigger picture.  There are many programs like the one I just installed today that I bought and paid for that I must click through and say “sure I trust you because I think you are the program I just purchased”.  This is the exact screen I was presented today to install a “business” application I must have in order to run my business.  So, you think I'm going to decline to install something that I just paid for?  Don't think so.  I'm clicking the “Run” button and not really thinking this is a security issue at all and more like a software developer who didn't take the time or expense to get their code “signed”.

In full disclosure here, my pacbell.com email address that I “have had for ages, use in the public newsgroup, how would you like Rolex ads or the latest scam because I get them because I purposely don't filter this email account so I can get a pulse on what gunk stuff is out there and don't pull it into Exchange or Outlook” gets dumped into a Thunderbird mail client that I downloaded the software for, and clicked through and said “sure, whatever, I'll install it, no sweat because I want to!”

There are many times I just “trust” in the system.  Do I verify the PGP key on the Microsoft Security bulletins to ensure they are the valid bulletins from the Microsoft Corporation?  uh...no.  Never have.  Do you?

Do you run md5 checksums on the security patches that Shavlik downloads to ensure that what they “sucked down” is what patches are supposed to be coming from Microsoft?  uh...no, can't say that I do that one either.  Do you?
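Those two checks are quick to script.  As an added example that is not from this post, here is a PowerShell function that reports a downloaded file's Authenticode signature status and compares its hash against a published checksum; it assumes the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and a path and checksum that you substitute (the ones in the call are placeholders).

```powershell
# Added example: the two checks the post admits to skipping, run before a downloaded file is executed.
function Test-DownloadTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Checksum published by the vendor, if any; compared case-insensitively.
        [string]$ExpectedHash,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "File not found: $Path" }

    # Authenticode check: Status is Valid only when the file is signed by a chain this machine
    # trusts and has not been altered since signing. NotSigned is the unsigned-installer case above.
    $signature = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($null -ne $signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { $null }

    # Checksum check: proves the bytes match what the vendor published, whether or not it is signed.
    $hash = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    $hashMatches = if ($ExpectedHash) { $hash -eq $ExpectedHash } else { $null }   # -eq ignores case

    # Trust only a valid signature whose checksum (when one was given) also matches. An unsigned file
    # with a matching checksum tells you "this is what they published", not "who published it".
    $trusted = ($signature.Status -eq 'Valid') -and ($hashMatches -ne $false)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $signature.Status
        Signer          = $signer
        Algorithm       = $Algorithm
        Hash            = $hash
        HashMatches     = $hashMatches
        Trusted         = $trusted
    }
}

# Placeholder path and checksum: substitute the real installer and the hash from the vendor's page.
Test-DownloadTrust -Path 'C:\Downloads\setup.exe' -ExpectedHash '<published checksum>' | Format-List
```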

Look around and we have a lot of “trust” that goes on.  The problem is really that we [the industry, not Microsoft] have embraced the web as a platform.  But when you start peeling back the layers, I'm not so sure it's a good idea to trust ANY web browser these days, ESPECIALLY if you are running in local administrator mode.

As I was studying for my GSEC/GIAC renewal, I was re-reading the sections where it talked about what “active content” in web browsers is all about.  Java, JavaScript, and ActiveX were designed to unload bits of code onto our desktops to share the computing power so that the web servers weren't so overloaded.

....wait... let's read that one again... they were “designed” to put code on our desktops.

The document newly released by the W3C.org group that is entitled “Architecture of the World Wide Web, Volume One” uses the word “security” only four times.  Hey, Guys?  Can we sprinkle that word around just a tad more than that?

In the organization's long term goals for the Web, the following three items are highlighted:

  1. Universal Access: To make the Web accessible to all by promoting technologies that take into account the vast differences in culture, languages, education, ability, material resources, access devices, and physical limitations of users on all continents;
  2. Semantic Web: To develop a software environment that permits each user to make the best use of the resources available on the Web;
  3. Web of Trust: To guide the Web's development with careful consideration for the novel legal, commercial, and social issues raised by this technology.

I don't know about you but I would feel a heck of a lot better if this didn't quite sound so much like a “Woodstock convention of free love, peace, happiness and interoperability” and had a bit more emphasis on “restricting bad guys from running code on my desktop” and a realization that we are running financial transactions and business deals on a platform that wants to take into account “social issues”.

Don't get me wrong, I think that the web has brought us a lot of good, but I don't think anyone, even now, is really thinking in a crystal ball kind of fashion about locking this browser down enough so that I don't feel that the thinnest edge of the border of my network is right now at this Internet Explorer window typing up this rant post.  It's this thin line between this browser window and the rest of the world that freaks me out the most these days.

Right now I don't trust ANY web browser.  On a daily basis Secunia.com and the web site of incidents.org remind me of this. 

Pick a browser and you'll find that if it doesn't have issues today, it probably will tomorrow or it will next week.

And the scary part about all this gunk is that more often than not it's “from remote”... out there.  The only thing that any other browser has going for it is that it's not quite so embedded as Internet Explorer is, so they can make patches a bit faster as they don't have to worry about the entire world who built applications on the web freaking out if a patch isn't tested enough and goes and kills computers and applications.  But in the big picture.. I'm not any more secure because I have fewer patch tools, and no control over any other browser without group policy.  Sure there are guys that are trying to fill in the gap like Cider giving guidance to set the settings via group policy, but I'm just not ready to install another piece of software that I can't control, can't patch, phones home for patching when I don't know about it, and that I would have to lower the security in my egress filtering firewall just so it would work.  Right now a Firefox or Mozilla browser won't work in my AD/ISA integrated environment and I'd have to tick the check box that would say “oh don't authenticate users before allowing them out the firewall”.

Sorry folks..just not going to happen here.

So what I'm ranting about folks is ...should we really be trusting ANY browser these days?

I don't think any of them are secure enough for me!

Outlook and getting it to talk to Exchange

There are times that Outlook and Exchange just do not want to be the intertwined collaborative tools that they should be and refuse to talk to one another.  [Must be something to do with the holiday season and in-laws or something.]  Cal was having issues with this and I googled up what has worked for me in the past:

How to troubleshoot connectivity issues that are caused by RPC client protocol registry entries:
http://support.microsoft.com/kb/325930

Ensuring that, under this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols

the following values are in place seems to do the trick for me:

Name           Type    Data
ncacn_http     REG_SZ  rpcrt4.dll
ncacn_ip_tcp   REG_SZ  rpcrt4.dll
ncacn_np       REG_SZ  rpcrt4.dll
ncadg_ip_udp   REG_SZ  rpcrt4.dll
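One way to check those four values from PowerShell, and with -Repair put them back, as an added example that is not part of the KB article or the original post; it assumes the expected data is rpcrt4.dll for all four entries, as in the table above, and an elevated session when repairing.

```powershell
# Added example: audit the RPC client protocol bindings Outlook uses to reach Exchange.
# Expected values come from the table above (KB 325930); writing them back needs admin rights.
function Test-RpcClientProtocols {
    [CmdletBinding()]
    param(
        # Write any missing or wrong value back; without this the function only reports.
        [switch]$Repair
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
    $expected = [ordered]@{
        'ncacn_http'   = 'rpcrt4.dll'   # RPC over HTTP (Outlook "RPC over HTTPS")
        'ncacn_ip_tcp' = 'rpcrt4.dll'   # RPC over TCP/IP, the normal LAN path to Exchange
        'ncacn_np'     = 'rpcrt4.dll'   # RPC over named pipes
        'ncadg_ip_udp' = 'rpcrt4.dll'   # RPC datagram protocol over UDP
    }

    if (-not (Test-Path -Path $key)) {
        throw "Registry key $key does not exist; the RPC client bindings are missing entirely."
    }
    $current = Get-ItemProperty -Path $key

    foreach ($name in $expected.Keys) {
        $property = $current.PSObject.Properties[$name]
        $actual   = if ($null -ne $property) { [string]$property.Value } else { $null }
        $ok       = ($actual -eq $expected[$name])

        $action = 'None'
        if (-not $ok -and $Repair) {
            # REG_SZ value, as in the table; Set-ItemProperty creates the value if it is absent.
            Set-ItemProperty -Path $key -Name $name -Value $expected[$name] -Type String
            $action = 'Repaired'
        }

        [pscustomobject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = $ok
            Action   = $action
        }
    }
}

# Report only; add -Repair from an elevated prompt to fix whatever shows Ok = False.
Test-RpcClientProtocols | Format-Table -AutoSize
```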

Exchange's 16 gig limit - technology issue or a people issue?

There's an application that's a bit out of date on our boxes.  No, I'm not talking about patching, I'm talking about an app that still thinks we're in the year 1999.

Exchange.  You know what I'm talking about .... the 16 gig maximum storage limit that any Exchange Standard [not just SBS] has to deal with.  You can kick it temporarily up to 17 gigs, clean it out and defrag it, but you are just buying yourself time.  When I was on my old server and we were increasing file storage space at a rate of about a half a gig per day when we were scanning like crazy, it felt like a ticking time bomb about to explode as I saw the space reduce and reduce and reduce.  If you are anywhere near 16 gig on that Exchange, you too must feel like you are heading towards a brick wall.

Exchange Server Mailbox Store Does Not Mount When the Mailbox Store Database Reaches the 16-GB Limit: http://support.microsoft.com/?id=828070  That KB will help to temporarily move the 16 gig to 17 gig so you can clean out your store enough to get yourself below the 16 gig again.  But it's not a permanent fix.

And....there's another issue you should be looking at.

Liability.

Every additional gigabyte of data that you store in that mail server is one more bit of evidence that can be asked for in a wrongful dispute, contractual argument, you name it.  Who's been nailed with email evidence?  Only people like ...oh.. Bill Gates, Martha Stewart, Enron and WorldCom, but even little firms can have issues too.  Take a look at this newsletter [in PDF] of all the stuff that can be retrieved.  Think about the emails you have in your inboxes.  What risks do they pose for you?  Do you really need that junk in there?  When I migrated to the new server I purposely left behind my old emails because I had already saved those emails I needed and quite honestly all the rest was total junk.  Even right now I know people have “deleted” emails but they are still sitting in the deleted mail folder and thus they are still counting towards my 16 gig limit.

Have we given feedback to Microsoft that we too think 16 gig might be a tad on the small side these days?  Yes.  16 gigs was the limit built when a 20 gig hard drive was huge.  I think nothing of 100 gig, 200 gig hard drives these days.  Thus is this a limit that even I think is artificially too low and out of date?  Yes.  I couldn't see that 16 gig would fit any MEDIUM sized firm let alone small ones.  Given that Exchange Enterprise jumps the limit from 16 gig to 16 terabytes...somehow I think there's an Exchange “mid sized” SKU somewhere in the middle that is waiting to occur.  But then again I'm not sure of the technical limits or issues to know if that's what is the “deal breaker” here.  We'll have to see if anything is done on this.  In the meantime the only way to get above 16 gig is to move to the Exchange Enterprise version [and get ready for the sticker shock].

Bottom line, though, realize that this isn't quite the technology issue, but more of an “end user management issue”.  You have a small office whose end users are not managing their email.  Increasing the limit above 16 gig is only going to make the management issue more of a problem, and the potential for litigation even higher still.

It still comes down to the people issues, doesn't it?

Time Syncing

One important thing in a DC setting is to make sure everyone is on the same “watch”, timeclock, in sync and happy.  For those running SBS 2003 Premium, just a reminder that the packet filter automagically built by the wizard is set to TCP, not UDP, for port 123, and UDP is what is needed.  Therefore, follow this KB to set it up correctly:

The server cannot synchronize with an external time source after you run the Configure E-mail and Internet Connection Wizard on Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887355

Then follow the excellent documents from Mariette on the SBS site:

Smallbizserver.Net > SBS 2003 > Server issues > How to fix time synchronization errors:
http://www.smallbizserver.net/Default.aspx?tabid=156
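A direct way to tell whether UDP 123 actually gets through that packet filter, as an added example that is not from the KB article or the smallbizserver.net write-up: a minimal NTP (SNTP) client request over UDP from PowerShell.  It assumes the .NET System.Net.Sockets.UdpClient class and a time source you name; time.windows.com, the Windows default time source, is used as the sample target.

```powershell
# Added example: send one NTP client request over UDP 123 and decode the reply.
# If this times out while the same host is reachable otherwise, the packet filter is the likely culprit.
function Get-NtpTime {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$TimeoutMs = 3000
    )

    # 48-byte request; first byte 0x1B = Leap 0, Version 3, Mode 3 (client). The rest stays zero.
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)   # throws a SocketException on timeout
    }
    finally {
        $udp.Close()
    }
    if ($reply.Length -lt 48) { throw "Short NTP reply from $Server ($($reply.Length) bytes)" }

    # Transmit Timestamp: bytes 40-43 hold whole seconds since 1900-01-01 UTC, big-endian on the wire.
    [byte[]]$secondsBytes = $reply[40..43]
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($secondsBytes) }
    $seconds = [BitConverter]::ToUInt32($secondsBytes, 0)

    $ntpEpoch  = [DateTime]::SpecifyKind([DateTime]'1900-01-01', [DateTimeKind]::Utc)
    $serverUtc = $ntpEpoch.AddSeconds($seconds)
    $localUtc  = [DateTime]::UtcNow

    [pscustomobject]@{
        Server        = $Server
        ServerTimeUtc = $serverUtc
        LocalTimeUtc  = $localUtc
        OffsetSeconds = [math]::Round(($serverUtc - $localUtc).TotalSeconds, 3)
    }
}

# Sample target: time.windows.com, the default Windows time source. Replace with your own source.
try {
    Get-NtpTime -Server 'time.windows.com' | Format-List
}
catch {
    Write-Warning "No UDP reply on port 123; check that the ISA packet filter allows UDP, not only TCP. ($($_.Exception.Message))"
}
```

A large OffsetSeconds with a reply means the filter is fine and the clock itself is wrong; no reply at all is the packet-filter symptom the KB describes.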

Is having "cached credentials" enabled a security risk?

Just to bring to the top of the blog a comment about having “cached credentials” turned on in your network that I referred to in the prior post.  A recent post to Russ Cooper's NTBugtraq questioned the “security” of having cached credentials enabled, but Russ failed to post any information regarding the “flip side” of disabling the setting.  Keep in mind that if you totally disable cached credentials, any laptop off the domain will not be able to log into that domain profile.  Thus disabling “cached credentials” [the ability to log into a “non existent” domain until the domain comes back online] shouldn't be done [if at all, down here in SBSland] unless you are mandated by having to follow some misguided Department of Defense guidelines or something.  It's going to cause you way way more headaches than any security value you might think you are gaining.

From the Threats and Countermeasures guide.....

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally so that, in the event a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users whose logon information is cached locally.

If a domain controller is unavailable and a user’s logon information is cached, the user is prompted with the following message:

A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

If a domain controller is unavailable and a user’s logon information is not cached, the user is prompted with this message:

The system cannot log you on now because the domain is not available.

The possible values for this Group Policy setting are:

  • User-defined number (between 0 and 50)
  • Not defined

Vulnerability

The number assigned to this setting indicates the number of users whose logon information the server caches locally. If the number is set to 10, then the server caches logon information for 10 users. When an eleventh user logs on to the computer, the server overwrites the oldest cached logon session.

Users who access the server console will have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the systems’ registries which are spread across numerous physical locations.

Countermeasure

Set Number of previous logons to cache (in case domain controller is not available) to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers.

Potential Impact

Users will be unable to log onto any computers if there is no domain controller available to authenticate them. Organizations may want to set this to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user’s logon information will still be in the cache even if a member of the IT department has recently logged onto their computer to perform system maintenance. This way, those users will be able to log onto their computers when they are not connected to the corporate network.
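An added example, not from the guide or the post, that reads the value this policy writes on a machine and spells out the trade-off the post is making.  It assumes the policy's backing registry value, CachedLogonsCount under the Winlogon key, and the Windows default of 10 when that value is absent.

```powershell
# Added example: report the effective cached-logon count on this machine and what it means for
# users who log on while no domain controller is reachable (the laptop-off-site case).
function Get-CachedLogonAssessment {
    [CmdletBinding()]
    param()

    # "Interactive logon: Number of previous logons to cache" is stored here as a REG_SZ string;
    # when the value is absent Windows uses its default of 10.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item  = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $raw   = if ($null -ne $item) { $item.CachedLogonsCount } else { $null }
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    $assessment = switch ($count) {
        0 {
            'Offline logon is disabled: no domain account can log on while a DC is unreachable, ' +
            'so laptops away from the office are locked out of their domain profiles.'
        }
        1 {
            'Only one logon is cached: an administrator logging on for maintenance evicts the ' +
            'regular user''s entry, and that user loses offline logon until the next DC-connected logon.'
        }
        default {
            "$count logons are cached: offline logon works. The guide suggests 2 for end-user " +
            'systems so that one maintenance logon by IT does not evict the machine''s owner.'
        }
    }

    [pscustomobject]@{
        CachedLogonsCount = $count
        ExplicitlySet     = ($null -ne $raw)   # False means the Windows default is in effect
        Assessment        = $assessment
    }
}

Get-CachedLogonAssessment | Format-List
```

Change the number through Group Policy (Security Options) rather than by editing the value directly; a domain policy re-applies over a local registry edit.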

Planning for the worst

The big server land folks think we're crazy.  They have redundant domain controllers, backup this and that, failover, you name it.  Heck most of the “big server” folks that even try SBS say that they would never set up one without a secondary domain controller [you guys know whom I'm talking about], so when people post into the newsgroups that they want a totally backup second server, a failsafe failover, a total redundancy, I'll be honest with you.

It's a total waste of your money.

In the years that I've had computers in my office, which is exactly 1 month after I started work there, the following “things” have died.

  • One server NIC with the Novell network we had ages and ages ago.  [I attributed this to the SBS 4.0 in a newsgroup post, but in hindsight I was wrong, this was on the Novell]
  • One switch.
  • One server NIC on the SBS 2000.
  • One hard drive off the RAID 5.
  • A couple of viruses way back when.
  • Numerous floppy disks [which is why we don't save this way any more]
  • Numerous numerous cases of the “fatal finger” which I still fight to this day.  To have the ability to save, you also have the ability to move.  Someone will buzz me and say “I can't find the folder for Client ABC” and 100% of the time the folder has been accidentally slid over to and under its next-door neighbor.
  • Numerous cases of “oh my gawd the file is gone” when they are trying to open an Excel file in Word, or a Word file in Excel and of course you only see that “kind of file” from inside the program.

Bottom line, while I did buy spare hard drives this time for this server, I honestly don't feel that we in SBSland are spending money in the right way if we “have to have” a duplicate spare computer.  Read the backup documents, test it out, but I still believe that our server dollars are better spent elsewhere.

If you buy good quality hardware, the risk is less to begin with.

Money is better spent on an antivirus package that covers the server, the mailboxes and the desktops.  It's better spent on better equipment from the get-go.  It's better spent on security awareness and training.  It's better spent on Windows XP SP2 and Office 2003 on every desktop.

It's not better spent on a secondary domain controller, or a duplicate server.  Of course that's my opinion, but I don't have my network set up this way and just haven't felt the need.  What would you rather your clients spent their budgets on?

P.S.  XP computers use cached credentials and with the use of Outlook in cached mode, I can literally stay working on my local machine and the workstations don't care if the server drops off for even a security patch reboot.  I still say that I don't see a huge need to have a complete spare server as long as I have “good server quality equipment” in the first place.  I still find it difficult to justify the added complexity of the secondary domain controller unless you are dealing with the issues of a branch office location.


Securing Microsoft Small Business Server 2000

So I'm up really late...um, early today because I wanted to get my GSEC renewal out of the way.  6 binders were laid out in front of me as I took the online exam.  And I just finished up ...yeah... I recertified!  Yeah!  I had to laugh... one of the questions had to do with passphrases.  You can bet the GSEC folks don't recommend a password of “password”.

So I'm just kinda “brain vegging” out now, finishing surfing the site, when I notice a recent GSEC certificate holder did a practical that is called “Securing Microsoft Small Business Server 2000”.  Way to go Matt Gibson for showcasing in your practical that SBS is a box that you CAN build on security [even SBS 2000 for that matter, and I would argue that SBS 2003 is even better].  A practical is the first part of the GSEC exam process where you write a “white paper”.  Most students hated that part, but I LOVED writing the practical.  I look back at mine now... it was so lame.  Back then I thought Power User was good enough security on my desktop.  Now, I totally agree with Matt's assessment of killing off Win98s and removing local admin rights.  The next advanced version of Harry's book will have a “how to” from Jeff Middleton on this concept.

Oh I could just kiss Matt for this paragraph:

“The single adapter configuration is potentially the least secure of all the SBS network configurations, due to the fact that ISA can only be used for its caching components, and not its firewall or proxy components. Far too often, the firewall (if any) used in this topology is only a basic NAT/PAT router, with no proxying or access control list capabilities. Unless the firewall can provide advanced ACL capabilities, this configuration should not be used. If a hardware firewall must be used (corporate policy), then it should ideally be used in conjunction with ISA, not as a replacement for it. This configuration should be avoided at all costs, as it does not provide any advantages over the two NIC configuration, while coming at a higher security risk.”

We constantly get into the one NIC/two NIC arguments, including inside Microsoft's own documents.  I'll keep a firewall/router on the outside, but I LOVE my egress filtering firewall smack dab on my domain controller, thank you very much.

If you are still maintaining an SBS 2000 network this is a pretty good security primer on that platform.  Keep in mind for SBS 2003, a lot of the “tightening” listed here is automagically done, and then some, for that platform.  The Everyone group in Windows 2003 no longer includes “Anonymous”, auditing is already turned on; a lot of the tweaks he has in here are already on the SBS 2003 system.

Check out Matt's practical!

He posts, he SharePoints, he Blogs... I think he doesn't sleep!

One of the most tireless people I know is Eric Ligman who is the Small Business Manager out of the US Central Region.  Tonight I got an email saying that they've opened up a MSSMALLBIZ blog.

Kewl!

We are happy to announce that the MS Small Business Community has launched the third component of our Community, the new Community Blog.  Be sure to check it out and watch for posts from our team rolling out in the future containing additional tips, tricks, thoughts, information, etc.

Now while the Mssmallbiz yahoogroup and the Mssmallbiz community site are not “SBS” specific, Eric and his crew are VERY SBSized and if you have any questions or issues or clarifications, especially in licensing, he's your man for that.

I'm going to sound like a broken record again, but RSS feeds in NewsGator or your favorite RSS reader are indeed the way to keep up on all this stuff.  And now we have another community resource for the Small Business marketplace!  Eric and the Mssmallbiz site, in my opinion, point out what we've known all along: we can be agile down here and provide services quickly and easily.  Eric and his group started out with the SharePoint site on an externally hosted location to support “non domain” users, then his group added the yahoogroups to support the communication, and now the blog as an additional communication tool.  Other than the web site, there isn't a huge budget involved in the yahoogroup or the blog technology.  He showcases exactly what an agile small business can also do to get the word out.

Speaking of blogs, there's another one that I spotted yesterday of interest.  The Small Business Trends blog talks about the “anti trends” of the year.  One of the bullet points caught my eye:  Technology Convergence: He sees bundling between broadband, wireless and other communications technologies. Voice, wireless, TiVo, messaging -- they all will converge. You'll retrieve cell phone messages through your computer, and computer messages through your cell phone.  We're seeing more of that in the newsgroups, of people coming in and asking “what version of smart phone did you buy?”  Another trend I spotted [and that we SBSers are already reacting to] is a post in the blog Microsoft Monitor that indicates more and more small and medium businesses are having Macs around.  What have we SBSers done as a result?  Recommended calling our domain names .lan and sending more and more people to Eriq Neale's site.  Don't forget to also visit SeanDaniel.com's site for his mobility tips.

What if?

What if your worst nightmare came true?  What if your client called you up in a panic that something really bad happened to his office?  Would you be prepared?  Would he?  The other day on a listserv someone asked about Business Continuity Planning documents and I don't think I took the time to google up examples.  Well tonight I was reading some stuff for my GIAC renewal and one of the chapters was on basic policies, and here are some sample Business Continuity plans for your review:

MIT Recovery Plan Master:
http://web.mit.edu/security/www/pubplan.htm

University of California Plan:
http://www.ucop.edu/ucophome/policies/bfb/is3.pdf

UWS - Year 2000 Business Continuity Plan:
http://www.swan.ac.uk/uws/y2k/bcplan.htm

California CPA Society sample disaster plan:
http://www.calcpa.org/MAP/disaster.pdf

Disaster Recovery Journal's - Sample Plans:
http://www.drj.com/new2dr/samples.htm

So as we start the new year... are you ready?  Are your clients ready?

Where's your dataflow diagram?

My what?

You know what I mean, don't you?  What are all the ways that data can get into your network?  Does “little Johnny's” use of the boss's home computer impact that firm's network and its security?  You bet it does.

Microsoft recently opened up an “at home” security site that is designed to ensure that as we talk “basic security” to folks, they won't suddenly “glaze over on you” as they are apt to do sometimes.  We, all of us, need to do a better job of educating all of us out here.  None of us are immune from possibly being tricked.

Empowering employees to stop and ask me when things occur is one thing I'm trying to increase.  The Security 360 webcasts are now adding “checklists” to each monthly video and one of the prior ones talks about “Establish a central location, such as an e-mail alias or intranet site, where employees can report unusual activity.”  Hmm... doesn't that sound like SharePoint to you?  And remember our past Blog to SharePoint post?  Couldn't you see this to be part of that?  A centralized place of links to go to for basic security answers.

CNN/Next was just talking about the “National Do Not Call” email hoax that was floating around.  Last week they had a huge spike in posts to the web site.  And last week my Dad called me about this very email.  His age group in particular is very much being targeted to be tricked into downloading and clicking.

I've also found that I need to let people know about the “Snopes hoax” site because on a regular basis hoax emails float around.  There have been a couple of times that people have sent me “forwarded warning emails” and I immediately recognize it as a hoax.

So check out the At home site.  You might find some things to use in better educating your clients so that the “dataflow diagram” for that network is more contained to that network.

I was going to say something about Lycra and Tights ...but maybe not

Anyone in the Toronto area on January 11th is in for a treat.  While it's SMBnation day in Toronto, it's turning into an unofficial get together for Canadian and northern USA SBS MVPs and SBS Family members.  If you happen to be anywhere near [or know someone who is] get your cold buns on over to Toronto for this event.

Honestly the face time and community time and let's face it, beer time is just as good as the event itself. 

Looks like besides Harry, that Les [is more], Cal and Dave will be there.... maybe others from the SBS family?  I know that Gavin is planning to be there.  Check it out if you are anywhere near that region!


Great news!!!  Small Business Server (SBS) author Harry Brelsford will be returning to Canada on January 11, 2005 to deliver his popular one-day Windows SBS 2003 workshop.  This workshop provides a third-party look at SBS from both business and technical perspectives. Full workshop details are available at www.smbnation.com.

The workshop will take place from 9am-5pm at the Wyndham Bristol Place, 950 Dixon Road, Toronto, Ontario M9W 5N4. Phone 416/675-9444

The registration fee is $125.00 CAD and space is limited! All attendees will receive a complimentary copy of Harry's book titled "SMB Consulting Best Practices," an $80 CAD retail value. Continental breakfast and lunch will be provided.

To register for the event, please visit www.smbnation.com or email Nancy Williams at sbs@nethealthmon.com.


Dual Monitors the "Cheap Way"

As you go to Paperless [um... how about we all just call it a less paper] office, you find that one of the things you need is MORE MONITORS.  Yes, count them, not one, not two but I've got a guy here in the office with three monitors.  He can spread his spreadsheet across three monitors.  Basically here are the ingredients you need for at least dual monitors:

  • A computer running Windows XP [preferably XP sp2]
  • The monitor card that came with the PC
  • A relatively inexpensive PCI slot video card

The card that came with the computer is more often than not an “ATI” style of card.. you know the monitor cards that I call having the little “foot”.  Then you slide in the second PCI card into a free slot and voila, you have two monitors side by side that can have one thing on one monitor and another thing on the other, or one object slid across both screens.  For that it's best to have “matching sized” monitors.  For him to get three monitors, I bought a Quad Matrox card off of ebay and had it installed in the system.

I personally have one 19 [it might be 20] inch flat screen and a 15 inch flat screen.  It's also nice because I can throw webcasts and things up there on the second screen and not bother my main screen.

Personally I think we just need to all get one of these and be done with it.  What do you think?

P.S.  Forgot to say that most laptops these days can automagically do “dual monitors” as well.  Check it out!  That “external monitor connection” that you used to only use for powerpoints can be used for two screens as well, the laptop screen and an external monitor. 

It's just not a Bradley family holiday without some event

[warning off topic blog post]

It's just not a Bradley holiday season without an “event” occurring.  You know... an event.  When I was much younger one year the event occurred when I was attempting to recreate “Chestnuts roasting on an open fire” California style and placed fresh Chestnuts in the Oven.  I opened the door to check them and somehow the open oven door with the cold air interacted with the warm chestnuts and .... well.. I had an explosion of Chestnuts all over the kitchen ceiling and chestnut meat in my hair.

Another year my Mom roasted the turkey with the plastic giblet bag still in the neck cavity.

Another year I caught bread dough on fire in the oven [even had firemen come to the house on that one]

Another year we were opening up a Whipped cream canister [the cool ones from Williams Sonoma that you “re-charge” yourself] and the leftover cream that was inside shot through the open kitchen window to the outside [it was still under pressure]

Last year a one inch water pipe broke in our bathroom and flooded our living room.  I walked in from the garage, heard water running, thought the lavatory got stuck and realized...uh oh.. when my shoes went “squish squish”.  We had carpeting we wanted to remove anyway... we just kinda removed it a little sooner than we planned.

So tonight my sister comes home and is talking on the phone and notices some brown sticky stuff and thinks that I've dropped maple syrup on the tile.  Little does she realize that I haven't had maple syrup in about a month... and then she realizes there is “syrup” on the front ...the front of the fridge. 

You see my Dad was trying to get the ceiling blade fans to straighten out so he um... varnished them... and um.. then after he thought they were dry.... um... and turned on the fans and ...... oh yeah.  That brown maple syrup was actually varnish.

One messed up manicure later as Karen [my sister] and I [we share the house together] scraped the varnish polka dots off the walls, the floors, the tile, the ... well kinda everywhere and in this really interesting arc-ing pattern.  Amazingly it came off.  [Poor Dad felt kinda bad but in hindsight it's really funny now]

Happy Holidays everyone.. NOW it's truly the holiday season at the Bradley house... we've had our annual holiday “event”.

P.S.  Do you kinda get the idea that you don't want to be invited over for Christmas dinner at our house without wearing some kind of body armor?

So let's all switch to Firefox and solve all our problems, right?

Not so fast.  Read this first.

Rule of Susan:  If it browses, don't trust it.  If you think that switching to another browser of your choice will solve all of our problems, I have news for you.  It won't.  Heck, spammers are even using blogs for spam these days!

As long as I can't group policy or remotely patch Firefox, I don't consider it a viable option for business, even a small business.

They've figured out how to blast through popup blockers, they spam blogs, they hijack web page ads; obviously there's a financial incentive for all this gunk, otherwise they wouldn't do this stuff.

So meanwhile, we're driving out here on the web with all this junk along with all the normal spam email I get like Rolex ads and what not.

I'm honestly browsing these days with IE in high security.  Yeah, pages like hp.com look ridiculous, but at least I'm being super duper paranoid.  I'm just not willing to move over to another browser that I'd have to actually lessen my security for because it doesn't authenticate well to ISA and doesn't have a patch tool like the one I have with Shavlik so I can patch it remotely.  I'll stick with using my tweak bar tool instead, which makes it easier to add sites to the trusted zone.

So I have a SBS and I'm supposed to download Windows Server 2003 SP1 right?

WRONG.

First off, it's still a beta - it's only a release candidate so DON'T PUT IT ON YOUR PRODUCTION NETWORK.

Next off, while the “normal” rule is that any patch for the “normal” server is okay for us, we're going to get our own special version of Windows 2003 sp1 as part of our SBS 2003 sp1 combo.  The plan right now is to release “our” SP about the same time as our big brother server patch.

“Our” SP will also have [for premium customers] the eagerly awaited ISA 2004 upgrade.  At this time, while I'd probably suggest [and I honestly need to do this myself] that you start PLAYING in a NON PRODUCTION setting with ISA 2004, you DON'T [yes, I'm shouting] want to install this on your client's servers or even YOUR production network.  Word is that the SP will be available for just shipping/handling/media costs.

So don't download this Server sp release candidate.  Patience.  Wait for ours.

It's that time of year

No, not Christmastime or Hanukkah or anything like that, I'm talking about the season of the year that is the Social Engineer's best time of the year. Social Engineer... you know, someone devious who takes information about a company and, with the bits of info they have, “tricks” their way into a place they really shouldn't be in.  This is the time of the year that if you send an email to a listserve that is set up for direct replies, you will get a cornucopia of potential ways for “social engineering attacks”.

Just exactly what the heck am I talking about, you ask?  I'm talking about “Out of Office messages”.  Those lovely emails that tell people you are out of your firm and, depending on how you've set them up, may even give such juicy details as to expose too much information about your office.

My personal favorites are the “out of office messages” on listserves that in turn cause the mailbox to respond to its own out of office message, such that you end up in a virtual loop of out of office messages.

The best series of “out of office messages” I got was last Christmas eve when I sent an email to the ntbugtraq list.  All of a sudden I got hundreds of emails in my inbox.  I was truly amazed at the amount of detailed information that firms were allowing out the door.

I personally don't turn them on here.  We have enough remote connectivity, or people with delegated rights to mailboxes, that it just doesn't make sense to turn them on.

The other interesting tool that I've seen used for social engineering is a book I bought off of e-bay.  [Okay, you already know I'm a bit strange, so here goes this confession.]  I bought a book off of ebay that was previously held by the FBI as evidence in the Kevin Mitnick case.  The book was a “Western Washington Technology Firm” Who's Who and listed the CEO, President and key employees along with phone numbers, addresses, etc. 

Told you I was strange.

Microsoft acquires anti-spyware company

Today, Microsoft announced that we have acquired GIANT Company Software Inc., a New York-based company that develops anti-spyware and Internet security products. The goal of this strategic investment is to help our customers keep spyware off of their computers with new solutions that they can use in the near future. It also provides us with a solid foundation for delivering new long-term solutions.

In order to help protect customers as soon as possible, we plan to roll out a beta offering of a new spyware prevention, detection, and removal solution based on Giant's technology within the next month. The solution, which will be available for Windows 2000 and later operating systems, will enable customers to decide whether to block, find and remove spyware and other unwanted software from their PCs. Together with the security technologies in Windows XP Service Pack 2 that improve the security of browsing, this solution will offer a higher level of protection for customers on the Internet.

We are also tackling the spyware issue in other ways, including consumer guidance & engagement, industry collaboration and cooperation with legislators & law enforcement.

This acquisition reflects Microsoft's deep commitment to security. We intend to continue investing in solutions to help protect customers against all types of malicious software, not just spyware.

Details on timing and terms of product availability for our new anti-spyware offerings are yet to be determined. It will be available for Windows 2000 and later operating systems.

Microsoft has posted more information on our efforts to combat spyware on: http://www.Microsoft.com/spyware

Thank you,

Microsoft PSS Security Team

RAY-ISM: Can't see your member server/Terminal Server in the "Connect to my Application Server" Box?

If you logon as a regular user (with user, mobile user, or power user), you should see the option. If not, verify that

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal\KWLinks\AppTS

is set to 1.

Ray Fong
Microsoft SBS Product Support

This posting is provided "AS IS" with no warranties, and confers no rights.

The Ray-ISM category is dedicated to Ray Fong who suffered through teaching a bunch of unruly SBS MVPs in Charlotte.

Remember once an SBSEr, always an SBSer.

My favorite blonde patch tool is coming out with a beta

You've heard me rant on and on about this before, but MY FAVORITE blonde patch tool is opening up a beta probably next week.  A new version of HFNetChkPro is going to be released into public beta next week.

Sign up with a username on the Shavlik forum at http://Forum.Shavlik.com/ and then send that username alias to beta@shavlik.com to participate on the beta.  Word is that [sniff sniff] it will separately state SBS 2000 and 2003 and we won't be lumped in with our big brothers anymore but have our own space.  Kewl!

Literally in the time of me typing up this blog post, I can scan and start sending patches to my entire network.  The thrill I get hearing the choruses of Windows restarting around the office gives me chills.  [Okay so I REALLY need a life]  Right now on this workstation of mine, while behind an egress filtering firewall on SBS2003, my issue with getting to Windows update is fixed, however my workstation is still not automagically pulling down patches [I'm leaving it as automagically WUable just to test]

I'd much rather have a tool that is separate from the WU feature and gives me an audit trail and report as well.  Remember my patch management interview I talked about?  When people ask “how can you justify a patch management solution” ...and to that I say...how can you NOT when patching for 25 workstations is about $24 a workstation. 

It just makes sense to have a tool, and I'll be honest with you, you'll have to pry my dead cold fingers off of my Shavlik patch tool.  While it may not be quite enough to get us SBSers to “fully installed” patch status, as it does not do our important but not security critical patches, it sure is a network lifesaver once that system is built.

I think this is one beta you'll want to check out.

SBS KB's of interest

The Configure E-Mail and Internet Connection Wizard may not run successfully, or you may receive a "0xc0000409" error message in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=888817
Group Policy processing fails with Events 1058 and 1030 in Windows Server 2003:
http://support.microsoft.com/?kbid=830676
High CPU usage occurs, and event 7023 is logged in Event Viewer in Windows Server 2003:
http://support.microsoft.com/?kbid=888193
The System tool and Task Manager do not correctly calculate 4 gigabytes of RAM in Windows Server 2003:
http://support.microsoft.com/?kbid=888855
Network performance and data throughput may be significantly slower after installing Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=842264

"Show only specified control panel applets" policy does not display applets that use dynamic icons in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=889085

A note from Handy Andy - Chat tonight!

Hi Gang,

Today or tonight depending on your time zone is the SBS Chat at
www.mcpmag.com/chats

7:00pm est 4:00pm pst and if I did it right midnight gmt

Hope to see you there,

Andy Goodman, SBS-MVP, MCP, DownHome Computers 

A.K.A HandyAndy on the SBS forum at
http://mcpmag.com/forums/display_forum_topics.asp?ForumID=67
"If you can't find the key to success, pick the lock."
                              Author Unknown

Two more patches you might need

There are two other patches that came out today... one is a re-release of the GDI+ patch that affects Visual Basic, .NET framework and Windows Messenger.  The other is a patch for the XP sp2 firewall and is available on Windows Update.  Since it's not deemed a Security patch, I'm not sure it will be on Shavlik.

Don't forget we still need to apply the mitigation patch for ASP.net for our Sharepoint and Remote Web Workplace.  There is still a final security patch in the works but this will fix us up ship shape and keep us protected for now.

HELLO OUT THERE PEOPLE!!! WE EXIST!

Today on a comment posting, I noticed a blog link and followed it. And there on the page I found this post:

Tools people should be using but apparently aren't aware of.:
http://jamesatuncw.com/blog/archive/2004/12/11/220.aspx

"I'm getting a little confused, disappointed, and downright upset by the high number of "computer professionals" I am meeting that simply know nothing about certain tools made by Microsoft, mostly for free, that really help administrators"

Amen James to that. I find it funny sometimes that a little SBSer tells enterprise folks about the power of Group Policy as well. And a bit down in the blog post was this phrase:

"The fact that Small Business Server exists"

Yup, I hear ya James. There are times when people who have entered from the Enterprise venue post into the newsgroup and I just want to box their ears when they post “well I just did a DCPromo and now need to know how to install Exchange 2003”. Yo, Dude? We don't DCpromo in SBSland…well we do, but only during gunky migrations and what not; we certainly don't do it when the SBS wizard does its own install.  And Exchange gets automagically installed!  What are you doing trying to manually install it? 

I still remember how “I” first heard about SBS 4.0. From a fellow accountant who was in the technology biz and thought it was perfect for our sized firms. I still think it is. Of course these days with the document imaging that we’re doing it’s starting to be the “SBS + some other big storage device because we can’t fit it anymore on the server”, but nonetheless I still see it as being the perfect base to many CPA firms.

So hello world!! We’re out here!! Find us!

Remember we do everything [and more] that a small firm needs just like the big guys. Heck Tim was asking me this morning about how to directly manipulate files in the Sharepoint/SQL database and I’m like… uh.. Tim.. my knowledge of SQL consists of Google, a step by step that Jerry wrote up so I know how to setup blogs, and enough knowledge to know that fellow SBS MVP Steve Foster is the one that people should ask questions about SQL.  Uh.. Steve?  There are so many things that we can do with our boxes and it's sad that folks don't even know we exist.


P.S. To the party who just logged in while I'm typing this on IM with the name “JeffZi – OS&B Resurrected!!!!!” …okay what's up with that, huh? ;-)

In reply: An open letter to Steve Ballmer

First of all, I want to thank you for your comments regarding your high level of satisfaction with Windows Small Business Server and our support services. We value the hard work and contributions of our MVPs and customers, and strive to live up to their challenges.  Through your efforts, we are able to build a better product, and we look forward to your continued support and feedback.

At Microsoft we are constantly re-evaluating our product, sales, and support offerings to identify changes that will provide better service to our customers.  As you pointed out in this blog post, we are planning to make changes in the near future to the way support services are provided for SBS.

Please rest assured that we are doing everything possible to guarantee that our customers continue to enjoy the high level of support that they have come to expect for SBS, and that we want you, partners and members of our SBS community, to continue to hold us accountable to these high standards as we're making these changes.

As is often the case, there may be issues or “hiccups” in the short term that need to be ironed out during this transition, but we believe that our partners and customers will ultimately be better served by this change.

I want to take this opportunity to thank the SBS MVPs for their valuable feedback, the effort and the time they spend helping others in the newsgroup and for all of their contributions to the SBS community. You make a difference.  We're listening.

Eugene Ho

Director – Windows Small Business Server

Security Bulletins today

Microsoft Security Bulletin MS04-041
Vulnerability in WordPad Could Allow Code Execution (885836)
http://www.microsoft.com/technet/security/Bulletin/MS04-041.mspx
Severity: Important

Microsoft Security Bulletin MS04-042
Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)
http://www.microsoft.com/technet/security/Bulletin/MS04-042.mspx
Severity: Important

Microsoft Security Bulletin MS04-043
Vulnerability in HyperTerminal Could Allow Code Execution (873339)
http://www.microsoft.com/technet/security/Bulletin/MS04-043.mspx
Severity: Important

Microsoft Security Bulletin MS04-044
Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)
http://www.microsoft.com/technet/security/Bulletin/MS04-044.mspx
Severity: Important

Microsoft Security Bulletin MS04-045
Vulnerability in WINS Could Allow Remote Code Execution (870763)
http://www.microsoft.com/technet/security/Bulletin/MS04-045.mspx
Severity: Important

When last they were seen, they were on their way to the airport

Last Friday at Lunchtime... um.. I mean in the afternoon... um... I mean in the evening... two guys flew down.... um...well drove down....in the fog no less, to video tape some “sound bytes” for a Mike Nash [Mr. Blue shirt and nothin' but blue shirts] Security 360 video.

I warned them about FresNO's [David Spade commercial] reputation for puddle jumper flights but I forgot to tell them about the even worse issue of cancelled flights. So there they were in San Francisco ...getting delayed...getting delayed... and finally the flight was cancelled, they grabbed a one way rental car from San Francisco [they were coming from Seattle] and started driving....and...hit traffic....and fog....

Poor guys.  Needless to say it was fun and hopefully I won't do as much “blinking” of my eyes as in the soundbyte thing I did for Trend Micro. 

One of the questions that they asked that just floored me a bit was:

What are some of the ramifications of not having a patch management program in place? Or, put another way, how do you make a business case for patch management?

Yo, folks?  How can you NOT make a business case for patch management?  It's just good business.  Especially now with AB1950 kicking in in January:

"This bill would require a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. "

"A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. "

I argued on the Patch Management.org listserve [that I got a plug in for during the soundbyte interview, I might add] this question: is using an end of life, no longer patched OS "reasonable security procedures"?  Methinks there's going to be a few Attorneys getting rich arguing over that definition.

Mind you this is an argument over EOL for Redhat 9.0, 8.0 etc, not Windows NT.

As I pointed out in the post, ever listened to "Death of the DMZ" by Steve Riley? As Mr. Riley points out the original RFC[a] for tcp/ip states that "security was not taken into consideration".

We've got systems set up that were never intended to run over "untrusted" communication, and now we're still using them, how many years later, on the Internet, where these days we shouldn't be trusting even the people "inside" the wall.

Check this out...

An Applications View on Security:
http://www.eweek.com/article2/0,1759,1738991,00.asp?kc=EWRSS03129TX1K0000614

In fact, more than 80 percent of companies have detected system penetrations of internal origin, according to data compiled by insurance brokerage and risk management company Arthur J. Gallagher & Co., in Itasca, Ill. This means that applications performing their normal function, at the behest of authorized internal users, must be viewed as dwelling in hostile territory rather than in trusted environments.

I mean, when you have employees like this... who needs enemies on the outside of your wall? [Well, ya guys, now do you see why I keep saying audit logs and ISA logs are a good thing?]

[a] which I think is this one

P.S.  For the record I did not wear a blue shirt.

Tomorrow is Tuesday

As Cory points out rightfully so... tomorrow is Patch Tuesday:

* Tune in tomorrow for the chills, spills and thrills of no less than *FIVE* security bulletins!
* Recoil in horror as you realize one or more of these bulletins will be *IMPORTANT* in severity!
* Cry out as you may or may not be forced to reboot!

All this and MUCH MORE awaits you at the Microsoft Security Bulletin Advance Notification site! http://www.microsoft.com/technet/security/bulletin/advance.mspx

Tomorrow I'll be posting the bulletins in here, and giving a brief overview, but watch out for something new coming up that [I hope] will be of value to more people.  Stay tuned.

MERRY CHRISTMAS (In Legalese):

For your reading pleasure during this holiday season . . . :)

Please accept without obligation, express or implied, these best wishes for an environmentally safe, socially responsible, low stress, non-addictive, and gender-neutral celebration of the winter solstice holiday as practiced within the most enjoyable traditions of the religious persuasion of your choice (but with respect for the religious or secular persuasions and/or traditions of others, or for their choice not to practice religious or secular traditions at all) and further for a fiscally successful, personally fulfilling, and medically uncomplicated onset of the generally accepted calendar year (including, but not limited to, the Christian calendar, but not without due respect for the calendars of choice of other cultures). The preceding wishes are extended without regard to the race, creed, age, physical ability, religious faith or lack thereof, choice of computer platform, or sexual preference of the wishee(s).

THE NIGHT BEFORE CHRISTMAS:

Whereas, on or about the night prior to Christmas, there did occur at a certain improved piece of real property (hereinafter "the House") a general lack of stirring by all creatures therein, including, but not limited to a mouse.

A variety of foot apparel, e.g., stocking, socks, etc., had been affixed by and around the chimney in said House in the hope and/or belief that St. Nick a/k/a/ St. Nicholas a/k/a/ Santa Claus (hereinafter "Claus") would arrive at sometime thereafter. The minor residents, i.e. the children, of the aforementioned House were located in their individual beds and were engaged in nocturnal hallucinations, i.e. dreams, wherein vision of confectionery treats, including, but not limited to, candies, nuts and/or sugar plums, did dance, cavort and otherwise appear in said dreams.

Whereupon the party of the first part (sometimes hereinafter referred to as ("I"), being the joint-owner in fee simple of the House with the party of the second part (hereinafter "Mamma"), and said Mamma had retired for a sustained period of sleep. At such time, the parties were clad in various forms of headgear, e.g., kerchief and cap.

Suddenly, and without prior notice or warning, there did occur upon the unimproved real property adjacent and appurtenant to said House, i.e., the lawn, a certain disruption of unknown nature, cause and/or circumstance. The party of the first part did immediately rush to a window in the House to investigate the cause of such disturbance.

At that time, the party of the first part did observe, with some degree of wonder and/or disbelief, a miniature sleigh (hereinafter "the Vehicle") being pulled and/or drawn very rapidly through the air by approximately eight (8) reindeer. The driver of the Vehicle appeared to be and in fact was, the previously referenced Claus.

Said Claus was providing specific direction, instruction and guidance to the approximately eight (8) reindeer and specifically identified the animal co-conspirators by name: Dasher, Dancer, Prancer, Vixen, Comet, Cupid, Donner and Blitzen (hereinafter "the Deer"). (Upon information and belief, it is further asserted that an additional co- conspirator named "Rudolph" may have been involved.)

The party of the first part witnessed Claus, the Vehicle and the Deer intentionally and willfully trespass upon the roofs of several residences located adjacent to and in the vicinity of the House, and noted that the Vehicle was heavily laden with packages, toys and other items of unknown origin or nature. Suddenly, without prior invitation or permission, either express or implied, the Vehicle arrived at the House, and Claus entered said House via the chimney.

Said Claus was clad in a red fur suit, which was partially covered with residue from the chimney, and he carried a large sack containing a portion of the aforementioned packages, toys, and other unknown items.

He was smoking what appeared to be tobacco in a small pipe in blatant violation of local ordinances and health regulations.

Claus did not speak, but immediately began to fill the stocking of the minor children, which hung adjacent to the chimney, with toys and other small gifts. (Said items did not, however, constitute "gifts" to said minor pursuant to the applicable provisions of the U.S. Tax Code.)

Upon completion of such task, Claus touched the side of his nose and flew, rose and/or ascended up the chimney of the House to the roof where the Vehicle and Deer waited and/or served as "lookouts." Claus immediately departed for an unknown destination.

However, prior to the departure of the Vehicle, Deer and Claus from said House, the party of the first part did hear Claus state and/or exclaim: "Merry Christmas to all and to all a good night!" Or words to that effect.

Thanks to Ralph Ostermueller of fvginternational.com for this legalese.

Having the right tool

Today we fixed the Christmas lights by using a special Christmas light bulb tester.  Without using that tester tool, we probably would not have found the 14 burnt out light bulbs in the string of lights.

A friend of mine got an IRQL NOT LESS OR EQUAL error.  And in the past they've reinstalled the server to fix it.  Well, next time an error like this occurs, don't reinstall, JGAD it!  Just Get A Dump!  Use the right tool and make your life easier!

One update to my “get a dump” post: in order to get a KERNEL dump, do the following [the prior post on Dr. Watson is for application dumps, not kernel dumps]:

Right mouse click on My Computer, then on Properties, then on Advanced, then on Startup and Recovery Settings.

Change “Write debugging information” to “Kernel memory dump” [at least] or go to “Complete memory dump” [really recommended].

So next time you get something like an IRQL NOT LESS OR EQUAL error, “Just get a dump”, JGAD!

The dump file will be located at %SystemRoot%\MEMORY.DMP.  Call PSS and upload it so they can debug it!
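Since the Startup and Recovery dialog just writes registry values, here is an added PowerShell check (my example, not part of the original post or any Microsoft tool) that reads those values back and reports whether a box will actually write a usable kernel or complete dump when it blue-screens. It assumes PowerShell 3.0 or later on Windows and an elevated session; the value-to-name mapping for CrashDumpEnabled is the documented one, with 7 only appearing on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post: audit the kernel crash-dump
# settings behind "Startup and Recovery" so a server is ready to JGAD
# before it needs to. Requires PowerShell 3.0+ and an elevated session.

function Get-CrashDumpReadiness {
    # The GUI stores its choices under this key
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $crash = Get-ItemProperty -Path $key

    # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small (64 KB),
    # 7 automatic (Windows 8 / Server 2012 and later)
    $modes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump';
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
    $mode = [int]$crash.CrashDumpEnabled
    if ($modes.ContainsKey($mode)) { $modeName = $modes[$mode] }
    else                           { $modeName = "Unknown ($mode)" }

    # DumpFile is REG_EXPAND_SZ; default is %SystemRoot%\MEMORY.DMP
    if ($crash.DumpFile) { $dumpRaw = $crash.DumpFile }
    else                 { $dumpRaw = '%SystemRoot%\MEMORY.DMP' }
    $dumpPath = [Environment]::ExpandEnvironmentVariables($dumpRaw)

    # A complete dump needs a pagefile of at least RAM + 1 MB on the boot
    # volume; compare the largest pagefile against physical memory
    $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pageMB = 0
    foreach ($pf in Get-CimInstance Win32_PageFileUsage) {
        if ($pf.AllocatedBaseSize -gt $pageMB) { $pageMB = $pf.AllocatedBaseSize }
    }

    # Is there already a dump waiting to be sent to PSS?
    $existing     = Get-Item -Path $dumpPath -ErrorAction SilentlyContinue
    $existingDate = $null
    if ($existing) { $existingDate = $existing.LastWriteTime }

    [pscustomobject]@{
        DumpMode         = $modeName
        DumpFile         = $dumpPath
        PhysicalRamMB    = $ramMB
        PageFileMB       = $pageMB
        CompleteDumpFits = ($pageMB -ge ($ramMB + 1))
        ExistingDumpDate = $existingDate
        Ready            = ($mode -in 1, 2, 7)   # kernel-level detail or better
    }
}

Get-CrashDumpReadiness | Format-List
```

If Ready is False the box is still set to "None" or "Small" and PSS will have little to work with; if CompleteDumpFits is False, a complete dump will silently fall short and you should grow the boot-volume pagefile before choosing that mode.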

Would ya stop reinstalling and start crash dumping?

Blue Screen of Death and a dump file.  We've all seen them at least once in our lifetimes right?  And so many times in SBSland our reaction to just about any issue is to reinstall. 

Well, stop doing that.  We don't need to.  We've got so many ways to know EXACTLY what is going on in our boxes without just saying “hmmmm... it's sunspots..... or hmmmm....must be just a Bill thing”.

On the server, when your system “dumps” and if you click “send to Microsoft”, they see it and the automagic system may even direct you to a driver fix.  As Dana confirmed, most BSODs are drivers [I would also add that I've heard that malware is also causing a bit of BSODs these days, but you shouldn't [hopefully - remember don't surf at the server] see any of that on a server].

At the server you can type in start, run, drwtsn32 and see what the settings are.

My log file is located at:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Dr Watson

And my crash dump is at

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Dr Watson\user.dmp

And look at that... I've even got some old events in there from December 27, 2003 of last year.  Wonder what those were?

If you need to see what's up, flip that one setting to “Full“.  In fact, I wonder why we can't just leave it as full on a server anyway since it should happen EXTREMELY rarely anyway and when it does you want full details.

Once it “dumps“ call Microsoft Product Support Services and have them look at it rather than knee jerk reinstalling the system [trust me, any fee you pay to have them look at it pales in comparison to the cost of reinstalling a server].

Someone I know would argue that all of us geeks should know how to do basic debugging.  I totally agree. Take some time to review this stuff, but if that starts to make your eyes glaze over, just know that there are tools that the PSS folks can use and just call them to do it.  In fact this is normally one section where you want the “beta“ stuff as they have the latest and greatest debugging stuff in there.

So ...hop to it folks.. start Crash Dumping!

An open letter to the Security Community:

Stop surfing, browsing and using any sort of Internet viewing software.

Seriously.  Right now there are several unpatched browser vulnerabilities and one “blast through the POPup blocker”.  The sky is definitely falling.

And why do we have these unpatched vulnerabilities that are being discussed in detail with no patches?  Because someone believes that it's more responsible to disclose it to the community of folks that then turn it into worms and what not than to responsibly disclose to the vendor and WAIT for an appropriate time for us to test and apply patches. 

  • Nicolas Waisman disclosed a paper on a WINS vulnerability - patch is not yet released
  • eEye, while stating on their web site that they practice “responsible disclosure“, has released technical details about a vulnerability the same day as the patch is released [approximately 12 hours last time] with usually enough technical details to begin the clock ticking.
  • http-equiv-at-excite.com has regularly disclosed before allowing for a patch.
  • Liu Die Yu, in reading his essay on the Microsoft Security Response Center titled “Die slowly this time MSRC explained“, apparently believes that going after the MSRC with verbal abuse is the noble thing to do.

These are just a few of the examples of businesses and individuals that make us more IN-secure out here.

I can hear you now saying “well, if the Evil Empire would only write better code“.  Wake up folks.  In the book Practical Cryptography the authors state that bridge builders have finite threats to deal with.  Gravity, water, weather.  Software coders have an infinite number of threats, including, but not limited to, all of us pesky end users still running as local administrator around here.  [And while some say that it's hard to run in user mode, I would argue that for the vast majority, if it were not for the insecure requirements of the applications we are running, we COULD run in user mode most of the time, as many of us have no need to install software on a recurring basis]

I'm tired of my security, my patching, being influenced by someone not even willing to use their real name. 

I'm tired of security firms that don't sell products in the small business server space that say they are holding Microsoft responsible when all they do is end up hurting my community.

Patches hurt me in my community in two ways.

Firstly they hurt me when I don't know about them.  When all I do is go to Windows update and that's not enough to fully protect me.  [Granted, these days on the Internet, most “gunk” traveling the wire is tuned for XP and 2k and thus even when USAToday stuck us out there with only a strong password to protect us and netbios ports exposed, we stayed up].

Secondly, they hurt me when I apply them and they do harm.  Granted, this is happening less often, but there are still the rare times that they cause issues.  Rare is one time too many for me.

I'm sure there are folks that will tell me I'm kidding myself that the exploit is only coded “after” the patch comes out, that is, it's already been out in the exploit community and the mere release of the patch alone gives the folks out there the opportunity to reverse engineer an exploit.

But folks you are missing something.  Down here, my community is not specifically targeted.  We're road kill.  We get hit with the worms, the blasters, slammers.  We don't get hit with the specifically targeted attacks.  Ryan and Kevin stuck us out there to get hit by a MACK truck.  They weren't specifically hacking us.

So to those folks that think you are being noble, that you are holding Microsoft responsible, that you are making sure they do secure coding?  You hurt me and my community more.

Remember that we don't buy your products.

We don't know who you are down here if you are seeking fame.

We just get affected by what you do.

Remember that.  You hurt us most.

For the record, Opera is patched, Firefox has a workaround, but I'll stick with IE because I can group policy it and I have not heard of these actually being exploited.... yet.

Google desktop is slightly freaking me out

Google desktop is slightly freaking me out....and that's a bit of an understatement.  I'm trying it out here at home just to see what it does and ...well... for me... it's not.  I guess I have an active system because about 28 hours later, it's still only indexed 17,000 items.

Next, I don't know about you, but I find it freaky to google the Internet and get results from “my computer” as well.  I think this experiment is going to be uninstalled for now.

While the Privacy statement says “So that you can easily search your computer, the Google Desktop Search application indexes and stores versions of your files and other computer activity, such as email, chats, and web history. These versions may also be mixed with your Web search results to produce results pages for you that integrate relevant content from your computer and information from the Web.”, and I know after attending the Encase class that index.dat file showcases how intertwined Internet Explorer is with the file structure, I just do not get a warm fuzzy feeling seeing “desktop results” on the top of an external web page.  That so does not give me the “air barrier” feeling that I want and need to be putting this anywhere near a production network.

Yes, I know.

  • Sky is falling.
  • We're all going to be sucked into a worm hole.
  • A meteor could hit us tomorrow.

All of these are probably way more possible than Google even caring about my data [and that's one of the reasons that I always say “yes” to Dr. Watson dumps and what not, because I really do believe that the “Evil Empire” is not getting personal data when I send them a Dr. Watson dump], but this just “feels” a bit more of a line blurred.

If Google desktop was a “Lookout” kind of application, I think I'd feel better.

Okay here's a sample page.  What do you think?  Me it freaks me out.

This week in the communities

The headlines this week for the communities of SBS:

SmallbizIT [the business of SBS listserve] is discussing flat rate versus hourly billing.  Which works for you and your clientele? And then chatting about Harry's upcoming SBS Advanced book.

Mssmallbiz [technical, business and the BEST place for licensing questions] is discussing “Server down support“ and Eric Ligman had an “Understanding licensing for Small Business Customers“ webcast that is now available from the Mssmallbiz.com web site [Click on the live meetings link on the quick launch bar on the left hand side].  Remember too the Small Business Center webcast is coming up on the 14th.

SBS2k [which also covers SBS2k3 - technical] is discussing Remote web workplace, RISing out workstations, does SBS really need WINS and has some great ISA experts in there as well.

Newsgroups are discussing

Smallbizserver.net is discussing Antivirus and backup issues

Nick on the Minasi forum is chatting about Sharepoint, SMTP and external access.

Handy Andy on the MCP forums is talking about roaming profiles and Exchange server.  Don't forget too that Handy Andy will be having a live chat on the 15th.

Harry and SMBnation will be coming to Toronto on January 11th and word is besides Harry a couple of other local SBS MVPs will be in attendance.

Did I forget any SBS Community out here?  If so, let me know.

Oh yeah, one more.

In the Usergroup Leadership listserve [listserve specially formed to help grow and nurture user groups] we've been talking about setting up an Office live meeting.  What?  Don't have an SBS usergroup near you?  How about setting one up?  Next time there's a TS2 event in your neighborhood [or other international venue where SBS installers might congregate], go up to the presenter and ask if you can make a small announcement asking for interest in an SBS consultants group.  Use Yahoogroups for a free listserve to help announce meetings and gather interest.  Meet in an office, a bar, a chamber of commerce, and if you are lucky and live near a Microsoft office, call them up and ask for meeting space there.  But don't let the fact that there isn't a Microsoft sales office near you stop you from starting your OWN localized resource of smart brains.  Start small and grow.  We all win when we realize we're not competing against each other.  Orlando Ayala said there were 300,000 units of SBS sold and as Steverino pointed out WE have a lot of work to do folks selling a heck of a lot more.  There's 22,000,000 small businesses in the United States, Steverino says.  By my count that means we have about 21,700,000 more SBS boxes to install. 

Get crackin' folks.  I want those installed by next Christmas.

:-)

It too started out as a Small Business

I was watching “People in the news” on CNN this morning and it reminded me of a story I love about the start of a small business.  It was a small, rag tag bunch of folks that were street performers in Montreal.  They realized they had something unique, something special, so they gathered what money they had and traveled to a festival in Los Angeles.  If they didn't make it, they'd have to earn their way back home.  They risked it all.

Under 75 people started this business.  73 to be exact in 1984.  This small business realized it had to take a bit of risk and it did.  Now granted this small business did not use computer technology way back then [not many of us did in fact], but they sure do now.  [Needless to say when I've visited one of their locations, I'm just as fascinated by the computerization they rely on now as much as the artists that perform]

So... got an idea of the small business I'm talking about yet?

A firebreather, a stiltwalker and an actor were some of the founders.

Let me give you more clues as to where this “small business” is located today besides its home base in Montreal.

They have permanent shows in Las Vegas.  Touring shows in Quebec City, Toronto, Houston, Austin, Baltimore and Pittsburgh.  They've presented in over 100 cities.  In 2003, 7,000,000 people saw their shows.  Today they employ 2,500 people.  They hire artists from around the world to perform in their shows and entertainment events.

Give up?

Click here and check out what started out as a small business.  Less than 75 people in fact.

The next time you set up that Small Business Server, remember that you too could be helping to put in place the building blocks of the next billion dollar company.

Yes, I said Billion with a “b“.

So the next time you visit one of their permanent shows in Las Vegas, remember that 73 people, a “SBSized“ group of folks started it all. 

How do I remove a computer from being listed in the Remote Web Workplace?

 Add this regkey to exclude certain workstations from showing up on the RWW.

hklm\software\microsoft\SmallBusinessServer\RemoteUserPortal\ExcludeList

The regkey is a string and it consists of a comma delimited list of
computers you want excluded.

Example:
joecomp1,janecomp1,jackcomp1

[courtesy of “Less is More” Connor SBS MVP posting in the SBS community newsgroups]
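The ExcludeList value above is a single comma-delimited string, so a second administrator who just types a new name over it wipes the first one's entries. The script below, an added example and not part of the newsgroup post, treats the value as a set: it reads the existing list, merges or removes names without duplicates, and writes the string back. It assumes an elevated PowerShell session on the SBS 2003 server; the computer names are the constructed ones from the post.

```powershell
# Added example (not from the newsgroup post): manage the Remote Web
# Workplace exclusion list as a set, so repeated runs do not create
# duplicates and removing one name leaves the others intact.
# Assumption: run elevated on the SBS 2003 server.

$rwwKey  = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal'
$rwwName = 'ExcludeList'

function Get-RwwExcludeList {
    $item = Get-ItemProperty -Path $rwwKey -Name $rwwName -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrEmpty($item.$rwwName)) { return @() }
    # The value is a comma-delimited list; trim spaces and drop empty entries.
    return @($item.$rwwName -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Set-RwwExcludeList {
    param([string[]]$Computers)
    # Computer names are not case-sensitive, and Sort-Object -Unique is
    # case-insensitive by default, so JOECOMP1 and joecomp1 collapse to one.
    $unique = @($Computers | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    if (-not (Test-Path $rwwKey)) { New-Item -Path $rwwKey -Force | Out-Null }
    Set-ItemProperty -Path $rwwKey -Name $rwwName -Value ($unique -join ',') -Type String
    return $unique
}

function Add-RwwExcludedComputer {
    param([Parameter(Mandatory=$true)][string[]]$Name)
    Set-RwwExcludeList -Computers ((Get-RwwExcludeList) + $Name)
}

function Remove-RwwExcludedComputer {
    param([Parameter(Mandatory=$true)][string[]]$Name)
    $keep = Get-RwwExcludeList | Where-Object { $Name -notcontains $_ }
    Set-RwwExcludeList -Computers $keep
}

# Usage (names constructed from the post):
# Add-RwwExcludedComputer -Name joecomp1, janecomp1, jackcomp1
# Remove-RwwExcludedComputer -Name janecomp1
# Get-RwwExcludeList
```

Excluding a workstation from the RWW list only hides it from the portal page; it is a tidiness and exposure-reduction measure, not an access control, so the remote access permissions on the workstation and the user's group membership still decide who can connect.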

Jargon anyone?

Sometimes you forget the jargon that you use in a certain industry.  I was telling someone that SBS 2003 from the install disks is about a year old as it RTM'd in September/October. 

RTM... you know... RTM?  Release to Manufacturing.  It's the point in time when the product team brings all their hard effort to its final fruition and that is the final “baked” version that gets pressed on all the cdroms.  That's what RTM means. 

So what about other tech jargon?

If you want to have a little fun for a Friday night [okay I really DO need a life] Click here and leave the search box blank.

Well, we at least have 5 more minutes now

Dean posted about an article that quoted Orlando Ayala:

“The Small Business Server is a case in point. "That product has been on the market for six, seven years," he said, "and we finally got it right. It is successful now because we simplified things, we reduced installation time to about 20 minutes -- it went from a day to almost plug-and run."

Yo, Orlando, sweetie, dahling.  Patching?  Did we forget to patch this little guy after you plugged and run'd it?

Gavin's post points out what we already know out here.  It's a pain in the butt to patch these guys up to where they should be.

Shavlik “isn't enough“

Our patch page is missing the ISA patch, and sorry some of those “recommended updates“ I would consider a bit more important.

Heck we even have a Trend patch to track down [if using POP]

I'll be chatting about Patch management in the future in fact [both on an upcoming webcast and in print - stay tuned for details]

So Orlando, thanks for giving us 5 more minutes to set up a network, but you are missing patching and totally misleading clientele into not realizing that there are these pesky things called workstations that also have to be dealt with.

Man I must have majorly screwed up because my network install took a bit longer than 15 or 20 minutes, that's for sure.

P.S.  I'm sure that Mr. Ayala knows and was talking about the OEM install to the base system, but I still say that it's a bad message to put out in the marketplace for customers.  It sets the expectations that installing a network should be nothing more than “just” the server, when you still have all the workstations to connect.  My network is my server AND my workstations.  After that initial install is done, my work is “just” starting.

Wonder how many people read that manual?

Did everyone find it fitting that the end of this year also meant the end of something else?  The business press has been reporting that IBM has sold its PC business.

I still remember my sister's second computer [notice I said second, not first].  IBM 8088.  Two floppy drives, no hard disks, green screen and a keyboard that weighed a ton.  Networking back then was sneakernet only.  Your operating system and your spreadsheet fit on one floppy disk.  She spent $3,000 on it.  IBM used the Charlie Chaplin character “The little tramp” in its advertising and the documentation was [if I remember right] in a beige book and a pink book.  I think the pink book was the DOS instruction manual.  

She still has the computer.  It's out in the storage at our parents' house.  I think it still boots up... it did the last time we checked. 

The first computer at our office was an IBM AT computer...you know the one with the hard drive...the more expensive one.  We had everyone using that one computer.  When I think back to how one firm shared one personal computer to where we are now.  My goodness we've changed a lot haven't we?

I still remember my first oh #$#@ tech event.  I was attempting to delete a directory and instead deleted the root directory.  Oh yeah... One of my finer blonde moments.  Fortunately I had an undelete program on there and went through and “un”-deleted what I stupidly deleted.

We've come a long way haven't we?

P.S.  In full disclosure I really don't remember reading either one of the manuals.  Hmmmm... the lack of reading documentation started even back then, I guess.

So "that's" what he looks like!

I trust people that I've never met. 

Weird statement, isn't it?  But it's true.  Life on the internet is funny.  There are people that you have email and IM conversations with and have never met before.  Dana Epp is one of those people that I trust.  But you know what, never met the guy.  Just in fact seen what he looks like...well ...sort of, anyway.  It's a bit of a dark photo but I recognize the Acer Tablet PC so that's gotta be him.  

There's a quote in something I read today from “Business is a Calling” by Michael Novak:

"It's becoming clearer every day that one person's work is naturally interrelated with the work of others"

And the funny part is you don't necessarily have to meet them initially face to face.  Office Live meeting, phone calls, VOIP, IM, email, think of all the ways we can connect and not necessarily have the physical meeting.  Granted, there is a higher communication level when there's a face to face, but sometimes it makes the face to face meetings all that more effective when you've built up a communication level without it first.

I still remember fondly the very first MVP summit I went to.  Didn't know anyone and yet there was an IMMEDIATE spark of communication because I had been emailing with this group for about a year in advance.  Even at the recent Security MVP summit I went to, again, the communication level was above the normal for people just meeting face to face for the first time.

I was chatting earlier today with a fellow MVP who has never gone before.  I'm hoping that he too can experience what I've felt.  The “kick” of communicating at a higher level with people you've never met before.

It's cool.

Uh..Walt..nice but tell me how to run "my" business apps on that APPLE will ya?

The Microsoft Monitor blog today points to the Walt Mossberg article where he takes Microsoft to task for not making computers more secure and easier to secure.  While he has some valid points, the fact that he recommends an APPLE MAC makes it a bit obvious that he's a person who can work in the MAC enabled world of journalism.  Sorry Walt, MACs are not easy to use for this tired brain of mine; I think it's just what you are used to.

The link to Walt's story will be active for a week.  Read it and see what you think.

While I agree that computers need to be more easily secured, as just last night I had a chat with my hairdresser and when I asked “do you have a firewall, is your antivirus up to date” I got a bit of a blank look, I think the issue can also be traced back to the computer vendors.  They sold us on the idea that computers are “toasters” and they are not.  They've color coded the plugs on the back but NOWHERE do they include a “how to do safe computing“ manual in any of their installation documents.  Where's the information on phishing?  On how to BUY the subscription to the -- in 90 days this will expire -- antivirus that's installed on the computer?  Is it because as an industry we don't read manuals?  Or is it that we consider computers like “toasters“ that shouldn't need any maintenance?

Walt, only 5% of the world's population run MACs.... if you are a virus writer would you want to write one for Windows with 90% of the marketplace or 5%?  Come on.  And as far as releasing patches faster?  I would hope so, MAC has had some doozies.  AND again, at only 5%, with fewer applications, testing those patches is hardly a big thing.

No Walt, until MACs run Lacerte, and CCH, and time and billing, and tax planning, and ..... you get the idea.... sorry but you might be able to run a newspaper on that MAC, but not an accounting office.  Not this one anyway.

So to agree with Eriq - can you run a business on a MAC, yes you can... just not “this“ business.  Walt needs to realize that it's the applications that drive the platform, not the other way around.

 

5 Security bulletins next Tuesday with a Max rating of Important


Title: December 2004 Microsoft Security Response Center Bulletin Notification
Issued: December 09, 2004


Summary
=======

As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of security updates being released and the products affected. This is intended to help our customers plan for the deployment of these security updates more effectively. The goal is to provide our Premier customers with information on soon-to-be released security updates.

On 14 December 2004 the Microsoft Security Response Center is planning to release:

- 5 Microsoft Security Bulletins affecting Microsoft Windows. The greatest maximum severity rating for these security updates is Important. Some of these security updates may require a restart.

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 14 December 2004.

SBS KBs of Interest

E-mail messages that contain a virus remain in the SMTP local delivery queue after you configure Intelligent Message Filter in Exchange Server 2003:
http://support.microsoft.com/?kbid=883522
You receive an error message in Outlook Web Access when you try to save a rule that moves or copies items to a target folder:
http://support.microsoft.com/?kbid=887976
The number of client access licenses may be reset to five in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=888818
Web sites are not published successfully when you run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003, Premium Edition:
http://support.microsoft.com/?kbid=888854
Your USB 2.0 printer is slow to print in Windows Server 2003:
http://support.microsoft.com/?kbid=887536
User authentication may take two minutes when you log on to the network in Windows XP:
http://support.microsoft.com/?kbid=884862

Trend Micro, and the HOT FIX for our SBS 2003 POP issue

Thanks Anne from Trend Micro for getting us the hotfix link that we SBSers need for the issue we've been having with the POP3 connector:

http://kb.trendmicro.com/solutions/search/main/search/SolutionDetail.asp?SolutionID=23065

+1 (888) 608-1009  (Mon – Fri 5 a.m. – 5 p.m. U.S. Pacific Time) - US

Other countries click here

1. Overview of This Hot Fix Release
========================================================================
   When "SmexDelMail.dll" is registered, and email notification for SBS
   Health Monitor is enabled, then email messages downloaded using the
   POP3 Connector are not delivered correctly. The mails get stuck in
   the "Messages Pending Submission" SMTP queue.

   "SmexDelMail.dll" is the module for Outbound Message Filtering.


   1.1 Files Included in This Release
   ======================================================================
   Module Filename                 Build No.
   SmexMa.exe                      1127
   SmexDelMail.dll                 1127


2. What's New
========================================================================
   Hotfix B1127 ensures that messages downloaded using the POP3 Connector
   will not queue up even if "SmexDelMail.dll" and email notification for
   Health Monitor are both enabled.


3. Documentation Set
========================================================================

   o Readme.txt -- basic installation, known issues,
   
   Electronic versions of the printed manuals are available at:
     http://www.trendmicro.com/download


4. System Requirements
========================================================================
   No special requirements for installing this hot fix.


5. Installation
========================================================================
   This hotfix will automatically restart the following services -

   ScanMail_MailAction
   Stopping ScanMail_Web
   ScanMail_RealTimeScan
   ScanMail_Monitor
   IMAP4 Service
   Connector for POP3 Service
   Information Store Service
   MTA Stacks Service
   POP3 Service
   Routing Engine Service
   NNTP Service
   SMTP Service
   World Wide Web Publishing Service
   HTTP SSL
   IIS Admin Service

   NOTE : When the problem occurs, the SMTP service may become unresponsive
   to a stop command. This will cause the hot fix installation to fail.
   Should this happen, please execute the "IISReset" command first to
   manually restart the IIS Admin Service and all the related services. This
   will also clear up the queue. The hotfix installation can be executed again
   after running "IISReset".

   5.1 Installation on a Single Server
   =====================================================================
   1) Copy "SMEX621_WIN_EN_HFB1127.exe" to any location on the ScanMail
      for Microsoft Exchange server.
  
   2) Using Microsoft Windows Explorer locate "SMEX621_WIN_EN_HFB1127.exe",
      and then double-click it. The message "Installation successful!" appears
      after the installation is complete.

   3) Verify that the build number of SmexMa.exe and SmexDelMail.dll is 1127:
      i.   Navigate to the SMEX folder
           (i.e. :\Program Files\Trend\SMEX).
      ii.  Right click the file.
      iii. Click Properties.
      iv.  Click the Versions tab.
      v.   Under Item name, select Special Build Description. 1127
           displays in the Value field.     

   NOTE : When the problem occurs, IIS Admin Service may become unresponsive
   to a stop command. This will cause the hot fix installation to fail.
   Should this happen, please execute "IISReset" first to manually restart
   the IIS Admin Service and to clear the queue. The hotfix installation
   can be executed again.

   5.2 Installation using the Deploy Tool
   ======================================================================
   1) Copy "_SMEX621_WIN_EN_HFB1127.exe" to the Data folder in the Deploy
      Tool package.

   2) Replace the old package.ini in the Deploy Tool folder with the new
      package.ini file included with the hot fix.

   3) Run Setup.exe. The License Agreement appears; agree to the license
      conditions to proceed with Setup. Click Next to proceed.
     
   4) Select the server name(s) where you want to deploy the hot fix.
      Use the Add, Remove and Remove All buttons to add and remove servers
      from the target list. When you are satisfied with the list of target
      servers, click Next to save your modifications and proceed. The server
      logon screen appears.
 
   5) When asked for a username and password, specify a Domain Administrator
      account with "Logon as a Service" privilege on the target server. Click
      Logon to proceed.

      Note: To verify privileges, go the Security Policy Console ->
            Security Settings -> Local Policies -> User Rights Assignment ->
            "Logon as a service" policy.
   
   6) After logging on successfully, the deploy tool will copy the hot fix
      to the target server and will execute the file.

   7) An installation status of "Done!" displays when the remote deployment
      is complete.

   5.3 Rollback Procedure
   =====================================================================
   To roll back to the previous build using the backed-up files:
  
   1) Stop IIS Admin service and all Exchange related services.
  
   2) Stop the ScanMail for Exchange services.
      i.  Click Start > Programs > Administrative Tools > Services to
          open the Services screen.
      ii. Right-click , and then click Stop.
  
   3) Rename SmexMa.exe and SmexDelMail.dll for the current build:
      i.   Using Windows Explorer, locate the ScanMail home directory:
           :\Program Files\Trend\SMEX.
      ii.  Rename SmexMa.exe to _SmexMa.exe and SmexDelMail.dll to
           _SmexDelMail.dll.

   4) Copy SmexMa.exe and SmexDelMail.dll from the previous build to the
      folder for the current build:
      i.    Using Windows Explorer, locate the hotfix back-up directory:
            :\Program Files\Trend\SMEX\Hotfix\0003.
      ii.   Copy SmexMa.exe and SmexDelMail.dll from the back-up directory
            to the ScanMail home directory.

   5) Start IIS Admin service and all Exchange related services.

   6) Start the ScanMail for Exchange services:
      i.  Click Start > Programs > Administrative Tools > Services to
          open the Services screen.
      ii. Right-click , and then click Restart.


Note: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro Web site. Register during installation, or online at:

http://olr.trendmicro.com/


6. Post-Installation Configuration
========================================================================
   No post-installation steps required.

Note: Trend Micro recommends that you update your scan engine and 
virus pattern files immediately after installing the product.


7. Known Issues
========================================================================
   There are no known issues for this hot fix release.
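Step 3 of the readme has you open the Properties dialog of each file to confirm the build. Below is an added example, not part of the Trend Micro readme, that makes the same check scriptable so it can run on every server after the Deploy Tool finishes. It assumes ScanMail lives under $env:ProgramFiles\Trend\SMEX (the readme omits the drive letter) and that the build string is carried in the file's "Special Build" version resource, which is what the readme's "Special Build Description" item shows.

```powershell
# Added example (not from the Trend Micro readme): verify that both hotfix
# files report build 1127 instead of checking each Properties dialog by hand.
# Assumptions: ScanMail installed under $env:ProgramFiles\Trend\SMEX; the
# build number is stored in the SpecialBuild version resource, as step 3
# of the readme describes.

param(
    [string]$SmexFolder    = (Join-Path $env:ProgramFiles 'Trend\SMEX'),
    [string]$ExpectedBuild = '1127'
)

function Test-SmexHotfixBuild {
    param([string]$Folder, [string]$Expected)
    $results = foreach ($file in 'SmexMa.exe', 'SmexDelMail.dll') {
        $path = Join-Path $Folder $file
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $file; FileVersion = $null; SpecialBuild = $null; Ok = $false; Note = 'file missing' }
            continue
        }
        $vi    = (Get-Item $path).VersionInfo
        $build = $vi.SpecialBuild
        $ok    = ($build -eq $Expected)
        $note  = if ($ok) { 'hotfix applied' } else { 'build mismatch' }
        [pscustomobject]@{
            File         = $file
            FileVersion  = $vi.FileVersion
            SpecialBuild = $build
            Ok           = $ok
            Note         = $note
        }
    }
    return $results
}

$check = Test-SmexHotfixBuild -Folder $SmexFolder -Expected $ExpectedBuild
$check | Format-Table File, FileVersion, SpecialBuild, Ok, Note -AutoSize

# Non-zero exit so a scripted rollout can flag servers where the hotfix did
# not take (for example because the SMTP service refused to stop, as the
# readme's NOTE describes).
if ($check | Where-Object { -not $_.Ok }) { exit 1 }
```

If the check fails on a server, the readme's own advice applies: run IISReset, then re-run the hotfix installer and check again.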

Life without Microsoft

The other part of last night's Tech user group meeting was a presentation on the topic of “Life without Microsoft”.  The presentation was very interesting but there was one comment that always puzzles me.

It's free

Well, I guess I'm a dumb beancounter because to me, nothing is free.  It's still my time and energy to set things up.  I set up my firm's network all by myself and while the firm didn't have to pay an outside consultant to set it up, the fact that it took me the weekend before to pre-set up the accounts, to the fact that I was in the office during Thanksgiving weekend, to the fact that I was at the office last Saturday night setting up Live Communication Server 2003, while the office may consider my labor cost “free”, I certainly don't quite consider it in the same light.

But here are some of the tools that the organization used:

Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases (ACID):
http://acidlab.sourceforge.net/

Intrusion detection - Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html

Nmap - Free Security Scanner For Network Exploration & Security Audits.:
http://www.insecure.org/nmap/

ClamAV: Project News:
http://www.clamav.net/

Now there's one concern I have with this approach... I see a lot of good tools here but a great deal of attention to the servers.  There's no tools here to control the desktops, ensure enforcement of group policy, ensure that workstations are up to date and patched. 

I, for one, am looking forward to Network Access Protection.  I've shut off NoLMHash values, I have group policy controlling internal firewalls on my workstations, I have a patch management solution.

I know that this firm doesn't strip off the attachments it should, I know they don't patch workstations like they should [I know someone who works there], so while they may be doing a great, kewl job with using Linux for backend services like DNS, DHCP and Radius, I know that sometimes it's not the servers that are the risk factors that we need to worry about, it's the desktops as well.

There's a recent post on the MS download site that sums up risk analysis of a network:

Risk Assessment

Before conducting any Attack and Penetration Testing, it is important to understand and prioritize the risks. Highest risk targets should be assessed first; the lowest should be assessed last.

At Microsoft, a separate Risk Assessment team is charged with identifying and prioritizing targets for the Attack and Penetration Testing team.

Risks should be assessed based on several dimensions, including:

  • How critical or valuable is the data? For example, the core intellectual property assets of the company, Human Resources data, and personally identifiable data such as credit cards and social security numbers should be assessed as critical.
  • What exposure does a target have? For example, how is it connected to the network?  What users can connect to hosts containing the data?
  • What is the potential for damage? For example, how much would it cost the company if a particular host were broken into, or brought offline?
  • For known vulnerabilities associated with a technology, are exploits available? Is it easy for an attacker to exploit a vulnerability? Could a worm or a virus be developed to exploit the vulnerability?
  • What are the legal constraints? For example, what applications contain data that are required to comply with regulations such as HIPAA, Sarbanes-Oxley, or California SB 1386? [a]

The Risk Assessment team uses these criteria, and others, to determine the overall risk for a particular target, and prioritizes it for Attack and Penetration testing.

To minimize overall risk, testing only the critical targets is not enough. Sampling of all targets on the corporate network should be done at some point, even for low value targets. For example, a successful exploit of a low value host could expose a higher value application to a more damaging attack.

[a] and now AB1950 as well

I would argue that we should look at the ENTIRE network, including the desktops.  If you don't control your desktops, you aren't managing all of your risks.  And for now, and I predict for a long time, that means you live with Microsoft and you learn better ways to control them.

So my Sharepoint hired a few employees

I got Live Communications Server 2003 set up in my office and noticed that when I opened Sharepoint it had “hired” a few people.  I had “Admin template”, “Mobile user template”, and “Power users template” as “contacts” inside of Sharepoint.  Knowing that this would freak out my end users [“who are these people?”], I asked around if there was a way to remove these.

Chad, who is the Sharepoint power user around here, said to:

Open your companyweb | Site Settings | Manage Users.  Check the templates and then 'Remove Selected Users'.

Also Chad pointed out...

The Domain Power Users security group is a member of the Sharepoint Administrators group by default.  So if you have any Domain Power Users running around, they'll still have full access to your companyweb site even if you remove them from the user list within the site . . .

Remember too the BEST Sharepoint integration is with Office 2003.. you might have to “rig” up some stuff with other Office versions:

Windows SharePoint Services FAQ - Can I simulate "Edit in" functionality using...:
http://wss.collutions.com/Lists/FAQ/DispForm.aspx?ID=308

 

Upcoming Webcasts for December

I was reading the MSDN webcast blog and they have a monthly calendar of webcasts.

Kewl!  I'll be checking out both the Small Business one and [of course] the Security ones.  I normally throw them up on my second monitor and listen to them [sort of like a geek version of radio, if you will]

 

MSDN Webcasts

MSDN Architecture Webcasts

TechNet Webcast Calendar

Security Webcast Calendar

Microsoft Executive Circle Webcast Calendar

Microsoft Business Solutions Webcast Calendar

Microsoft Office System Webcast Calendar

Small Business Webcast Calendar

Ray-Ism: Are you getting prompted for username and password when you connect to http://localhost/backup and http://localhost/remote?

Are you getting prompted for a username and password when you connect to http://localhost/backup and http://localhost/remote?

This one may help:

Add the Local Service and Network Service accounts Read & Execute, List Folder Contents, and Read permissions to %windir%\Microsoft.NET\Framework\v1.1.4322

Add the Local Service and Network Service accounts Full Control permission to %windir%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files

This will allow the Backup and Monitoring folders under the "Temporary ASP.NET Files" folder to have full control for Local Service and Network Service.  Note that it is only the temporary compilation folder that gets Full Control; the Framework folder itself stays read-only for the two service accounts.

The Ray-ISM category is dedicated to Ray Fong who suffered through teaching a bunch of unruly SBS MVPs in Charlotte.

Ray-Ism: Default permissions for User Folders in Small Business Server 2003

So you screwed up the default permissions on your user folders?  Here are the defaults:

Users Shared Folders:

Folder Name: Users Shared Folders
Share Name: Users

Sharing Permissions

  • Domain Admins - Full Control
  • Domain Users - Full Control
  • SBS Folder Operators - Full Control

NTFS Permissions

  • Domain Admins - Full Control
  • Domain Users - Special (Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Folders/Append Data, Read Permissions)
  • SBS Folder Operators - Full Control
  • System - Full Control

Remember the effective permission is the more restrictive of the share and NTFS entries, so it is that NTFS “Special” entry, not the Full Control on the share, that keeps Domain Users down to creating their own folder.
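Both Ray-Isms above are NTFS permission changes, so here is the same work as a script, added here as an example and not something from Ray or the original post.  It grants Local Service and Network Service the rights on the .NET 1.1 folders from the first Ray-Ism, and puts the Users share back to the defaults listed above.  Assumptions, none of which are stated on the page: the script runs elevated on the SBS box, the share is at C:\Users Shared Folders (the SBS 2003 default path), the SBS domain's NetBIOS name is in $env:USERDOMAIN, and the Domain Users “Special” entry applies to this folder only (that is what lets each user create a folder of their own without reading anyone else's).

```powershell
# Added example, not from the original post or from Ray: the two Ray-Ism
# permission fixes above, scripted with Get-Acl/Set-Acl.
# Assumptions (not on the page): run elevated on the SBS box; the "Users"
# share is at C:\Users Shared Folders; $env:USERDOMAIN is the SBS domain's
# NetBIOS name; the Domain Users "Special" entry is for this folder only.

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

# Build one Allow ACE.  By default it inherits to subfolders and files,
# like the Security tab's "This folder, subfolders and files".
function New-AllowAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Add an ACE to a folder and write the ACL back.
function Add-FolderAce {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Ace)
    Set-Acl -Path $Path -AclObject $acl
}

# Ray-Ism 1: the /backup and /remote logon prompt.  ReadAndExecute already
# contains Read and List Folder Contents, so one ACE covers all three.
function Grant-AspNetTempAccess {
    param([string]$Framework = (Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322'))
    $tempFiles = Join-Path $Framework 'Temporary ASP.NET Files'
    foreach ($svc in 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE') {
        Add-FolderAce -Path $Framework -Ace (New-AllowAce $svc 'ReadAndExecute')
        Add-FolderAce -Path $tempFiles -Ace (New-AllowAce $svc 'FullControl')
    }
}

# Ray-Ism 2: put the Users Shared Folders NTFS ACL back to the SBS defaults.
function Reset-UsersFolderAcl {
    param(
        [string]$Path   = 'C:\Users Shared Folders',
        [string]$Domain = $env:USERDOMAIN
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the drive root and drop every explicit ACE, so
    # only the defaults added below remain on this folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }
    $acl.AddAccessRule((New-AllowAce "$Domain\Domain Admins"        'FullControl'))
    $acl.AddAccessRule((New-AllowAce "$Domain\SBS Folder Operators" 'FullControl'))
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'          'FullControl'))
    # The "Special" entry: Traverse Folder/Execute File, List Folder/Read Data,
    # Read Attributes, Read Extended Attributes, Create Folders/Append Data,
    # Read Permissions.  Users can make their own folder but not read others'.
    $special = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions'
    $acl.AddAccessRule((New-AllowAce "$Domain\Domain Users" $special -ThisFolderOnly))
    Set-Acl -Path $Path -AclObject $acl
}

# Look before you leap, then apply both fixes and look again.
Get-Acl -Path 'C:\Users Shared Folders' | Format-List Path, AccessToString
Grant-AspNetTempAccess
Reset-UsersFolderAcl
Get-Acl -Path 'C:\Users Shared Folders' | Format-List Path, AccessToString
```

Keep the first Get-Acl output before you run the rest.  Reset-UsersFolderAcl replaces the whole ACL on the top folder only, so the per-user subfolders keep whatever the SBS wizards gave them, and if your install had anything extra on the top folder you will want to add it back by hand.  The share permissions are not touched.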


He's just about to come right side up again

Well you guys missed it.  The “Down Unda” Lycra Tour of Wayne Small, Dean Calvert and Jeff Middleton is coming to an end and Jeff is getting on a plane tomorrow to arrive tomorrow [you see Australia is a day ahead and you get on a plane “date wise” tomorrow and arrive within about 30 minutes of the “date” you left.  Kinda funny].

While he was there he utilized VOIP to stay in touch with his clientele in the Southern US.  He and I were chatting earlier that he's planning to type up a “how I spent my time remotely away from my clients, upside down AND 12 hours opposite time zone” and put it on his web site.  He found the VOIP to work very nicely.

The Small Business Trends blog talks about the VOIP trend for small businesses in one of their latest blog entries.

So I went to a Computer "user" group meeting last night

Last night I went to a Fresno user group meeting.  I couldn't make last month's as I was up in Redmond for the Security MVP summit, so this was my first meeting.  The event had a vendor sponsor, Xiotech Corp, which had an interesting presentation on SAN storage, and Pat Zielinski had a technical talk about how they are moving towards a “tiered” storage structure.  I was thinking of Anne during the presentation as the “tiers” started at the low end using SATA drives, then SCSI, then fibre channel and ended up at the top with solid state storage.  Anne used to work for a solid state storage company.  Me being the wacko, I asked if there was a process to totally “overwrite” as the SAN was used and reused, for privacy purposes and forensics and what not.  [Yes, there is a way to automagically do this.]  They also had Justin Kauffman there and I just had to laugh a bit as, in typical sales fashion, he walked around the room shaking hands saying “Hi, I'm Justin”, which reminded me of the Tim Matheson character in Animal House who kept saying “Hi, I'm Eric Stratton...... I'm the Rush chairman.  Damn glad to meet you”.

One interesting part of the presentation was that he kept his sales talk VERY short.  In fact he turned most of it over to the greatest salesman he had in the room.... a customer.

That customer gave a testimonial on how they had another SAN storage product and over the Christmas holidays a couple of years ago the SAN died and they tried to get service and support and the company was closed over the holidays.  They made the decision then and there to find a company that could provide SUPPORT.  He said that the Xiotech's responsiveness was superb and he could not say enough good things about them.

Hmmm.... see a pattern here?  If you depend on something.... support is key to a decision a business owner makes.

Understanding Small Business Licensing for Microsoft Customers

In case you or your Small Business customers have not registered for
this yet and are interested in attending, the session is THURSDAY

Thursday December 9th at 11:30 am Central Time U.S. (Chicago, Illinois
time as reference).  You and your customers still have time to register
today :
  
 
Thursday December 9, 2004
11:30 am - 1:30 pm  Central Time U.S. (9:30 am - 11:30 am PST) 
Event Location: Register here:

Notes:
Your customers should consider this a MUST ATTEND event if:

1) They have between 2 and 200 PCs.
2) They want to know the real differences between OEM, Retail, and
Volume License software and which is right for their company.
3) They want to understand the differences between Open Business and
Open Value and when to use each.
4) They want to learn what Software Assurance REALLY is and how to get
the most from it
5) To learn about current rebates, promotions, and tools they can use to
save money on their Microsoft purchases today
6) They want to learn how to get the most from their investments in
Microsoft technology for the least amount of money

This event is most relevant for U.S. based companies that have between 2
and 250 PCs.
Presented By: Eric Ligman - Business Development Manager, Microsoft U.S.
Central Region Small Business Team	

Patience...all good things come to those who wait

Windows Server 2003 SP1 just hit release candidate status, which means we are getting closer to our SBS 2003 SP1 bundle.  Remember, SBS 2003 SP1 WILL include ISA 2004 for the Premium folks, with our SBS wizards specially tuned just for us.  Jeff at TechsoEasy the other day pointed out in a blog comment that while we “could” run all of the install/configurations of the “Connect to the Internet Wizard” [known in SBSland as the CEICW] you would be quite daft if you would

As he pointed out, there are 506 lines of instructions that the wizard goes through as it configures.  Now mind you, if the testing folks on the USA Today honeypot had either done all 506 lines manually, or just run the dang wizard, or merely read any of the documentation for this little guy, they would have tested the SBS box in a “real” production setting and not a bogus honeypot test, but I probably need to back off on the Mountain Dew so I can calm down over that article.

As we get closer to the SBS 2k3 SP1 beta, let me remind you of how important feedback is.  Granted I'm a bit of a nutcase to track down authors that I consider to be putting out bad information, but if you are anywhere and see incorrect information, stuff that just doesn't make sense, stuff that needs clarifying, just say so.  Send an email.  Speak up.  A little email goes a long way.

Remember too the SP will be shipping/media costs.

An open letter to Steve Ballmer:

Mr. Ballmer:

My name is Susan Bradley and I'm a Small Business Server MVP.

This is my open letter to you:

A while back in the blogosphere there was a blog post that [per reports] made a lot of impact on Microsoft.  It was a post on how Microsoft lost the API wars by breaking backwards compatibility and focusing on web applications.  The infamous Joel on Software post was discussed and even nominated as one of the top essays on software for the year.  There’s another trend out there in the tech world that disturbs me even more than APIs and web applications.

In general, in my view there are three things that impact Microsoft:

Security.

Licensing.

Product Support.

I’m putting you, Mr. Ballmer, on notice that I’m going to be very carefully monitoring one of those three.  I sincerely hope you are not making a grave short term mistake that will have huge long term consequences, more than you realize.

Security is still a big public relations nightmare.  Even though I believe that any operating system can be made secure, and you have employees of your firm practically living out of a suitcase trying to get CIOs, admins and techs to realize this, that’s a long term problem still being worked out.  But for the most part, all in all, I’ve seen the changes that the Security push has made and am quite pleased.  I think we're on the right path.  Sure, we’re still fighting over features versus security, but we’ll be doing that until our dying day.

Licensing and simplicity in the Microsoft world is an oxymoron.  I can’t tell you how many times I and my fellow Most Valuable Professionals have brought up, even as high as to you at the Microsoft MVP summit last April, that licensing “sucks”, and the attitude we constantly get back is that they’ve tried to make it flexible.  It’s not flexible; it’s complicated and confusing and you practically need a team of attorneys to figure it out.  When 32 SBS MVPs have long threaded email discussions over the interpretation of what a DEVICE CAL is all about, sir, you’ve got a problem.  The Small Business Server platform in particular is “supposed” to be easy and simple, and I’m sure I’ve got a few grey hairs under this hair coloring I apply every now and then that are directly caused by me trying to track down correct information for Software Assurance.  To top it off, when we’ve had to go up the ladder to clarify licensing and then go back to local Product Managers because THEY were giving incorrect information about licensing, sorry, but you have a problem.

And now we come to the reason for this blog post in the first place.

Support.  In my mind it’s the ONE thing, absolutely positively, that Microsoft has over any other platform, over any other operating system out there.  Support.  You’ve supported me.  I could be guaranteed that if I called in and specified “SBS” there would be a person on the other end of the phone call that was an SBS expert, might even have it installed at home, and might even have been around the product longer than I have been.  As has been discussed on other blogs, the beancounters at Microsoft apparently have been looking around to cut costs, and one area that is now on the block to chop is support.

I just heard that starting next year, front line support for the Small Business Server platform [the first call] will be in India.  Now before you think that this is about nationalism and loss of jobs or anything, it’s not.  I’ve heard that the folks that used to be SBS product support team members in Charlotte will just be moving around to other areas and Mothership Las Colinas will be our main escalation “home base”.  [The term “Mothership” is an affectionate term that I use that refers to the places in the world where the technical support staff that live and breathe SBS work out of.]

While we will still have “Mothership Las Colinas” and “Mothership Shanghai”, we will no longer have “Mothership Charlotte”.  It’s not a concern about where SBS will be supported; it’s a concern about the loss of history with the product, a loss of team members, a loss of connections to the community out here.  Now to give credit where credit is due, we’ve expressed our concern and those folks in Microsoft that understand how special the SBS community is are ensuring that connections and ties are put back in place.  But it still concerns me that the first call will be to a person who might not have the depth of history with this product that I do.  I’ve lived and breathed an SBS box since SBS 4.0 in 1999.  I have a network at the office and one at home.  I have a Virtual PC version on my laptop.  I know when this system sneezes and catches a cold.  I know when Security Patches hurt us and when they don’t.  I know what works and what doesn’t work on this box.

Already we’ve seen erosion in the support surrounding the SBS platform.  We used to get 2 free calls on the SBS 2000 platform; now on SBS 2003 we have guaranteed newsgroup response.  Even then, some folks have indicated that they are not getting the guaranteed response that they thought they would.  Me, I’m just a volunteer in the newsgroups and it’s not my job, it’s just a hobby.  Granted, an addictive hobby, as addictive as blogging, but I do it out of passion for the platform, for this community.

I’m always amazed at the attitude towards product support I see elsewhere [and sometimes with large firms with Premier contracts]: that support is not good and sometimes useless.  I’ve never felt that way about the support that the Small Business Server platform has received.  SBS product support rocks.  In fact the folks that first coined the phrase “SBS Rocks” were Product Support Services in Charlotte [at least that’s my understanding].

Funny thing, though, this is only a USA phenomenon.  In fact outsourcing of support has been going on overseas for some time, and my fellow MVPs from the international arena were actually quite pleased to see that your firm is finally outsourcing US support, because they hope that once we in the United States have as lousy support as they have had to suffer through, perhaps, finally, the overall quality of support will be universal… that is, we will ALL have lousy support.  Perhaps only then will the problem of support at a level and quality that is appropriate throughout the world be addressed with a long term systemic plan of action.

I wouldn’t call myself a Microsoft partner, but your support policies impact a lot of Microsoft Partners out here.  The ones that sell your products.  Your Small Business Server boxes.  Your real sales staff members.  I will say that I’m a wacko end user who only wants what’s best for SBS and the customers of SBS.  I always have, since the first day I went searching for help and guidance and found the SBS communities and used the SBS support. http://www.microsoft.com/windowsserver2003/sbs/support/default.mspx

There’s a scene in the Goldie Hawn movie “Protocol” where she’s testifying in front of the Senate and she tells the Senators… the gist of it is… that it’s her fault that the events of the movie happened… that there is no such thing as a free ride… that it was up to her to make sure that they, the Senators and others in the Government, were doing their jobs.  Her character in the movie said “I’ll be watching you.”

Well Mr. Ballmer, this is a blog post to put you on notice.  I’m an SBS community member.  I’m used to a level of support that I and my community have become accustomed to.  I’ve called in the past, paid the US$245 and more than gotten my money’s worth.  I’ve been pleased with the support I’ve received.  I think my community has been too.

Here and now, I’m putting you on notice that I’ll be watching out here and monitoring.  And making sure my SBS community gets a fair deal.  We deserve the support that we’re accustomed to now.  We’re rolling out your new technologies faster than those big firms.  We deserve folks that care about our Community, about our platform.  We deserve long term support and not short term solutions.

I hope you understand, Mr. Ballmer, that I think this cost cutting binge your firm is on lately is very short sighted.  I’m a shareholder and I’m concerned that the short term decisions that your beancounters are making now will hurt the company in the long run.

Partners can learn other operating systems and tend to choose the best solutions for their clients in the long run.  You take away support, or have it lowered to a level that makes it comparable to everything else out there, combined with the complexity of licensing, and small businesses don’t have quite the same resistance to ripping out and totally changing that large entrenched firms do.

Bottom line, Mr. Ballmer, if I see erosion in the level or quality of support that I see now, that my community is used to now, you’ll be hearing from me again.

I’ll be watching you.


Update:  12/14/2004:  Director of SBS, Eugene Ho responds:

Dear USA Today...now the story is even better

Follow up to our lovely USA Today article about the “finagle vulnerability”...you remember they did a honeypot and "To hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control."

Well at first I was thinking they purposely chose p-a-s-s-w-o-r-d as the password to get the system SMTP auth attacked [which, yes, we ARE vulnerable to -- remember CHOOSE PASSWORDS WELL like Dr. Jesper Johansson tells us to].  But it didn't dawn on me what they really did to purposely get this box hacked.  They set it up with one network card and no firewall.  Yo, folks. READ THIS.

  • Because the Internet connection device is the default gateway to the Internet, the device must provide a firewall service or you must add a firewall device to protect your local network from unauthorized Internet access. In this topology, you cannot configure the firewall provided by Windows Small Business Server 2003 because the server is not the gateway to the Internet. If you want to use the firewall provided by Windows Small Business Server 2003, you must install a second network adapter in your server and use the topology shown in Figure 2.4. For more information, see Appendix B, “Understanding Your Network.”

Does everyone understand how totally bogus of a honeypot test this was?  In that single-NIC topology the SBS firewall cannot even be turned on, so with no firewall device in front of the server its file sharing ports [SMB, TCP 139 and 445] sat wide open to the Internet.  They purposely set it up that way as part of their server honeypot test.

We never EVER do that.  No self-respecting server does.  So for this article, the honeypot experiment was such a bogus test.  Did the article say anywhere how bogus of a test this was?

Sorry folks.. but I'm still blown away by this article and its content.

No you don't always need to reinstall!!

Folks, just a reminder, but when there are issues with OWA or issues with Sharepoint, don't knee-jerk into thinking that reinstalling is the way to fix things.

OWA issues with images?  GZIP patch, folks --

831464 - FIX: IIS 6.0 Gzip Compression Corruption Causes Access Violations:
http://support.microsoft.com/?id=831464

Sharepoint problems after applying SP1?

841216 - "0x80040E14" or "HTTP 500" error message when you connect to your Windows SharePoint Services Web site after you install a Windows SharePoint Services service pack:
http://support.microsoft.com/?id=841216

Before you rip out things and start to uninstall and reinstall...come out to the newsgroups and ask!  That's what we're here for!

The BTDT credential

We have a saying in SBS land... BTDT.  It stands for “been there, done that”.  It's the highest credential anyone can have, in fact.  It means you have first hand experience of “fill in the blank”.  You read the instructions, interpreted them into your environment, and then made the project work.  It's higher than an MCSE credential, higher than an MVP award; it means you made something work.

Sometimes people come into the newsgroup and say “well I'm not an MCSE or an MCP” and you know what... that doesn't matter one whit.  Because each one of us brings our experiences, our BTDT, to the table and we can share our ideas.  Remember the other night when a calm voice on the other end of the phone let me stop and think “oh yeah, I have the firewall turned on and I bet it's blocking Windows Messenger”.

Sharing your experiences, knowing that there are others out there just like you.  On the SmallbizIT yahoogroup that I hang, Doug started a database of SBS consultants so that when he has a need for a branch office install or a remote installation or some other install issue in an area of the country he's not in, he'll have a database of fellow SBS consultants to call on.  A new consultant was asking some questions about starting out and the consensus came back that you didn't necessarily have to have employees, you could contract work out.

This week a person I was chatting with was talking about the SBS community, that he was blown away by how we share info out here.  Pat yourselves on the back folks, because that is what we do.  We've learned long ago that when we share we all win. 

Look around you, especially during this holiday season of the places where “sharing” of knowledge, of information means we all win. 

  • Did you know that the web site handlers at Incidents.org aren't paid for what they do?  But their daily diary keeps me informed of what is going on in the Internet.
  • Did you know that many fine folks volunteer at Broadband reports and share their experiences don't get paid for that?
  • Did you know the posters at PatchManagement and the moderators at that listserve don't get paid for that job?
  • Did you know that the communities where people share information like those at SBS2k yahoogroup [all versions of SBS], SmallbizIT [the business/marketing listserve] the CRM listserve, that we all win when we share our BTDT stories?
  • Did you know that the Microsoft communities have tons of “BTDT“ credential holders all ready to help?

So Gordon out there, my friend...you just come on over and introduce yourself to my community.  We do matter, we do care, we get results, ...and we do know it means something out here.  I think your problem on day 2 may be NIC related but you know what? Come ask in the newsgroup or listserve and we'll give you lots of ideas of what it might be.

Chad talks about what being a consultant for small businesses is all about.... “there's nothing better than being able to truly help a small business by taking their perceived IT liability and make it an undeniable IT asset . . . “

Nice going Chad!  That's what we're all here for.

Ray-Ism: An error occurred while creating distribution groups

Problem:

I continually get this error after an attempted install.
"An error occurred while creating distribution groups.
Open Active Directory Users and Computers, and manually
create a test distribution group to verify that Active
Directory is running. Rerun Setup."
I create the test distribution group without issue, but
after rerunning setup the same error occurs.

Ray-ism solution:

Register wizchain.dll before running setup again
   regsvr32 "C:\Program Files\Windows for Small Business Server\Administration\wizchain.dll"

Ray-Isms

I've added a new blog post category I'm calling “Ray-Isms”.  Not that all the Microsoft SBS techies aren't superb, but normally if there's a “you screwed up Sharepoint and here's how to fix it” post... it's a Ray Fong answer that I find via Google that will fix things right up.

I think we tend to rip out and reinstall Sharepoint a little bit too much around here.  At the drop of a hat people uninstall and reinstall and I don't think that's needed.

So look for some “Ray-isms” to be blogged about.

There's one coming up next...

So I'm all done, right?

Got my new member server set up. Live communication server 2003 working and I'm all done, right?

Uh... patching?  Did we forget patching?

Running the Shavlik now to patch up that member server. 

Was chatting earlier with someone who was going to install SBS 2k3 and was going to “just install it to RTM“.  In other words what it was as of October of last year.  Uh...no.  That's a DDT [Don't Do That] event.  Now mind you, right now, today, with our firewalls in place, a NICE [Dr. J sized] password, you would actually be just fine, but to be nice and safe and paranoid and not have me come after you with my 2x4, you want to

For the record it needed 24 patches on that system [remember that Live Communications Server also loads up MSDE as well].

 

Domain naming revisited

Just for the record, I named my server .lan....not .local....not .com...but .lan.  Why?  Because on the far, far, far remote chance that some other device or computer has a .local reservation [Macs in particular, since Rendezvous/Bonjour multicast DNS treats .local as its own], I can still connect anything.  Jeff Loucks uses .otl which stands for “on the lan” [pretty smart huh].

Remember we don't want to use our public .com name for the Active Directory domain; when we run the Connect to the Internet Wizard we then set our Exchange e-mail addresses to our true .com mail domain.

Sometimes when they ask for “fully qualified domain name” they are NOT talking about the .com “out there”, they are talking about the name of the computer AND its domain name in here.

So, for example, on my “set up home server” LCS exercise, in the DNS settings the FQDN [fully qualified domain name] was memberservername.mydomain.lan.  In Jeff's case he uses .otl.

We were chatting that more of us are moving away from .local just in case.

So what are you using in your domain naming schema these days?

When troubleshooting setting up anything new....

Word of advice... don't forget to turn off the firewall on an XP SP2 machine when troubleshooting stuff.  Isn't it funny how the minute you talk to a nice calm person you can suddenly have brilliance you didn't have before.  Called up one of the Motherships [sorry, didn't get the location] because I just could not get LCS 2003 working.  I put in the DNS records [both in the .lan zone AND in the new domain.com forward zone that I built], flushed the DNS and ensured that the service was stopped and restarted the service on the member server, went to my desktop and still no go.  Reviewed everything, found a KB and still nada.

"Signing in to SIP Communications Services failed" message when Windows Messenger users try to sign in to Live Communications Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;834470
Hmm... still not working.

Well guess what.  Seems like Windows Messenger uses about 4 ports and I forgot that I didn't have Windows Messenger as an automagically excluded program.  Jeremy Oswalt [just got the SRX confirmation email - thanks Jeremy] said in a nice calm voice “How about we temporarily disable the firewall on XP SP2” and bingo.  Boy did I feel blonde or what.  Remember folks to tell the technician everything about your environment INCLUDING whether you are running with the firewall enabled.  I checked the box to allow the program [not just static ports] through the firewall and voila.
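An added example, not from the original post or from the Microsoft technician, of doing what that last sentence describes from a command line, and of doing it instead of switching the firewall off while you test: add Windows Messenger as a program exception, scoped to the local subnet.  It assumes Windows Messenger is at its default path %ProgramFiles%\Messenger\msmsgs.exe and that the XP SP2 / Server 2003 SP1 “netsh firewall” context is what you have (on Vista and later the context is netsh advfirewall firewall instead).

```powershell
# Added example, not from the original post or from Microsoft support: let
# Windows Messenger through the XP SP2 firewall as a program exception
# instead of disabling the firewall to get LCS sign-in working.
# Assumptions (not on the page): run as a local administrator on the XP SP2
# workstation; Messenger is at its default path under %ProgramFiles%; the
# XP SP2 / Server 2003 SP1 "netsh firewall" context is available.

$ErrorActionPreference = 'Stop'
$messenger = Join-Path $env:ProgramFiles 'Messenger\msmsgs.exe'
if (-not (Test-Path $messenger)) { throw "Windows Messenger not found at $messenger" }

# What is already allowed?  If Messenger is not in this list, that is the
# first thing to fix before calling anyone.
netsh firewall show allowedprogram

# A program exception covers whatever ports the process opens, so you do not
# need to know the four ports the post mentions.  scope=SUBNET keeps the
# opening to the LAN, which is all an internal-only LCS needs; profile=DOMAIN
# leaves the standard (off-domain) profile closed.
netsh firewall add allowedprogram program="$messenger" name="Windows Messenger" mode=ENABLE scope=SUBNET profile=DOMAIN

# Confirm.  If sign-in still fails with the exception in place, the firewall
# is probably not the cause; only then is a temporary
#   netsh firewall set opmode mode=DISABLE
# worth trying, and remember to set it back to ENABLE afterwards.
netsh firewall show allowedprogram
```

The point of the program exception over a static port list is the same one the post makes: the checkbox for the program follows the process, so when Messenger picks a different port next time the rule still holds, and you never had to leave the whole firewall down to find that out.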

We're now set to order lunch on Monday :-)

P.S.  Jeremy's from a 980 area code... that's Mothership Charlotte! 

Ever notice geeks have lousy way of placing things in documentation?

So I'm looking for the Live Communications Server documentation and keep finding all the LCS 2005 stuff...well I don't have LCS 2k5, I have LCS 2k3 [actually I have to work on seeing if I can Software Assurance Live Communications Server 2003, but I may have blown it as I moved forward my SBS 2003 Software Assurance period from August to June and didn't realize I screwed up my 90 day window...but that's another post for another day].. so with the help of Chad I'm finding the 2k3 stuff, and in the literature [95 pages worth of stuff] I'm like... uh...guys.. can I have an LCS lite version?  This is ONLY for internal IM to let us coordinate lunch orders and tell someone that someone is at the front desk and to get off the phone, and I set up my old server [dual processors so it meets the minimum LCS requirements as per the documentation], load LCS and then start looking for the stuff to do to get it operational.

It's “supposed” to pull the info off the AD so I shouldn't have to add much “SIP” info to the user section...So I'm looking in the “user” section where I'm supposed to now have a Live Communications Server tab and dang if I can see it, so back I go to the 95 pages of ensuring that your LCS is fully spec'd out... and by the way...you don't need a dual processor machine for IM if you aren't archiving it and all that...I now have TWO servers that are sitting around filing their fingernails, falling asleep.... so I'm looking in the documents and buried in this little tiny section on page 45 is this:

The Live Communications tab is not available unless you have either home server or the Administration Tools installed on the computer that the user properties are being viewed from.

DUH, folks.. could you make that a little clearer that I'm supposed to take the LCS disk out of my member server, take it to my DC, install “just“ the admin tools and THEN I'll have my tab.  Now I went to each person, enabled LCS, ensured that my Member server was the home server and then back on the member server, there I have my IM's.

I have this prior blog post that I'm following as well, but since I'm not going “outside“ the firm, I'm not sure I need it.  Keep you posted.

Okay back to my desktop to see if that does the trick.

When adding a member server

Just a reminder that you want to choose

  • When you install a new Windows 2000 Server-based computer on an SBS 2000 or a Windows Small Business Server 2003 network, select the Per Seat licensing mode. To do this, click Per seat on the Licensing Modes screen in the Windows 2000 Server Setup program.
  • When you install a new Windows Server 2003-based computer on an SBS 2000 or a Windows Small Business Server 2003 network, select the Per Device or Per User licensing mode. To do so, click Per Device or Per User on the Licensing Modes screen in the Windows Server 2003 Setup program.
  • http://support.microsoft.com/default.aspx?scid=kb;EN-US;327644

If you don't do this you'll get event ID 202 errors on your SBS 2000/2003 server indicating you are out of licenses... and you are not.  It's just the member server freaking out.

Remember that it's not necessary to buy umpteen Server CALs for your member server; the SBS CALs cover the member server licenses as well. 

I went to the console, and to the “server computer” section and added a server and then on the member server, typed in http://insertedmydomain/connectcomputer to attach the member server to my domain.

  • I'm not choosing Disk Quotas [if I run out of space I'll just buy bigger harddrives :-)
  • Not choosing indexing service for now
  • It pops up a Share a folder Wizard

Oh I also am Mirroring the C Drive, I went into Computer management and flipped the C: to dynamic, blew off the D: drive that was built, and then went back to the C: and right mouse clicked to “Mirror“ it.  The D: drive is a hardware RAID 5 already, so no need to mirror that.

It automagically rebooted, added the Trend Micro antivirus, and now [per Chad] I'm going to the Manage your server, to add a server role.  Since this server will ... in reality be... for the Live Communications Server so we can have internal IM to ask each other what we want for lunch... I don't quite find a “Lunch order server” role on the options,   Seriously I'm going to choose File server for the time being as it will hold additional storage. 

I also right mouse clicked on my data drive and went to the “Shadow copy” tab and enabled Shadow copies on this.  Remember that the Shadow “pull” runs at 7:00 a.m. and at noon.  So if your server runs a little sluggish at lunchtime, it's just pulling the Shadows.

P.S.  If you are like me and there's a time of the year you work 6/7 days a week you may want to have the Shadow copies run on the weekend.

If you are running the Exchange IMF you'll want this

E-mail messages that contain a virus remain in the SMTP local delivery queue after you configure Intelligent Message Filter in Exchange Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;883522

Download details: Update for Exchange 2003 (KB883522):
http://www.microsoft.com/downloads/details.aspx?familyid=dafc0ad9-6a5c-4bff-857d-5699e9a611e8&displaylang=en

After you install and configure Microsoft Exchange Intelligent Message Filter on your Microsoft Exchange Server 2003 computer, e-mail messages that contain a computer virus or a worm program are not permanently deleted. Instead, these e-mail messages remain in the SMTP local delivery queue in Exchange 2003 until they time out.

Update on the WINS security issue

[First a disclosure - I'm still not freaking out, probably won't install this, but just an update]

The WINS security issue that I posted about the other day has had its knowledge base article updated.  First off they indicate, as I stated, that SBS 2000 and 2003 do indeed have WINS installed by default but, the good news is that we do not have port 42 [the target port] open. 

Right now I'm seeing some reports on the Net that they are seeing port 42 pings but I'm not seeing any remote attack that is trying to wiggle its way inside.

There are two actions you can take if you want to be extremely paranoid [for now, I'd just keep this in mind if we see things kick up going forward]

For now though, I'd just put these in your back pocket and not really make a big fuss.

Tomorrow I'm killing off SBS 2000 and news about the IE patch

It's been a good week on SBS 2003 and tomorrow I'll be in the office to start the last transition.  Taking my old server and making it into a member server with Windows 2003.  Bye Bye Windows 2000 and we're closing a chapter on that operating system.

Don't have to patch anything tonight because I'm on XP sp2 and Windows 2003 which do not need the patches.

For anyone out there seeing issues such as those discussed below, please remember that issues with a security patch are a FREE CALL to Microsoft

No-Charge Support - 1-866-PCSAFETY or 1-866-727-2338


Rick in the Midwest writes:

Installed this on Windows 2000 Pro that is behind ISA 2004 (don't know if
ISA causes the problem) and when using IE 6 and clicking a few links, IE
would lock up. Went to various site to test and rebooted 5 times, problem
was repeated every single time.
Uninstalled patch....IE works perfect as before.


Gary writes:

The installation of yesterday's IE cumulative patch on my SBS2K server
broke the Veritas Update function on BEWS 9.1. Removing the patch (I'm
guessing it was removable because I installed Windows Installer 3 last week) restores
the Veritas Update function. This function is highly convenient because it
keeps track of already installed updates.

One of the functions that the IE cumulative patch modifies is I-Frame,
which the Veritas Tech Support guy said is used on the Veritas Update site.

The IE patch has no other negative effects that I could see, but that
was at best a cursory look.


We'll keep you posted of any other issues we see out there.

You might also want to get the other IE rollup patch:

An update rollup is available for Internet Explorer 6 SP1:
http://support.microsoft.com/kb/889669

Which includes additional hotfixes that you may have received:

  • You may receive an error message in module Mshtml.dll and Internet Explorer quits when you run a custom Web program in Internet Explorer 6:
    http://support.microsoft.com/kb/888092
  • A fix for a problem that causes Internet Explorer not to be able to locate the correct program associated with a particular file type. This problem occurs if the content-type header that is returned by the server contains trailing attributes, such as the character set. For example, if the content type that is returned by the server is "text/xml; charset=utf-8," Internet Explorer may not be able to locate the program that is used to open the file. We will update this article as soon as the Microsoft Knowledge Base article that is associated with this problem, 871248, is published.

Webcast on SBS 2k3 and Mobility now online

 The SBS 2k3 and Smart phones and other mobility stuff webcast done by SeanDaniel.com is now online and included besides the smartphone stuff is a discussion of SBS2k3 sp1 [hint - due 1st quarter of 2005]

Classic line used in webcast by SeanDaniel.com -- you may have to "suck it up"  :-)  Loved that -- when referring to cell phone companies and carriers.  And as Karen pointed out ... it was brutally honest and was totally appropriate.  There are times that you have to “live with“ your cell phone carrier because that's all you have in your area or you are stuck with a contract.


Microsoft would like to thank you for attending the Web seminar entitled:

Windows Small Business Server 2003 and Mobile Devices

We appreciate your support! If you would like to view the recording, please visit the following link at your convenience: http://www.msreadiness.com/recordedeventregister.asp?eid=830.

Please be sure to share this link with anyone in your company who may have missed the live session! Remember to register for upcoming events at http://www.msreadiness.com/webcast/webcasts.asp.

We look forward to your participation in future Web seminars!

Thank you,

Microsoft U.S. Partner Readiness Team

SBS2003/Exchange/Messages stuck in pending submission issue with Trend Micro

Finally got the resolution on an issue that's been hanging around the SBS community since before September's SMBNation.  I think it was around the 04-025 IE patch time frame that we started seeing issues with stuck mail with SBS boxes and Trend.

Today I received word that there's a new patch for the SBS2003/Exchange/Messages stuck in pending submission issue. 

PROBLEM: Outbound messages would hang in the pending submission queue
CAUSE: A function inside the registry monitor thread of Trend's SMEX
RESOLUTION: Trend has released a hotfix to address this issue. "SMEX621_WIN_EN_HFB1127.exe"

I have an email into Trend because I do not see that link on their web site so look for a followup post to this posting.

UPDATE: THE LINK IS LIVE -- GET THE HOTFIX HERE http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=22654

Oh Canada -- way to go guys!

You know my attitude towards Terminal Server in application mode being taken OFF our SBS 2003 boxes.  I FIRMLY and SINCERELY agree that it is the right thing to remove this because it's so totally insecure.  It was totally the right thing to do.  Well Canada turned the “right thing to do” into an even BETTER right thing to do.  Because they heard the comments about the folks [especially those on Software Assurance] who lost out on the ability to keep TS in application mode, Canada went to bat and got 5 free TS CALs for people deploying a second server.  Gavin blogs about it here.

Now before you US guys start saying “but what about us?” I LOVE IT that finally there is an offer that is ONLY offered elsewhere and not here.  Right now we get a lot of offers that are US only.  We so need to have International offers instead.    Like Gavin says, someday we'll have the ability to have an offer to be international, but personally I think it's very cool that Canada went to bat for this.  For once, our northern brothers should be proud that they have something that we don't.

Way to go Canada!

 

Check out the new Microsoft Small Business Center

 Recently Microsoft has opened up a new resource for Small Businesses!  Frederic de Wulf, SB web director will be showing Small Business customers and partners how to access information relevant to their business, such as technical support issues, technology topics and assistance, a community of other small businesses ready to share advice on business and management issues, free events and training, tools and tips for taking your business online, etc. through the Small Business Center site.  Also, he will be providing a great informational takeaway at the end of the session for all attendees.  :-)  This will be a live demo of the site, not a PowerPoint show so it will be using real-time info that all attendees will be able to leave the session with and put to use that day.

 Here is the link to the registration page which also has some additional information.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032265662

When: Tuesday, Dec 14, 2004 11:30 AM (CST) – 1:30 PM (CST)
Duration: 120 minutes
Presented By: Frederic De Wulf - Small Business Web Director at Microsoft

SBS KBs of interest

No event is logged on the Back-End Database server when all servers in a pool become unavailable in Live Communications Server 2005:
http://support.microsoft.com/?kbid=889442
A new server that you connect to your domain does not receive the static IP address that you assigned in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=887307
The computer uses 100 percent of CPU resources when you move the USB mouse in Windows Server 2003:
http://support.microsoft.com/?kbid=890426

We may have WINS but we don't have an issue

You may have heard of a security issue with WINS and the original bulletin forgot that we install WINS on our SBS boxes.  Remember though the previous post about how “if the port is open” ...well the vulnerability ONLY exists if port 42 on your server is open to the outside.  Trust me.  Unless you are really really really stupid... you didn't open port 42.  The SBS connect to the Internet wizard doesn't open it and you'd have to manually open it.  You'd remember if you did.

If you don't believe me go to the Shields Up website and do a scan of your system. Click proceed, then “all service ports”.  You should see green for most of those ports and ONLY have open ports where you intend to have them open.

Bottom line.. we don't have an issue with WINS and don't uninstall it!!  Roll over and go back to sleep.

So like how many #$%# firewalls do we need?

The question was asked again in the newsgroup today --

“Do I need the XP sp2 firewall enabled on the workstations inside my network when I have a firewall on the outside?”

First off some background.  Any computer has 65,535 TCP ports and another 65,535 UDP ports that applications use to talk to one another.  Sometimes there is an application that is loaded up and “listening“ on a port, kinda like it's sitting on your computer going “I'm ready! I'm here!“.  For bad things to happen a couple of things have to align in the cosmos.

First you would have to have this open port with an application that is “listening“.  Then that listening application would have to be vulnerable, something that you didn't patch.  Now knowing that I'd whack you guys upside the head for not patching, that's probably not going to happen, but let's pretend, shall we?  Then there would have to be a way inside your network to reach that port.

If a bad guy knows that behind that open port [think of it as an open door] that application “X“ is waiting and ready to go, they can build a worm that attacks that “listening application“ that specifically targets that open port.  Now we all know that all we need to be absolutely positively 100% safe is a firewall, right?

Wrong.  A firewall is only as good as the ports you have closed.  Furthermore, it's only as good as your guarantee that there is absolutely no other way to get inside your network.  In order to do “normal“ business, we MUST open ports.  Think of it this way, in order to do your job you must take the risk of driving a car.  You must get in the car and drive on the road or highway to get to your destination.  Thus you have opened yourself up to risks.  In a typical firm you probably have some ports opened up all the time:

  • Port 443 - the SSL port that SBS 2003 needs for secure access to RWW and OWA
  • Port 25 - needed for email

On port 25 in particular [the email port] spammers are trying to “hang off your nice IP address“ and do what is called an SMTP AUTH attack.  They issue the SMTP AUTH command over and over, guessing passwords for the Administrator account until one authenticates, so they can send through your server.  Keep in mind that the “attacker“ doing this... I wouldn't call an “attacker“.  It's a “bot“, a machine just trying to add another victim to its lair.  There's no human “hacker“ on the other end of your RJ45 connection manually trying to crack the password; it's an automated program trying to get into your system. 

This by the way is the “finagle“ vulnerability that was discussed by USAToday... aka stupid cracked passwords...a “don't do that“ event as Jason out of Mothership Charlotte would say.
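The SMTP AUTH guessing described above leaves a very recognizable trail: a burst of rejected AUTH commands from one address, and, if the password was weak enough, a single accepted one right after. The script below is an added example, not code from the original post, that reads an Exchange 2003 SMTP virtual server protocol log in W3C extended format (one record per SMTP verb, SMTP reply code in sc-status: 535 rejected, 235 accepted) and reports each source address that crossed a failure threshold, plus any account that authenticated from that address afterwards. The log text, field list, addresses, account names and times are constructed for the example; the parser takes its column names from the #Fields header, so it adapts to whatever fields a real server logs.

```python
"""Spot SMTP AUTH password guessing in an Exchange 2003 SMTP protocol log.

Added example, not code from the original post. The SAMPLE_LOG below is a
constructed W3C extended log (made-up addresses, accounts and times); the
#Fields header drives the parser, so real logs with a different field
order or extra columns parse the same way.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one bot hammering the Administrator account from
# 203.0.113.45 until a guess works, and one user mistyping a password once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2004-12-15 03:12:01 203.0.113.45 - SBS01 EHLO +mail.example.net 250
2004-12-15 03:12:01 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:02 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:03 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:04 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:05 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:06 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:08 203.0.113.45 - SBS01 AUTH LOGIN 535
2004-12-15 03:12:09 203.0.113.45 administrator SBS01 AUTH LOGIN 235
2004-12-15 03:12:10 203.0.113.45 administrator SBS01 MAIL +FROM:<x@example.net> 250
2004-12-15 08:30:11 198.51.100.20 - SBS01 EHLO +laptop 250
2004-12-15 08:30:12 198.51.100.20 - SBS01 AUTH LOGIN 535
2004-12-15 08:30:20 198.51.100.20 jane SBS01 AUTH LOGIN 235
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per record, keyed by #Fields."""
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated or malformed line, skip it
        records.append(dict(zip(fields, values)))
    return records


def find_auth_guessing(records: List[Dict[str, str]], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Per source IP, count 535 replies to AUTH inside a sliding time window.

    At or above `threshold` failures within `window` is a guessing run.
    A 235 from the same IP at or after the run means a password was guessed;
    that case needs a password change, not just a block at the firewall.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r.get("cs-method") != "AUTH":
            continue
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[r["c-ip"]].append((when, r["sc-status"], r.get("cs-username", "-")))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [t for t, status, _ in events if status == "535"]
        best, start, burst_end = 0, 0, None
        for i, t in enumerate(fails):          # sliding window over the failures
            while t - fails[start] > window:
                start += 1
            if i - start + 1 > best:
                best, burst_end = i - start + 1, t
        if best >= threshold:
            cracked = sorted({u for t, status, u in events
                              if status == "235" and t >= burst_end})
            findings.append({"ip": ip, "failures": best,
                             "first_failure": fails[0], "cracked_accounts": cracked})
    return findings


if __name__ == "__main__":
    for f in find_auth_guessing(parse_w3c(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['failures']} failed AUTH attempts since {f['first_failure']}, "
              f"accounts then authenticated: {f['cracked_accounts'] or 'none'}")
```

The threshold and window are deliberately loose defaults; a single typo from a roaming user (the second address in the sample) stays below them, while a bot's steady one-per-second guessing trips them within seconds. The interesting output is the `cracked_accounts` list: an empty list means the firewall rule can wait until morning, a populated one means that account's password is changed now.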

Okay let's discuss some historical events that would have been prevented if a firewall had been on the inside of a network, shall we?

SQL Slammer would not have been as damaging, for one.  Right now my file and printer sharing ports, my Trend listening ports and nothin' else are open on this workstation.  Thus TCP 1433 and UDP 1434, the SQL Server/MSDE ports [Slammer spread over UDP 1434], are not reachable.  Now if I had an application [like the new 2005 Lacerte will do] that installs MSDE on the desktop, I can sleep easier knowing that that application is protected.

Remember too that the other way you got nailed was when you had unpatched machines, a firewall on the outside perimeter, and someone remoted in/VPN'd into the network and infected the unprotected/unpatched machines from the inside.  Most of us probably are not running the VPN quarantine features as they're not quite SBSized, so unless you can guarantee that all your salesmen have nice, clean, protected machines as they remote into the network, you probably need to think about firewalls on the INSIDE of your network. 

Steve Riley will be including this in an upcoming book, but the gist is that the concept of the DMZ is dead.

So why do you need a firewall on the inside of your network when you have a perfectly good one on the outside?  Because stuff happens.  That's why.  And it's another layered defense to have on our side.
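The argument above boils down to one question you can actually answer on a workstation: what is listening, on which address, and is each of those listeners something you meant to expose? The script below is an added example, not code from the original post. It parses the text that `netstat -an` prints on Windows XP/2003 and reports every network-reachable listener that is not on an explicit allow-list, which is exactly the set of doors the host firewall has to cover whether or not the perimeter firewall is doing its job. The netstat text is constructed for the example (documentation addresses, an MSDE instance on the Slammer ports); on a real box feed it the output of `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout` instead, and put your AV agent's ports on the allow-list, since those are vendor-specific and not assumed here.

```python
"""Audit what a Windows workstation is actually listening on.

Added example, not code from the original post. SAMPLE_NETSTAT is a
constructed imitation of "netstat -an" on an XP SP2 box; ALLOWED is the
intentional exposure (file and printer sharing, per the post). Everything
else that is bound to a non-loopback address gets reported.
"""
import re
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, str, int]          # (proto, bind address, port)

# Constructed sample: file and printer sharing, RPC, an RDP session in
# progress, a loopback-only service, and an MSDE instance (TCP 1433, UDP 1434).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.50:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.50:3389        198.51.100.7:51022     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.0.2.50:137         *:*
  UDP    192.0.2.50:138         *:*
"""

# Intentional exposure: file and printer sharing. Add your AV agent's
# listening ports here; they vary by vendor and are not assumed in this example.
ALLOWED: Set[Tuple[str, int]] = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# One netstat -an row: proto, local addr:port, foreign addr[:port], optional state
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text: str) -> List[Listener]:
    """Return (proto, bind_address, port) for every socket ready to accept input.

    TCP rows count only in state LISTENING; an ESTABLISHED row is a client or
    an already-accepted connection, not a new door. UDP rows carry no state
    and are always receiving, so every UDP row counts.
    """
    out: List[Listener] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # banner, column header, blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        out.append((proto, addr, int(port)))
    return out


def unexpected_listeners(text: str,
                         allowed: Set[Tuple[str, int]] = ALLOWED) -> Dict[str, List[Listener]]:
    """Split listeners into exposed (LAN-reachable and not allowed) and loopback-only.

    A socket bound to 127.0.0.1 cannot be hit by a worm elsewhere on the LAN,
    so it is reported separately rather than counted as exposure.
    """
    exposed: List[Listener] = []
    loopback_only: List[Listener] = []
    for proto, addr, port in parse_listeners(text):
        if addr.startswith("127."):
            loopback_only.append((proto, addr, port))
        elif (proto, port) not in allowed:
            exposed.append((proto, addr, port))
    return {"exposed": exposed, "loopback_only": loopback_only}


if __name__ == "__main__":
    report = unexpected_listeners(SAMPLE_NETSTAT)
    for proto, addr, port in report["exposed"]:
        print(f"EXPOSED  {proto} {addr}:{port}  <- firewall rule needed, or stop the service")
    for proto, addr, port in report["loopback_only"]:
        print(f"local    {proto} {addr}:{port}")
```

On the sample, RPC endpoint mapper (TCP 135) and the two MSDE ports come back as exposed while the loopback-only service does not, which is the point of the exercise: with the XP SP2 firewall on and only file and printer sharing excepted, those three are closed to the LAN even though the services are running and possibly unpatched.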

Speaking of patching... for those people that are 100% borg [aka SBS 2003 and Windows XP sp2], there is no patching needed today whatsoever:

Non-Affected Software:

Microsoft Windows XP Service Pack 2

Microsoft Windows XP 64-Bit Edition Version 2003

Microsoft Windows Server 2003

SBS 2003 and Mobility Webcast

Windows Small Business Server 2003 and Mobile Devices
 
Hey Mir!  You didn't say that SeanDaniel.com was giving the presentation!

Kewl!

 

Date and Time:

12/2/2004

9:00 AM Pacific Time (US & Canada)

 

Description:

Learn all about connecting a Windows Mobile device to Windows Small Business Server 2003. In this session we will discuss the server setup, client setup and mobile device setup aspects of joining a Microsoft Mobile device to the network, enabling users to maintain connectivity and stay productive while away from the office.

 

Free event registration: http://msreadiness.com/eventregister.asp?eid=830

(There's no need to be a partner to attend this event)

SECURITY PATCH FOR INTERNET EXPLORER - OUT OF BAND PATCH

Internet Explorer OUT OF BAND PATCH

http://www.microsoft.com/security/bulletins/200412_windows.mspx

If you are running XP sp2 you do NOT need this.  This is the patch for the IFrame attacks that occurred on systems not on XP sp2.

PATCH FOLKS!

Dear USA Today - followup - what our SBS box got "hit" with

I found out how the SBS 2003 got ”Finagled” into.... it was a weak password

That's what the “hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control."  was all about in the USA Today article.  I checked with the person who set up the honeypot experiment named in the article [he's a moderator for the Patch Management.org listserv I hang out on] and he confirmed that it was a weak Administrator password [the chosen password was password] that was broken that allowed them access.  Once a strong password was chosen, SBS 2003 was snug as a bug.

Guys, read this post about choosing passwords.  Any questions?  No?  Good.  Roll over and go back to sleep.

Heck I'm not a coder or scripter or hacker but I think even “I“ could have “finagled“ my way into a server using that attack.

And I still say that SMTP auth attacks, worms and bots are not directly “targeted to us“ but like SuperG says, it's like buckshot, we get shot via the blast.  I'll repeat this again:

  • Stupidly misconfiguring my SBS box
  • Weak passwords
  • Not patching
  • No backup
  • Not paying attention to the risks of my desktops

Now “THOSE“ are my risk factors