April 2005 - Posts

I'm bummed

Normally I try to come up with some kind of witty post title..but I just can't come up with anything else but.... I'm bummed.  I'm watching CNN.com/NEXT show and this is the last edition of this show.  First I lost CNet's computer TV show that used to be on Discovery channel.... and now CNN's NEXT show.  TechTV is into video games [which I'm not]... I mean what's a girl geek to do when all of her geek shows start going off the air?

Starts to make me think ...why is that?  Is it that technology just isn't newsworthy anymore?  Or is it that it's just more common place and normal?  I mean walk into any department store [like Target] and look at all the technology that is just normal.... digital cameras, DVDs, MP3 players, are just normal now. 

Daniel Sieberg... while you say you'll still be doing tech and science spots throughout CNN, it just won't be the same.  I'll miss you on the weekend.  I've been used to you every weekend for the past three years.  Thanks for what you did do, showing me some new things, and providing things for me to google.

Seems a bit odd when we should be emphasizing science and technology in this world, that in the media that I see, the level of science and technology feels like it's actually decreasing.  The Learning Channel seems like it is more home makeover shows than it is really teaching me anything these days.

Well I'll have to go in search of geek shows.  I'll let you know what I find to take Daniel's place.  It's going to be hard to fill his shoes is all.

Thanks for three interesting years!

How localized are you?

Out and about running a few errands today, I stopped and got gas and noticed at the gas station not far from my house the advertising banners at the station were half in English and half in Spanish.  Later when I went to Target [we call it Tar-shay you know], the voices around me were mixtures of English/Spanish and English/Laotian.  Keep in mind that I live in the 'breadbasket of California' and yet look at the United Nations around me that I totally take for granted.  It's just part of California and where I live.  In fact in Fresno, the Spanish TV and radio stations have higher ratings than the English speaking ones do.

It got me thinking on the localization issues that businesses must face on a regular basis, and of course Microsoft and SBS being an example of a business that needs to take something and translate it.  For SBS I think if I remember right, they come out with 17 different language versions of SBS.  Just the other day in the newsgroups a guy posted in about hotfixes and I used Google's translation service to translate the “hotfixes are free” but I apologized for using Google translation because I know how it can lose meaning and be a bit insulting sometimes to the poster.

Take for example this phrase: 

  • Hotfixes es una llamada libre, servicios de ayuda justos del producto de Microsoft de la llamada

Let's see what happens when we now stick it in Google to go back to English.

  • Hotfixes is a free call, right services of aid of the product of Microsoft of the call.

Uh...yeah... that sounds self-explanatory, doesn't it?  Want to know what it started out as?  Hotfixes are a free call, just call Microsoft Product Support Services.  Yeah, see what I mean?  Loses a bit in the translation, doesn't it?  So now think of the problems we face in a global world of technology.  Geeks have a problem communicating in the first place and we lose things in translation.  Talk about a compound problem.

I'll admit this is one area that I am vastly undereducated on.  I slid through my education without the need for a secondary language [and no, Geek is not officially designed as a language so I can't count that].  My sister knows enough French to say “My pencil is yellow”, I know enough Spanish to be able to order off the menu of a Mexican Food Restaurant.  Meanwhile in the ranks of my fellow MVPs from other countries... while they speak and write fluent English and it's not even their only language.  I think Mariette and Marina probably know about 10 languages between them.

Heck, look at Sam the SBS server... he speaks 17:

I barely speak English and he speaks two versions of Chinese, two versions of Portuguese and Russian.  I got a book on learning Russian in high school and more than anything else I remember that “e's” look like “3's”.  Like I said, vastly undereducated when it comes to foreign languages and 'localizations'.

But remember, while we do have localized newsgroups, they don't get as much traffic as the English speaking ones.  As long as you can speak and write English, can translate the error messages if Google can't do it for us, just remember that the communities of SBS that have the primary language as English, your geek peers, can still help you.  A computer error is a computer error and I still say that Geek truly is the universal language.  And if you don't mind if Google and I massacre your language I can always do this:

  • Hotfixes sind ein freier Anruf, gerade Anrufmicrosoftprodukt-Beistandsservices.
  • Hotfixes sont un appel gratuit, services de support justes de produit de Microsoft d'appel
  • Hotfixes è una chiamata libera, servizi giusti di sostegno del prodotto del Microsoft di chiamata
  • Hotfixes é uma chamada livre, serviços de sustentação justos do produto de Microsoft da chamada

For the record that's German, French, Italian, Portuguese .... well...it's supposed to be anyway.  In the original post I also included Japanese, Korean and Chinese but .TEXT didn't like the characters and wouldn't post them. 

So what about you?  Do you face any localization or translation issues where you are?

Like I said... I barely speak English. 

ROM updated and through the worm hole

It's always great fun sticking some new piece of software on your 'baby' and making sure it comes through the worm hole to the other side.  One HP ROM upgrade [burn from the web iso to cdrom] later I've got the following upgrades in place:

ROM upgrade went from 2004.8.26 to 2004.12.2 [Which is what I need to be ready for SBS 2003 SP1]

Array went from 1.92 to 2.34  [ooh up a whole digit]

Lights out went from 1.62 to 1.64

My Insight Management Agent is still at 7.10.0.0 which means I still have the Data Execution Prevention issue on my box if I don't upgrade so I'll be upgrading the IMA to the 7.20.0.0 version. 

One update down, one to go and this is still our “homework period” of just getting ourselves in tip top shape before the service pack.

You want what?

So the Copier/Scanner/Printer company faxes me a network pre-installation/configuration information sheet to fill out and they want to know stuff like... oh...domain name, IP address, DHCP, default gateway, DNS [primary and secondary] ....and this is kinda cool, they specifically ask about SBS as a network device.  Hmmm that must mean they've had enough of them to be an item [sometimes us SBSers don't think of ourselves as Windows 2003 servers and sometimes network technicians need to know exactly what we are].

But then here's the kicker...they ask me for the mail server name and a username and password on that mailserver. 

Uh...I don't think so.....I give you a username and password to an email account on my box and I've handed you privileged information sir.  There is no way I'm giving you that information when I've signed no contracts, and this is merely a pre-configuration sheet.  Heck, while it looks good that we'll go with your system, I'm still not writing down a username and password and giving it to you to keep in your filing system since I don't know how well it's secured.

So I filled out 'some' of the information, prepared a Visio diagram to showcase the firm's current network and faxed that over to them.  But I didn't put in a username and password.

Did find something out ...when I was discussing the diagram with a co-worker, they looked at the Visio diagram of the 'cloud' and said “what's that?”

I forgot that not everyone knows the geek picture icon representations for the Internet....it's a cloud:

So in my office it's Cloud to router to ISA server to Server to Switch to workstations to my workstation and here we are where I'm about to press the post button so this blog post will go from desktop to cat5 wiring to HP Procurve switch to SBS 2003 to router to Pacbell to the World Wide Web to...well...that Cloud.

June 15th Chat on SBS 2003 sp1

SBS: Shiny and New with SP1
Small Business Server, Microsoft's all-in-one solution for small businesses, is getting its first service pack. Changes to an all-in-one system can be risky, especially since SBS is targeted towards businesses without full-time IT Staff to fix things if they go wrong. Windows IT Pro author Michael Otey has run SBS SP1 through its paces and will answer your questions about SBS SP1 deployment, features, and fixes. Come find out why you should consider installing SBS SP1 and what you need to do to help your business or your customers plan deployment.


Hello ...hold the phone...“why you should consider”?  Consider?  Whoa...as Yoda would say ..there is no Try ...there is only Do

Yo, folks... there is no 'consider installing it' when it comes to this important of a service pack... You DO it.  The only consideration here is WHEN...not IF...but WHEN.

In about 30 minutes I'm upgrading the ROM here to be ready for SP1... so remember.... DO IT not “consider it”.  In fairness though... it should be TESTED on a non production system first before you apply it.  Don't have a non production box?  Wait and have the community shake out any issues first and we'll guide you through it.

Paranoia

Sometimes it's funny how people react to things.  There was a recent set of stories of how the next version of Windows would have a 'black box' feature to aid in gathering data of system crashes and what not. 

In some circles you would think Microsoft has a division that just can't wait to read what stuff we have on the computers.  Just take some of these comments:

“My initial impression is that in the health care industry this will be a violation of the HIPAA security rules.” and “I've heard a lot of discussion on Microsoft's privacy issues. I was an avid Windows XP user, using it for personal web hosting and gaming. But discussions like this BlackBox and Palladium have gotten me spooked”

And yet, do many of you realize that as of right now, if this is a privacy issue to you later, it is a privacy issue now...and better yet, do you realize what benefit it is?

First off there is a setting, a registry edit that you can do to turn this off if you are that paranoid and concerned.  Furthermore, when the crash dump occurs, say no and don't send it.

HKLM\Software\Microsoft\DrWatson\CreateCrashDump is the registry key if you want to disable it...but wait... keep reading...

But do you realize the benefit of these dumps?  Case in point is SBS.  Last April we saw our SBS boxes blue screen and send a dump off to Microsoft, it ended up being a virus engine update that they knew BECAUSE of the crash dumps.  They knew within minutes while the rest of us were totally guessing.  Charlie Anthe has posted before of all the items that have been identified because of crash dumps.

You can take a look at this link http://oca.microsoft.com/en/Response.asp?SID=896 and see what kind of things have been found with the online crash report.  Change that SID number in fact and you'll see the kinds of things that have been found.  The Data collection policy is posted on the web site.

As it says on the site “When collecting information, it is possible for personal or confidential information to be present in the report. For instance, a snapshot of memory may include your name, part of a document you were working on, or data you recently submitted to a Web site. It is also possible for personal information to be included in a log file, a portion of the registry, or other product specific files needed to determine the cause of the problem. If you are concerned that the report may contain personal or confidential information, please do not send the report.”

Bottom line if you have a concern about the black box technology in Longhorn, you should have a security concern now.  The technology is not increasing, it's just enhancing what's already there.  It's like the concept of the SBS community.  Peer sharing so we can all benefit.

Now how about turning some of this paranoia against our line of business vendors who can't do least user privilege coding, eh?

Law number 2 - get ready for LUA folks

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the computer, right along with everything else! They're just files, and if other people who use the computer are permitted to change those files, it's "game over".

To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they're trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there's no limit to what he can do. He can steal passwords, make himself an administrator on the computer, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected. (The security checklists on the Microsoft Security website will help you do this).


There are a couple of things that are in the near future and one that we majorly need to get on the backs of our application vendors on that are touched by Security Law number 2.  This law says that if you don't protect your system registry, you may not have a good system.

Well guess what class...what do most of us do to our system registry?  We leave it wide open to be messed with all the time.  Show of hands... how many [including myself as I've got a couple of desktops that I haven't fully done this to] are running with full rights to that desktop?  We leave our registries wide open for attack.  I'll be the first to admit it's not easy running with least privilege user rights...what we have to do to classesroot to get Quickbooks to run in LUA is insane. 

So we don't even do ANYTHING to help even get close to protecting ourselves on law number 2, we leave ourselves wide open from the get go. And this is something we need our vendors to help out on.  My Threatcode site is back on the air and we truly need to get these vendors ready for Longhorn and LUA.

Got Dell?

If you own a Dell, the notification email you need to sign up for is here.  Andrew posted the link but the blog format means that it ended up a bit down below in a weird location so I thought I'd post it as a new post.

So there you have it.  If you had a Dell or HP, you have some newsletters to sign up for, don't you?

Another patch email that I signed up for

I've signed up for Microsoft's security patch emails, but there's another category of patch emails that I haven't signed up for until now.  My hardware patch notifications. Out on the HP site [and look if Dell has a similar offering], there is a place to sign up for driver update notifications for my model of server.

Receive proactive customized emails on an as available, weekly, or monthly basis that provides drivers, software patches, product change notifications, customer advisories, softpaqs, patches, security bulletins, and more across 95% of HP’s business product lines. Each HP Technology at Work alert email provides a short description of each personalized alert and then links you to the location where you obtain the latest support information for your HP products

More Homework

Danny points out there's a one stop place to update the firmware in the server before the update.  The link is at HP and there is one thing I noted about it.  The link actually goes to an ftp site that unless you have the fix for 05-019 in place or passive FTP checked, your browser kinda sits there.

If you are having issues with FTP, remember get the hotfix here...or adjust ftp to enable passive ftp [go into Internet Explorer, Tools, Internet Options, Advanced, click the box 'use passive ftp'].

In the meantime I'm pulling down the zip file to build an iso image that will have the needed updates for my server to prep it for Windows 2003 sp1 which is included in SBS 2003 sp1.

Thanks Danny!

So don't forget to do your homework!

Doing my homework

Out on the HP web site and checking that I'm ready to go and it looks like I need to do some homework on my HP system.  This HP document is the recommendations for Windows 2003 sp1 on ProLiant servers.  Now I have a ProLiant ML370 G4 Xeon.  And according to this I need a minimum ROM date of 12/2/2004.  Hmmmmm.. well since I know I installed that little guy over Thanksgiving weekend that tells me I need some ROM upgrades in order to be ready to go when the Service Pack for SBS 2003 sp1 comes.  It also indicates that I should have the 7.30A ProLiant support pack [I have no idea what I have] and it says the hard drives I have have the right digital signature. That's nice to know [I'd hate to not have the right drivers for those drives  :-)].

Ah ha, there is a known issue with Data Execution Prevention [DEP] and Windows 2003 sp1.  When DEP sees something trying to do something weird with memory it freaks out a bit and protects the system and there's a known issue with HP Insight Management agents and SP1 [I'll have to see if I have those installed].  I saw this actually back in the beta as when Trend sent down their major update for the antivirus when they had a patch, the engine update caused a DEP exception.  You can put in an exclusion or you can get an update for the HPs from this link.

Bottom line... I have some ROM updating to do in the coming weeks before that SP comes out, me thinks.

Sniff, Sniff, Sniff...hmmm .....I think I smell something cooking.

Courtesy of Today's Microsoft Download site

Find the details about what’s new in Windows SBS 2003 with SP1. Service packs and updates are listed in tables and categorized by the Windows SBS feature area for easy reference.

Hmmmm..... I think I smell something cooking in the kitchen and getting near done, don't you?

Remember 60 days from March 31st is the official date, but if I were you I'd be checking Dell and HP and your hardware vendor for any compatibility issue with Windows 2003 sp1 now.

In fact, that reminds me, I need to go do that myself  :-)

The stuff you think about when shopping for a copier

So I've had a couple of vendors in to discuss copiers and scanners today and one of the ways the copiers can now connect is via SMB and of course the first thing that goes through my mind is SMB signing.  I've asked the copier vendors to get back to me on their requirements for SMB signing because honestly I'd like to leave it on.  The Windows networking article here talks about the benefits of SMB signing and honestly I don't notice any performance hit in my network.

But it is interesting to think about... when attaching devices to your network, think about what insecurity they might be introducing as well.  They too are a device with software and may need updates.

I flattened a box tonight

It wasn't my workstation...but rather that of my hairdresser.  I was cleaning it up for her.  And even with Norton Antivirus and Microsoft's Antispyware I only had about 3 minutes after bootup before 57 Internet Explorer windows popped up ...mind you this was with the machine “not” on the Internet.  Oh and it had about:blank on there as well.  So what did I do with it?

I booted it long enough to get the necessary documents off [which fortunately didn't take that long] and then I booted it from a Windows XP cdrom, removed the partition, repartitioned it and had it totally wipe the hard drive and reformat.  Now I'm putting programs back on.

Oh, and I'm doing something else too... I'm making the daughter and son's account into limited user mode and not giving them administrator rights.  You see that's how this computer got into this mess.  Even with Norton up to date... even though Microsoft antispyware was on the machine [which in fairness this was added later in a last ditch effort to clean the box, unfortunately it was unsuccessful], and even while I was getting the data off, the spyware cleaner was attempting to block stuff but it just couldn't do it. 

Now this system has XP sp2 on it with the firewall enabled and the auto updates turned on.  Antivirus is on, Anti Spyware is on.... and now I'm sending it back off to hopefully stay safe and secure.

May User group events - May Migration Madness

Anne Stanton and Jeff Middleton

On SBS Server Migrations ....and.....Migration projects as Business Opportunities

  • May 17th  - New England Small Business Server User Group in Boston from 5 to 10 p.m. at the Microsoft office in Boston
  • Registration link to come

  • May 18th - NY SBS IT Professional's Group - from 5 to 10 p.m. at the Microsoft office in New York City
  • Click here to register

  • May 19th - Washington DC SBS User Group - from 5 to 10 p.m. at the Microsoft office in Washington DC
  • Click here to register

For those of you on the East Coast you have three chances to meet up with this dynamic duo of Swing.

Law Number 1 - Would you eat that Sandwich?

I'm going to remind folks of the 10 laws of security....this came up because someone in the newsgroup asked if there was a weakness in SBS because someone reset the admin password [but that's to be covered in Law # 3 so stay tuned for that]

First up is:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word "will" to "won't" in all of them. It could send rude emails to all your friends. It could install a virus. It could create a "back door" that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive.

That's why it's important to never run, or even download, a program from an untrusted source—and by "source," I mean the person who wrote it, not the person who gave it to you. There's a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn't—it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you'll usually be safe.


My sister is wising up a bit, but for awhile there she would go out to websites looking for Disney screensavers and icons and just click...well it ended up that she got more than she bargained for..spyware that I ended up cleaning up.....why?  Because she failed to follow rule #1.  She let someone persuade her into running their bad stuff on her machine. 

Now most of us would say, well that was a blonde thing to do, but keep in mind this is EXACTLY how most malware and junk gets on your system.  You click YES.  And when you give that program permission, you've given up your machine to that bad guy.

So what's the remedy for this?  Only say yes on those items that you know where the software came from, you trust the vendor of the application. 

Like the law says... if you didn't make that sandwich and don't know who did... would YOU eat it? The same is true for software.  And especially for anything that comes free.  If it sounds too good to be true, it always is, isn't it?

hmmm... why am I all of a sudden in the mood for a toasted cheese sandwich.....

There's only one ME last I checked

I was out googling today and don't ask me why I googled on my name [vanity kicking in or something] and on the right hand side I saw something that just made me flabbergasted.  On the right side of Google are 'Sponsored Links'.  And there was an ad for “Hey Susan Bradley SBS Fan”, and advertising tips and tricks for small business consulting.  Except there's one problem.... um...you see....that's not my web site. 

So to all those out there googling... know there's only one me and I don't advertise on sponsored links.  Heck... I don't advertise period, I just blog.

I've pinged Mr. Feinberg to stop advertising his site as being related to me.

I'm just an SBSer out here helping other SBSers and kinda feel a bit strange with Mr. Feinberg taking advantage of SBSers to get them to come to his site.  That's an old fashioned bait and switch tactic in my book.

For the record, I'm in the newsgroups, the blog, in Harry's Advanced book.  But I'm not on Josh's web site.

What I take for granted

I was helping my Dad and a neighbor with their computer [got them on XP sp2] and now they have a lovely red shield down in the system tray that warns when things are not as they should be.  I was there to help them with speakers that weren't working and they were thinking it was a driver issue.  Well I checked the control panel and could tell that it wasn't the driver as there was no “!” in there so I tried the next solution that normally works.... and that's merely to change out the speakers.  Yup that was the trick.

Sometimes you just know to try something like hardware.  But sometimes you know to look in software.  We had a scanner that needed an updated driver.  A pop out to the internet and all was well.

But it makes me think of all the things that I just take for granted.  Knowing that the event viewer is there, that I have www.eventid.net around.  That [and this is the really important one] I have a peer group that I can go to and say “Are you seeing this?”.

Benchline, Benchmarking, whatever you want to call it... it's all about knowing what is 'normal'.

To all those out here that help me do just that, Thank You.

Patch Information

A couple of links on patch management

First off is the recording of the Patch Webcast [where I only coughed once] and the second is a blog post regarding patch resources.

And of course don't forget my fav... www.patchmanagement.org!

Trend Pattern File 2.594 may cause high CPU utilization [is your system pegging the CPU at 100%?]

Pattern File 2.594.00 may cause high CPU utilization
http://www.trendmicro.com/en/support/pattern594/overview.htm

From the bulletin:

Why did this happen?

To protect its customers against the growing threat of the WORM_RBOT family, Trend Micro enhanced the decompression ability of its Pattern File by supporting 3 new heuristic patterns, including UltraProtect decompression, in OPR 2.594.00.

Due to an isolated anomaly in the engineering, development and pattern release process, the UltraProtect decompression may, in certain circumstances, cause some systems to experience high CPU power consumption. This can lead to system instability when this specific file type is scanned using Pattern File 2.594.00.


Hmmm... you know what I want to see though?  Something that says "we've put in place 'this' to ensure that this anomaly doesn't happen again."

This was definitely a world wide event as I got a link on a Japanese blog, Martin Roesler posted to the Full Disclosure list, and some newspapers in Japan had to resort to fax machines and it's reported in Incidents.org.

About 3:35 PDT in my office, the receptionist buzzed me saying her machine just 'went wacko' and when I went to look at it, it was totally unresponsive.  When I went to do a hard reboot and restart, it was totally grinding on 'applying computer settings'.  A few minutes later another co-worker walked by the front desk to tell me that he couldn't get to network and that's when I knew something was up.

I think fortunately because I have two processors, the server was still a bit responsive as I could get to the event logs and could see no unusual activity.  Knowing that the other 'change' introduced into my system is always antivirus, knowing that about a week before the dat file update on my workstation had ground my machine to a halt, I just for whatever reason, wondered if Trend had done something.  So I got into the virus dat update log files and sure enough, could determine that the timing of the update matched up with the 'event'.

The next step I did is something kinda weird...but it definitely came in handy.  I purposely have a wireless connection that goes around my server.  I set up a laptop, logged into IM and immediately looked at the folks that were online in my IM listing.  Chad's online!  I pinged him and asked if his server was doing anything wacko and he confirmed that he was right in the middle of attempting to get his server back into a responsive condition.  Bingo.  I'm not alone.  Then I checked with Super G.  About that time Michael C pinged me on IM to ask and sure enough he was seeing it too.  About that time Chad said that the SBS2k list was starting to report issues.

I'm relaying this story only to showcase how understanding what changes might be occurring to your system [virus updates], what community resources you have [newsgroups and listservs], and access to the Internet in case of emergencies helps.

Hotfix for issues seen after MS05-019 [KB893066]

Network connectivity between clients and servers may not work after the installation of security update MS05-019 or Windows Server 2003 Service Pack 1:
http://support.microsoft.com/default.aspx?scid=898060

To obtain this hotfix, it is a free call.  [hotfixes are always free]  Call Microsoft, state you need KB 898060 and you'll get the hotfix.

How to run Quickbooks under user mode

I finally got around to documenting the needed changes to get Quickbooks running under usermode.

Quickbooks in usermode for Stand alone machines

Quickbooks in usermode using Group policy

The process is basically that you use tools like Filemon, Regmon and Inctrl5 to identify those 'sticking' places in the file permissions and registry.  Now you have to open them up.

Unfortunately you have to open up ClassesRoot unless you want to spend the rest of your life whacking the heck out of that thing since Intuit uses guid keys in that section.  If you want to see the printout of regmon's report on Quickbooks [this is the Enterprise version being attempted to be run in user mode] you can see this spreadsheet here.

Steve Friedl helped to distill that down to basically two file permissions and two reg keys:

  • HKEY_LOCAL_MACHINE\Software\Intuit
  • HKEY_CLASSES_ROOT

  • C:\Program Files\Intuit

  • C:\Program Files\Common Files\Intuit
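An added example, not from the original post or from the Regmon/Filemon tools: one way to do the distilling step described above, grouping the permission failures in a monitoring log under the narrowest vendor-named parent and listing separately the scattered paths that have none. The four-column tab-separated layout, the result strings and every sample row are constructed assumptions.

```python
from collections import defaultdict

# Result strings treated as a permission failure (assumed spellings).
DENIED = {"ACCDENIED", "ACCESS DENIED"}

# Constructed sample rows: (process, request, path, result). A real export
# has more columns; these four are the ones the analysis needs.
SAMPLE_ROWS = [
    ("QBW32.EXE", "OpenKey", r"HKLM\Software\Intuit\QuickBooks", "SUCCESS"),
    ("QBW32.EXE", "SetValue", r"HKLM\Software\Intuit\QuickBooks\Settings\LastRun", "ACCDENIED"),
    ("QBW32.EXE", "CreateKey", r"HKLM\Software\Intuit\Shared", "ACCDENIED"),
    ("QBW32.EXE", "CreateKey", r"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}", "ACCDENIED"),
    ("QBW32.EXE", "SetValue", r"HKCR\Interface\{00000000-0000-0000-0000-000000000002}\ProxyStubClsid32", "ACCDENIED"),
    ("QBW32.EXE", "WRITE", r"C:\Program Files\Intuit\QuickBooks Enterprise\qbw.ini", "ACCESS DENIED"),
    ("QBW32.EXE", "CREATE", r"C:\Program Files\Common Files\Intuit\Sync\state.dat", "ACCESS DENIED"),
    ("explorer.exe", "SetValue", r"HKLM\Software\Classes\.txt", "ACCDENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def denied_paths(log_text, process):
    """Return the unique paths on which `process` got a permission failure."""
    hits = set()
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        proc, _request, path, result = (f.strip() for f in fields)
        if proc.lower() == process.lower() and result.upper() in DENIED:
            hits.add(path)
    return sorted(hits)


def vendor_root(path, vendor):
    """Shortest prefix of `path` that ends at a component named after the vendor."""
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if part.lower() == vendor.lower():
            return "\\".join(parts[: i + 1])
    return None


def distill(paths, vendor):
    """Split denied paths into vendor-scoped grant points and unscoped leftovers.

    scoped:   {vendor-named parent: [denied paths under it]}  -> narrow grants
    unscoped: {hive or drive: [denied paths]}                 -> need a decision,
              because granting at that level opens far more than the application.
    """
    scoped, unscoped = defaultdict(list), defaultdict(list)
    for path in paths:
        root = vendor_root(path, vendor)
        if root:
            scoped[root].append(path)
        else:
            unscoped[path.split("\\")[0]].append(path)
    return dict(scoped), dict(unscoped)


if __name__ == "__main__":
    scoped, unscoped = distill(denied_paths(SAMPLE_LOG, "QBW32.EXE"), "Intuit")
    for root, hits in sorted(scoped.items()):
        print(f"grant on {root}  ({len(hits)} denied paths)")
    for hive, hits in sorted(unscoped.items()):
        print(f"no vendor-named parent under {hive}: {len(hits)} scattered paths, "
              "review before widening")
```

The unscoped bucket is where the trade-off shows: the GUID-named keys have no common vendor parent, so the choice is between permissions on each key and opening the whole hive.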

I personally think it shouldn't be as hard as this to run in user mode around Quickbooks.  A consultant emailed me that they had installed QB Enterprise version and their customer didn't want to run with the Salesmen with local Administrator rights on their computers [bravo for a company wanting to ensure their desktops are part of the security fabric of their network] and when the Consultant contacted Intuit, Intuit's support said the “fix” to not run with local administrator rights was to:

 

“connect a member server to the SBS system. Then put QB's data there, with no Active Directory running on the member server.”

 

Yup, you heard that right... they suggested a member server with 'no AD' as the fix for running without administrator rights. 

 

First off, why in the world would you not want a server or a workstation stuck firmly in active directory, to ensure you have control of that server, and secondly, how in the world do they think that installing this on a member server is going to solve the desktop issue of permissions and user rights?

 

I love this KB article where it says the issue of user mode is a top support issue and don't you worry your little head because you are only making them 'standard users' [aka power users... you know...that category of users that the security folks call “admin lite”].  You remember that lovely KB article that I love to point out that says: A member of the Power Users group may be able to gain additional rights and permissions on your computer, and may be able to gain complete administrative credentials. A member of the Power Users group may also be able to expose your computer to other security risks, such as running a virus or running a Trojan horse program.

 

Remember what it says at the bottom? 

  • Do not use the Power User group.
  • Deploy certified Microsoft Windows 2000 or Microsoft Windows Server 2003 programs in your enterprise.  Programs that are certified for Windows 2000 or Windows Server 2003 are written to avoid requiring unnecessary access or administrator-level credentials.     

That's right class, that Quickbooks Enterprise 2005 program is not certified to run on Windows 2000 in the year 2005.  Maybe it's going to take legislation over Personal Identity Information before vendors 'get security', because honestly, it's accounting applications that seemingly are the worst.

 

One more note... due to how QB is 'all over' the ClassesRoot tree, if you want to have a QB that will allow auto updates you either have to open up ClassesRoot or spend the rest of your life editing that registry.  Bottom line folks, Quickbooks, in my opinion, is written in an insecure manner.  But until WE the marketplace start demanding that they change it, it will continue to be done in this manner.

 


 

Oh and I have to fess up on two blonde things I did.  In order to do the screen shots for the standalone PC I wanted to do it on a 'virgin laptop' so I took my tablet PC and flipped my normal operating account into user mode.  Then I proceeded to somehow forget the 'real' Administrator's password.  Oh yeah.. cute, huh!  Not to fear though, I just downloaded the reset cdrom burned in the iso image to make a bootable cdrom, booted from the cdrom and reset the password.  Now for the other blonde thing I did.  Notice this how-to isn't on the www.threatcode.com web site?  Yeah... while I have the domain parked, I forgot to renew the site with webhost4life.  Oh well, it will be back online probably Monday when their accounting department opens back up.  

So how was your Friday night?

Windows XP Service Pack 2 machines with critical patches and PC-cillin Internet Security 2005 starts to experience high CPU utilization after updating to Pattern 594

Yeah...slight understatement of the year in this KB from Trend. However the KB only talks about PC-cillin when mine was an issue with OfficeScan, and it not only affected the workstations, the server ground to a halt. 

Any workstation that was turned on at 3:35 p.m. when the 594 dat file was applied was totally pegged at 100% CPU utilization and unresponsive.  I had to sneakernet to each workstation, boot into safe mode, get the 594 off the machine and reboot to get any kind of control over the machine.  I even had to do this on my member server as it too was totally unresponsive.  Chad said that his servers and workstations fixed themselves... but mine were totally not fixing themselves as the workstations were too flatlined to get any updates.

Here at home, by the time I got home, the server had gotten up to 596 and had settled down, but the two workstations were still totally flatlined.

Krissy [that's my Dog] loved the experience though, he and my sister came to the office to keep me company since I was the only one there and he loves to run throughout the hallways at a fast clip as the carpeting allows him to have almost an interior dog run.  [BTW Krissy is a spoiled white toy poodle..yeah... I know.. girly dog all the way... even going to the poodle parlor for haircuts]

So while my Friday night wasn't exactly how I planned it to be, his turned out to be very fun for him.  As I left the office, my sister pointed out it was meant to be... it was a full moon.

...oh well... so how was your Friday night?  That's how I spent mine.

P.S.  This is why I make sure I have a way to the Internet that goes around the server.  I literally had a laptop on the wireless connection and it was nice to know [well not really THAT nice but kinda nice if you know what I mean] to know that around the globe others were seeing the issue too.  To all of you out in the community that shared the 'Friday Flatline Experience' thanks for all of your help!

Trend dat file cleanup - clean up info after the Freeze Up

Thanks to Karen Christain for this info:

For problem XP boxes:
Logon to the WXP box in Safe Mode.
Manually delete LPT$VPN.594 (C:\Program Files\Trend Micro\OfficeScan Client).

The 594 pattern update came down from Trend Micro at about 3:36PM PST.
This update has negatively impacted Windows XP Pro desktops. It did not
negatively affect W2K Pro or SBS2K3. If you already have 594 and the
system cannot get to the Internet or appears to have hung you will want
to do the following:

Open OfficeScan Management Console
Updates
Server Update
Change update from Hourly to Daily or Weekly
Save
Rollback
Rollback Server and Clients
Select

Also: If you have the pccsrv.exe line in the SBS Login Script, REM it out.

If the client is locked up a hard reset may be required.

Trend dat file 594 - FREEZEUP

>>>TREND A/V FREEZE UP OF WORKSTATIONS AND SERVERS<<<

Just a major heads up .. SBSers around the world are reporting that dat file 594 just did a major freeze up on all servers/all workstations.

We have many machines affected.  Roll back to the 592 dat file.

Per Technical Support of TREND 596 will be out around 6:30 p.m.

To roll back:

Go into the OfficeScan console | Updates | Rollback.  Click 'Rollback' button for Virus pattern file.

Actually, SeanDaniel.com...no I don't have that link!

SeanDaniel.com [poor guy, I find it easier to make his name into a URL] out RSS's me today by talking about a new RSS feed page.   Kewl.  I did have a SBS RSS feed before, but it was from the community page and it wasn't this one.  His blog lists that page and talks about their hard work on SBS sp1. [coming soon... patience patience.....]

Popped the SBS one into Newsgator!

Kewlamundo!  Thanks Sean!

Issues with VPN and FTP revisited

I've been talking about the issues with Security patch 05-019 [KB 893066 tcp/ip] and VPN and FTP and wanted to make sure everyone understood that when you are seeing issues, DON'T uninstall ALL the April patches, you should ONLY uninstall the ONE patch. 

Removing all of the April patches is not the appropriate action and not the way to go. 

If you MUST, remove the patch and then hang tight for a fix.

If you CAN, leave the patch and use the workaround.

The main thing is don't merely remove all of the April patches as you need the others on there as they are not causing issues. 

 

Getting IT

We were discussing the other day the perfect firm for SBS.  It isn't any one type or industry, rather it was the type of Boss.  The firm that installs and embraces SBS [or any network actually] has to 'get IT'.  Meaning that they see the value in investing in their firm's technology as a way to grow the business.  I met with a client today and a post in the newsgroup asking about upgrading went hand in hand.  The newsgroup poster was asking about upgrading to SBS 2003 and whether or not it was worth it.  He said 'the current Windows 2000 exceeded their needs'.  The client had a Windows 98 and I was unable to plug in a USB thumbdrive without searching for Win98 drivers which I didn't have.

But I'm not sure I would agree with that statement that the OS exceeded the client's needs... certainly not without sitting down and talking with the client.  They might want more out of their current system.  I would argue the killer apps of SBS 2003 have to be seen before you can say “the current OS exceeds their needs“.

Next is the whole security issue....I may not agree with Dave Aitel's disclosure policies but I do agree with one statement he makes:

Securing software is actually quite easy. Both Open Source and Microsoft compilers have special flags to protect software from common vulnerabilities. There have been dramatic changes in the security of recent operating systems. These days, there's no excuse for anyone to run Windows 2000 on a network and then complain about it getting hacked. Upgrade to Windows 2003 SP1 or XP SP2 or any modern Linux and your problems just go away.

 

MTU anyone?

Last night I posted about some possible issues with Security patch MS05-019 [KB 893066] and here's a follow up you 'might' want to try.

First off..remember to call into Microsoft Product Support Services so you can make sure to get the latest info, but here's a possible workaround for the Win2k3 machines having issues with FTP:  You might want to try this with VPN issues as well.

Again, I have not seen this issue in my network.

First off go find KB 120642 for more details.  We're going to be setting the MTU value and this is a per adapter setting so you will need to change the parameter on each interface.  With KB893066 in place and not uninstalled, set the MTU on the clients AND the server to 1400 and see if the problem resolves.

Key: <Adapter Name>\Parameters\Tcpip

Note: In Windows 2000 and later this value is under the following key:

Key: Tcpip\Parameters\Interfaces\<ID for Adapter>

Value Type: REG_DWORD Number
Valid Range: 68 - <the MTU of the underlying network>
Default: 0xFFFFFFFF
Description: This parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport will transmit over the underlying network. The size includes the transport header. Note that an IP datagram may span multiple packets. Values larger than the default for the underlying network will result in the transport using the network default MTU. Values smaller than 68 will result in the transport using an MTU of 68.
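An added example, not from the original post or from KB 120642: a Python script that sets the per-adapter MTU described above, with a dry-run listing that doubles as the rollback record. The `SYSTEM\CurrentControlSet\Services` prefix and the value name `MTU` are filled in from the standard Windows TCP/IP registry layout, and 1400 is the value suggested above.

```python
import sys

# Assumption: full path of the "Tcpip\Parameters\Interfaces" key named above.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
MTU_MIN = 68                # lower bound from the KB text
MTU_DEFAULT = 0xFFFFFFFF    # KB default: use the MTU of the underlying network


def effective_mtu(configured, link_mtu):
    """MTU the stack ends up using, following the KB description above."""
    if configured is None or configured > link_mtu:
        return link_mtu     # absent, default, or larger than the link allows
    return max(configured, MTU_MIN)


def plan_changes(current, target):
    """current maps adapter ID -> existing MTU value (None when not set).

    Returns (adapter ID, old value, new value) for every adapter whose
    value differs from target; the old value is what a rollback restores.
    """
    if not MTU_MIN <= target < MTU_DEFAULT:
        raise ValueError("MTU must be at least %d" % MTU_MIN)
    return [(adapter, old, target)
            for adapter, old in sorted(current.items()) if old != target]


def read_current():
    """Read the MTU value of every interface subkey (Windows only)."""
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        for index in range(winreg.QueryInfoKey(root)[0]):
            adapter = winreg.EnumKey(root, index)
            with winreg.OpenKey(root, adapter) as key:
                try:
                    current[adapter] = winreg.QueryValueEx(key, "MTU")[0]
                except FileNotFoundError:
                    current[adapter] = None     # value not present
    return current


def apply_changes(changes):
    """Write the planned values (Windows only, needs administrator rights)."""
    import winreg
    for adapter, _old, new in changes:
        path = INTERFACES_KEY + "\\" + adapter
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "MTU", 0, winreg.REG_DWORD, new)


if __name__ == "__main__" and sys.platform == "win32":
    plan = plan_changes(read_current(), 1400)
    for adapter, old, new in plan:
        print(adapter, "MTU", old, "->", new)   # keep this output for rollback
    if "--apply" in sys.argv:
        apply_changes(plan)     # restart afterwards so TCP/IP rereads the value
```

Run it without `--apply` first, on the clients and the server, and save the listing so the old values can be restored once the hotfix is installed.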

UPDATE a hotfix has now been released for this, call Microsoft Product Support Services for this FREE HOTFIX:

Network connectivity between clients and servers may not work after the installation of security update MS05-019 or Windows Server 2003 Service Pack 1:
http://support.microsoft.com/default.aspx?scid=898060

Security bulletin 05-019, KB 893066 and VPN issues

Beginning to see some reports of VPN issues with 05-019/KB 893066.  I personally am not experiencing these issues here but it may be due to your router and what not.

Jerry Bryant from Microsoft reminds us that issues with a security patch are a free call in his blog posting of today.  That if you don't call, the issues will not be resolved.  Therefore it's vital that if you experience issues with a security patch to call in.


-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Darryl J Roberts
Sent: Tuesday, April 19, 2005 7:11 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS05-019 Breaks VPN

After installing the update in Microsoft Security Bulletin MS05-019 on
two servers at a customer site, we are no longer able to connect via VPN
to terminal services on those servers. (Other servers that did not have
the security bulletins from last Tuesday installed can connect via VPN.)

After many hours over two days working with Microsoft Product Support
Services, we discovered that forcing the MTU size down allowed the
client to connect to terminal services. Today Microsoft PSS reported
that they have confirmed that there is a problem with ICMP messages being
incorrectly discarded (others have opened PSS cases about this issue).
This could be why the MTU size is not being set correctly.

There will be an update to the patch in MS05-019, but as of this time,
that update is not available. A Microsoft KB article is being written
and has been assigned the number KB898060, but as to this time, that
article is not publicly available.

I will be uninstalling the update for Security Bulletin MS05-019 from
our customer's servers this evening and waiting for the corrected patch
before reinstalling it.

--
Darryl J. Roberts, MCSE, MCP+I, CompTIA CTT+, CSSA
Software Engineering Unlimited, IT Professional Services Consultancy
Ventura, CA, USA

Presentations and webcasts

Thanks to everyone who attended today's Patch Management webcast.  I had great fun in presenting and will let you know when the webcast is up on the web.  Fortunately I was pretty much able to not cough during the presentation [I'm getting over a cold] so I was pleased that I wasn't hacking and coughing my way through the presentation. 

Speaking of presentations, you guys up in Canada know you still have the opportunity to meet up with some of the gang up in Calgary tomorrow. 

And then there's Anne Stanton [newly minted CRM MVP] and Jeff Middleton will be in New York on May 18th and give two presentations:  To sign up for that click here.

NY SBS IT Professional's Group invites you to join them to meet two well respected MVPs.  Jeff Middleton SBS-MVP and Anne Stanton CRM-MVP both are appearing as guest speakers. Do some business networking with other IT Pros before the evening presentations begin, and learn about the members of this SBS group at the same time.

And as always, sign up for Harry Brelsford's SMBnation newsletters where he always keeps up with all the SBS user groups comings and goings.  The Boston, Iowa and New Hampshire SBS user groups all shared a Live meeting presentation given by Scott Colson in Seattle [CRM MVP and a great SBSer].  Which is cool if you think about how three groups around the country shared one presenter.  Great fun!

Kicking up the geek factor

I'm in shopping mode.  No not the traditional female shopping experience... I mean geek shopping mode.  There are two things on my list of things to check out for the office:

  • More mobility
  • More connectivity

What am I talking about?  Well the issue you have when you have people in the firm that don't live close enough into town to get a decent high speed connection.  While Remote Web Workplace is extremely effective, you kinda need some nice high speed access for it to be of business use.  So what's a person to do when you have partners/co-workers that live just far enough away from a decent high speed connection?  Satellite has pros and cons, there is the possibility of cellular using a Sierra Air Card [I still remember a SBS MVP who was in the hospital using his Sierra Air Card to access the internet and IM... the hospital staff let him.  In fact I'm hearing that more and more hospitals are actually installing wireless to allow family members of patients to be able to continue to be able to be connected and yet still be there for a family member]  So if DSL and cable isn't available...what are others doing to provide remote connectivity?

Then I'm in the market for a color copier,scanner,printer that can be attached to the network and provide us with a backup to our HP 8550DN printer.  It will also provide the ability to do color scanning, which is something we haven't had before. On that one, one of the issues that we are very much looking at is supportability by the vendor.  We've had good and bad experiences with various copy machine vendors and what drives our decision making is support.  Can we get a technician in, that knows what they are doing, to fix our 'fill in the blank' so that we have a minimum of down time.  We already have a Konica copier/scanner/printer that we've been happy with so we'll start our investigations there and will probably also look at a Ricoh.  But it is interesting that our decision is definitely guided by support.

You know.. I do need a new workstation here at home...

Cleaning up the desktop here at home before tomorrow's webcast and it reminded me that Chad sent me a reminder that I need a new computer here at home:

I'm tempted... really tempted  :-)

 

Have you checked out all the great stuff at www.mssmallbiz.com?

Today we had a question about OEM software and adding Software assurance to it and the [as always] tireless Eric Ligman already had the answer for us right on the Shared documents page [which btw is a Sharepoint you know] and had the answer.

For the record one of the MAJOR advantages of adding software assurance to an OEM purchase of Server OS or Office is that you can move it.  Don't buy SA and that license is tied to that hardware.

See why I like Software Assurance?  Remember too because I'm on the three year SA plan all the SBS 2003 sp1 cdroms will automagically be sent to me.  Cool, huh?

It's conference season

It's conference season and at the end of June I'll be at the AICPA Technology conference in Las Vegas with Clint Kreitner from the Center for Internet Security talking about Server hardening and benchmarking. 

You know how I started volunteering at CIS don't you?  Because I went looking for the big blue 'secure me now' button.  I thought all I had to do was to find the 'secure me now' button and all of my worries would be over.  But I found there wasn't a secure me button ...and in fact that what I thought was black and white was in fact gray.  I found that I had to do my own risk analysis of what I felt acceptable in my firm.  I had to balance the business needs with the security risks. 

I still have a long way to go.  My workstations are helping a bit more in the battle in that they are running with the XP sp2 firewall 'inside' the network, but I can still do more.. and that's what it's all about.  I keep moving the benchmark.  Today I'm accepting of where I'm at, but tomorrow I probably won't be.

Security isn't a goal, it isn't something you can “achieve”.  It's a process, a procedure, it will keep changing and moving.  I'll keep moving the bar as to what I feel is acceptable risk for my firm.

For those in my CPA geek world, look forward to seeing you there, Mark Minasi and Roger Grimes [both fellow Microsoft MVPs] will be there so I'm looking forward to meeting them both.

Heads up folks - proof of concept released for MS05-021 Exchange patch

Evgeny Pinchuk apparently is under the impression that we need further reason to patch so he released to several security lists a proof of concept for the MS 05-021 Exchange security patch.  Remember while in SBS 2003 we are not as concerned, it IS a concern for SBS 2000 boxes as we don't have any protection between us and the bad guys if port 25 is open.  Put this patch on your critical list.

Remember for Exchange 2000 you will need:

  • Exchange 2000 sp3
  • Exchange 2000 sp3 post rollup pack
  • and then the patch

    SBS Chat tomorrow at 4 p.m. PST

    Don't forget ..... Handy Andy Goodman leads the SBS chat tomorrow at 4 p.m.

    http://mcpmag.com/chats/

    Be there to chat about your Small Business Server issues... I just may have figured out how to get WSUS to find these stupid workstations of mine by then.

    Just a reminder...your patch tool may need a patch

    If you are having issues with Shavlik's HfnetchkPro with the .NET patch and trying to offer up Windows 2003 sp1 when it shouldn't, I forgot to patch my patch tool.  At the office I applied this patch http://hfnetchk.shavlik.com/downloads/shavlik_skb588b.exe but here at home and at first I couldn't figure out why the patch tool/scan verifier I was using here wasn't matching the office and then it dawned on me... I hadn't patched my patch.

    One problem solved...now wish me luck in getting WSUS to see my workstations.

    Mariette had some troubleshooting suggestions:

    Did you run a wuauclt.exe /detectnow on the client? If you have done
    that and this did not work can you do the following:

    - Unjoin the workstation from the Lan
    - Delete the computer account in AD users and computers
    - Delete the computer within WSUS
    - Join the workstation with the Lan the old fashion way (not
    connectcomputer)
    - Run wuauclt.exe /detectnow on the client

    If this works can you try the following:

    - Unjoin the workstation from the Lan
    - Delete the computer account in AD users and computers
    - Delete the computer within WSUS
    - Create a computer account using the SBS wizard
    - Join the computer using the SBS way (connect computer wizard)

    Wish me luck in getting WSUS working here at home.  Right now all it's doing is reinforcing how much I like Shavlik...I'd be done and patched by now rather than trying to get one web site seeing two computers.  Oh well... keeps me out of trouble.

    Sometimes patching is annoying

    So I have this one workstation that just will not install the .NET sp1 patch no matter what I do.... I've Shavlik'd, I've opened up ISA server to all/all/all to ensure that's not the problem and in looking at the Windows Update log file...... what?  You don't know what that is?

    C:\windows Look for a file called Windows Update.log

    Open that sucker up and if you've been having issues with a patch not installing, look for the error messages inside...see that code “0x80070643“?  When I google on that phrase I hit a knowledge base article that is a good Windows Update troubleshooter article:

    You receive error message 0x80070643 when you try to install updates for Windows XP from the Windows Update Web site:
    http://support.microsoft.com/?kbid=836937

    So if you have a patch that just won't... open up that log file and see what's going on with it.

    17:06:29-0700 1 182 101 {AFCFDECF-2B9F-4881-8CFE-F56ED0DD81AF} 100 80070643 WindowsUpdate Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1.
    2005-04-18 17:06:39-0700  968 c54c ISusInternal API failed CClientCallRecorder::DisconnectCall with error 0x8024000c
    2005-04-18 17:06:39-0700 2260 c3a4 ISusInternal::DisconnectCall failed, hr=8024000C
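An added example (not from the original post): a small Python triage script for the log excerpt above. It pulls each failure HRESULT out of the lines, skips GUIDs that merely look like codes, and decodes the facility and code fields; the short name tables are the only lookups included and cover just the two codes seen here plus one common Win32 error.

```python
import re

# Excerpt quoted in the post above, copied as-is from its Windows Update.log.
SAMPLE_LOG = """\
17:06:29-0700 1 182 101 {AFCFDECF-2B9F-4881-8CFE-F56ED0DD81AF} 100 80070643 WindowsUpdate Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1.
2005-04-18 17:06:39-0700  968 c54c ISusInternal API failed CClientCallRecorder::DisconnectCall with error 0x8024000c
2005-04-18 17:06:39-0700 2260 c3a4 ISusInternal::DisconnectCall failed, hr=8024000C
"""

# Update IDs are GUIDs; their first segment can look exactly like an HRESULT.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The log writes failure codes as 0x8......., hr=8....... or a bare column.
HRESULT_RE = re.compile(r"(?:0x|hr=|\b)(8[0-9A-Fa-f]{7})\b")

FACILITIES = {7: "FACILITY_WIN32", 36: "FACILITY_WINDOWSUPDATE"}
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1603: "ERROR_INSTALL_FAILURE"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    meaning = FACILITIES.get(facility, "facility %d" % facility)
    if facility == 7:               # the code is a plain Win32 error number
        meaning += ", Win32 error %d" % code
        if code in WIN32_ERRORS:
            meaning += " " + WIN32_ERRORS[code]
    return {"failed": bool(value & 0x80000000), "facility": facility,
            "code": code, "meaning": meaning}


def triage(log_text):
    """Return one summary dict per distinct HRESULT, in first-seen order."""
    summary = {}
    for line in log_text.splitlines():
        scrubbed = GUID_RE.sub(" ", line)
        # A line often repeats its code (column plus message); count it once.
        codes = {int(m.group(1), 16) for m in HRESULT_RE.finditer(scrubbed)}
        for value in sorted(codes):
            if value not in summary:
                summary[value] = dict(decode_hresult(value),
                                      hresult="0x%08X" % value,
                                      lines=0, first_seen=line.strip())
            summary[value]["lines"] += 1
    return list(summary.values())


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["hresult"], "on", entry["lines"], "line(s):",
              entry["meaning"])
```

The decoded Win32 error for the .NET failure is the number to search on alongside the full 0x code, since the same installer error appears under other wrappers.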

    I'll admit..finally getting back to WSUS

    I'm finally getting back to WSUS and finding some things in the instructions I don't get.  If I follow the WSUS wiki instructions for SBS:  

    WSUS on SBS:
    http://wsus.editme.com/WSUSonSBS

    It says:  

    This means the SelfUpdate and ClientWebService vroots are denied access and the clients do not selfupdate. To grant access to the clients to selfupdate, complete the following steps on the default Web site, and the SelfUpdate and ClientwebService Vroots:
    • Click Properties, click Directory Security, click IP address and domain name restrictions, and then click Edit.
    • Check Granted Access, and then click Add.
    • Select Group of Computers, and then add the IP address subnet mask. (This would allow all your clients within this IP range or subnet mask update from the server).

    If I do exactly that... the server IP address is in the “deny” box and I block myself from WSUS.  Huh?  That doesn't make any sense?

    Also it's unclear that when you add the workstations to the group policy you have to make sure you add http://servername:8530

    ....man is my Shavlik HfnetchkPro way blonder than this.  Click, patch, done.  But even still I was having issues last Friday on two workstations that didn't want to get the .NET patch down and from the Windows Update log file it was apparent it was due to ISA and egress filtering again.  You know about ISA and the V5 WU right?

    You experience problems when you access the Windows Update Version 5 Web site through a server that is running ISA Server:

    Oh well... someday it will be easier.  Microsoft Update is in beta... MBSA beta.... like I keep saying folks..patience...patience....

    In the meantime I'll be talking about patching on Wednesday in a webcast for “Wednesdays on the Web“  Hope to see you there!  Hopefully by then I can figure out WSUS.

    SureWest Anyone? Get ready for email issues

    First Verizon...now word that SureWest will do a mail change... heads up folks!


    Dear SureWest Broadband Customer:
    
    SureWest Broadband is taking positive steps to help combat junk email and
    spam.  In addition to network upgrades, spam filtering and anti-virus
    software, SureWest is implementing outbound email SMTP port controls to
    ensure that its network is as reliable as possible for our customers.
    
    SureWest customers using SureWest mail servers (smtp.surewest.net) for
    outgoing email are not impacted by this filter. Incoming email connections
    are not affected by this filter.  
    
    Customers using a private company, university or hosting provider mail
    server will not be able to send outgoing email from dynamic DSL and Dialup
    connections.
    
    There are two solutions for customers that are impacted by this change.
    
    1. Contact your mail hosting provider for information about using other
    alternative access methods to connect to their mail server, such as VPN,
    Web mail or Outlook Web Access to send outgoing email.  
    
    2. SureWest customers who can not use the preceding alternative may be
    converted to a static IP customer for an additional charge.  
    
    SMTP Port 25 filter does not affect customers using Web mail to any mail
    provider, VPN connections to a private company or university mail server,
    dedicated (e.g. T1/T3 or EtherMan) or "static" IP addresses.
    
    These upgrades are part of SureWest Broadband's continued efforts to
    improve the service we provide to you and make your Internet experience
    the best possible.
    
    Thank you
    SureWest 

    From now on I'm reading Japanese Security bulletins

    Steve Riley has said in presentations that in Japan their security bulletins are much clearer because they use cartoons.

    And he's totally right...check it out.  Go to the Microsoft Japan Security bulletin page and click on the right hand side hyperlinked bulletin and you'll see what he's talking about.

    Here are graphical representations of the bulletins from last week:


    MS 05-016 - Windows Shell


    MS 05-017 Message queuing


    MS 05-018 Kernel


    MS 05-019 TCP/IP


    MS 05-020 Internet Explorer


    MS 05-021 - Exchange


    MS 05-022 MSN Messenger


    MS 05-023 Word


    Just remember after you patch you'll look like this:


    Any questions?

    Start patching!

    [sorry Sean for all the pictures in this post]

    I hate hardware

    Give me a software issue and I can google up a solution... attempt to image my sister's laptop harddrive from the existing drive to a new one....and well, I'm about near to just giving up and installing her operating system from scratch.

    The ghosting software that came with the laptop drive 'should' work but isn't.  Mind you this is the same software that did work for an older laptop I have that I upgraded the harddrive on.  This time, and of course, with my sister's infamous customized Disney desktop hanging in the balance, it's not cooperating.  Right now I'm using the image software to image 'backwards' that is, to go from the already inserted new drive that's inside the laptop to the old drive hanging on the pcmcia attached card.  Then of course I did the geek thing and didn't go to the Dell site to read where to remove the harddrive so, of course, I removed every screw but the ones I really needed to remove the harddrive.  You would think us geeks would learn to read sometimes...but we don't do we? 

    So now the laptop is there in a blue dos-y window imaging the bits from the one drive to the other. 

    The reason I joke about the 'customized Disney Desktop hanging in the balance' is that when I was running the beta for SBS 2003 a couple of years back, every time I build a new build of the server my Sister's desktop would change and icons would be moved and man did she ever hate that.  While you can use the XP file and transfer wizard, and you can copy over the profiles, it's still never quite as perfect as the exact desktop is it? 

    And yet, I'm putting her customized Disney Desktop in jeopardy one more time....as sitting to the left of me is my new baby server that looks like that black one up there that I need to slide in and replace my existing server here at home.  It's a lot faster and peppier than the one here and well, it's just a lot geekier.  It glows a bit purplish blue even.  Believe me, I'm definitely planning the migration method that doesn't require a new domain name otherwise she'd kill me if I messed up her customized desktop one more time. 

    I'll keep you posted how the imaging goes this time....

    So what's been your greatest frustrating hardware experience?

    Do we protect you? I think not.

    "I have lost confidence (if I actually ever had it) in the ability of companies to keep pii secure"

    This thought of “is this a secure way to transmit things“ came to mind today when my managing partner today was mentioning that Attorneys really use email these days...and then he asked “Is that as secure as faxing?”. [With of course the thought being that a direct to direct telephone transfer is probably a smidge more secure than a plain text email sent and bounced through ISPs, routers and what not].  Here's the thing... it 'can' be.  If we would all set up digital signatures and swap public certificates so we could encrypt the email....but we don't.  Why?  Why hasn't this caught on?  Especially in the financial industry?   And why is it that every time I attempt to even try to sign emails digitally, clients call me up going “what is this?”  The day someone asks ME for my digital email certification, I may fall over in a faint.

    I'm sitting here tonight, trying to look at a faxed schedule and wondering if it's a '5' or an '8' I'm looking at.  The reality is that old fashioned analog may be more secure [faxing] the reality is that it's terrible as a readable media.  Just last weekend in fact I took a bunch of original documents of listings of checks, scanned them into a tif file and used an OCR program to convert that listing into numbers that we could use.  Because the numbers were clear and crisp, they could easily be scanned and converted into digital documents.  Faxing doesn't do this.

    Tonight I was going over the process to take an Adobe PDF file and add encryption and password protection so it could be emailed to the client.  While we could fax it, the chances were better that the person on the other end had a computer, email and the free adobe reader program. 

    In today's Senate Judiciary hearings, Choicepoint's CIO said “ We support independent oversight and increased accountability for those who handle sensitive personal data, including public record data;"

    So should we all...all of us who handle your confidential records.  I was opening up a tax file tonight [my own] and couldn't remember the password I put on it to protect it [rats, oh well] and wondered what the raw datafile looked like in note pad when it was password protected. 

    Guess what?

    I could still read the tell-tale marks of a three-two-four number in the notepad that screamed Social Security number.  You do know there are forensic programs that can grep on that three-two-four sequence as it's the traditional number pattern?  And there it was, still in plain view in a notepad file in the tax prep program that the office uses.

    Bet that makes you feel like the Tax industry keeps your records nice and safe, doesn't it?
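    The check described above, as an added example that is not part of the original post: a scanner that reads a file's raw bytes and reports anything shaped like a three-two-four Social Security number, in plain ASCII or UTF-16LE, so you can test whether a "protected" file still carries readable numbers. The sample bytes and the numbers in them are constructed, and the function names are this example's own.

```python
"""Scan raw file bytes for Social Security number patterns (added example)."""
import re
import sys
from dataclasses import dataclass

# 3-2-4 digits with one consistent '-' or ' ' separator, not part of a longer digit run.
ASCII_SSN = re.compile(rb"(?<![0-9])([0-9]{3})([- ])([0-9]{2})\2([0-9]{4})(?![0-9])")
# The same shape stored as UTF-16LE text, where every character is followed by a NUL.
WIDE_SSN = re.compile(
    rb"(?<![0-9]\x00)((?:[0-9]\x00){3})([- ])\x00((?:[0-9]\x00){2})\2\x00"
    rb"((?:[0-9]\x00){4})(?![0-9]\x00)"
)


@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset of the first digit in the file
    encoding: str  # "ascii" or "utf-16le"
    masked: str    # only the last four digits are ever reported


def plausible(area: str, group: str, serial: str) -> bool:
    """Drop 3-2-4 strings that can never be issued as an SSN."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")


def scan_bytes(data: bytes):
    """Return every plausible SSN-shaped string found in the raw bytes."""
    findings = []
    for encoding, pattern in (("ascii", ASCII_SSN), ("utf-16le", WIDE_SSN)):
        for m in pattern.finditer(data):
            area, group, serial = (
                m.group(i).replace(b"\x00", b"").decode("ascii") for i in (1, 3, 4)
            )
            if plausible(area, group, serial):
                findings.append(Finding(m.start(), encoding, "***-**-" + serial))
    return sorted(findings, key=lambda f: f.offset)


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: a made-up "password protected" data file whose fields
# were never actually encrypted. All numbers are invented for this example.
SAMPLE = (
    b"TAXFILE\x01\x00PWD-PROTECTED\x00"
    b"name=J DOE;ssn=123-45-6789;"
    b"ref=000-12-3456;"        # rejected: area 000 is never issued
    b"acct=9123-45-67890;"     # rejected: part of a longer digit run
    + "SSN 219-09-9999".encode("utf-16-le")
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        results = {p: scan_file(p) for p in targets}
    else:
        results = {"<constructed sample>": scan_bytes(SAMPLE)}
    for name, found in results.items():
        for f in found:
            print(f"{name}: offset {f.offset} ({f.encoding}) {f.masked}")
```

    Any hit on a file that is supposed to be password protected means the password gates the application, not the data on disk.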

    Dear Mr. Aitel

    I sent an email tonight...one that won't do any good other than to make me feel better......

    Mr. Aitel is Dave Aitel from ImmunitySec, whose firm has already released a proof of concept for yesterday's security bulletin MS 05-017 [message queuing], and in the email to his “Daily Dave” listserve he taunts Mark Dowd and Ben Layer of ISS X-Force to release the exploit for Exchange [MS 05-021].

    For us in SBS 2000 land this one is a real concern....as we have the port open and we're a bullseye for this one.... remember when you go to apply this you will need [if you don't have the prerequisites already]

    Pardon me while I go off to email Kathryn Quigley, Public Relations Manager for ISS to tell her to tell Mark and Ben to “don't you dare“ release a proof of concept for this.  Not until we've had a chance to patch out here.  It amazes me the lack of responsibility toward businesses that this post from Mr. Aitel showcases.

    Remember for SBS 2003 it is NOT the same concern and thus not the same urgency.  On the 2000 platform an anonymous connection can 'nail' the mail port with this crafted 'verb', but on 2003 it would only be exploitable from authenticated connections [and folks, if some bad guy has authenticated on your SBS 2003...you have way way bigger problems...trust me...like sucky passwords..you know?]

    Bottom line folks...let's patch up those SBS 2000 boxes shall we?  Let's not give Mr. Aitel the last laugh.

     -------- Original Message --------
    Subject:     Let's not egg them on...
    Date:     Wed, 13 Apr 2005 22:26:11 -0700
    From:     Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

    To:     dave@immunitysec.com


    "[Dailydave] mqsvc fun:
    https://www.immunitysec.com/pipermail/dailydave/2005-April/001719.html

    So Immunity released our exploit for mqsvc in CANVAS. It's only rated "Important" but I think it's neat anyways. Next up, I guess Exchange (go Mark Dowd and Ben Layer) and TCPIP.SYS. (go Neel Mehta!) "

    How about let's not.....

    Excuse ME dude...down here in SBS 2000 land where we're still waiting for WSUS to come out can you give us some damn time to muster our troops down here to patch ...come on dude.... these are folks that won't be migrating to Linux [not for awhile anyway] ...and you don't sell your services to us and guess what dude...our port 25 is hanging open on those suckers.....

    This isn't a laughing matter or a race dude... these are small businesses that your firm doesn't sell to, nor are you out in the newsgroups helping folks to patch....you aren't hurting Microsoft ...you are hurting customers of Microsoft... how about NOT egging these folks on and give us community folks time to patch huh?

    As a security firm.... I cannot understand how you can not think of the impact on businesses and the economy here.   If you think this gets you more credibility as a professional firm... it doesn't in my book anyway.

    Yeah yeah... I'm putting my head in the sand that this stuff isn't out there already...but you know what...you don't have to put the gas can and matches out there for a worm to be built.

    To all other vendors/researchers....whatever ...that are building these POCs...just think about that business impact will you?  Consider that...please?

    Sincerely,
    Susan, community member for SBS newsgroups
    and Patcher

    We've got a new cousin! Congratulations Anne!

    As you can tell, I'm sort of big on community, so when a dynamic FEMALE geek joins a community, even if it is a 'cousin' community it feels really special.

     It is my esteemed pleasure to know that the Microsoft CRM MVPs now have added to their ranks Anne Stanton.  In honor of that she's carved out a CRM only blog to pull out those specific things about CRM.  Anne's the kind of person that you step back and go, okay how and when did she go from just being an acquaintance to a good friend, a mentor, an ear, a shoulder...you get the idea.

    Soon Anne will be listed on this page.

    Congratulations!

    Handicapping the bulletins tonight

    For those of you who may not be aware, I do the Patch Watch section of the Windows Secrets newsletter [in the paid version] and Brian Livingston has a very unique way of doing the 'paid' version.  It's whatever you want to pay.  Now that's a “Pay it forward” concept if I ever heard one, isn't it? 

    So in reviewing the patches and the action on the patch management community, there are two in particular that we in SBSland need to really watch out for because they are the HARDEST to patch for.

    That one is a concern because if you don't have a tool like Shavlik, you won't necessarily get the patch.  WSUS is still in beta and you have to manually go to Office Update.  An icky Word document [and how could we get this?  what else via email] can nail a desktop.  Hopefully the A/V writers will have something to help soon.

    Next is the one that SBS 2000 boxes running with SMTP mail [you know you've set it up with MX records and all that] really really need to be aware of:

    Someone banging on our port 25 with some bad crafted 'gunk' could nail our boxes.  Exchange 2003 doesn't have this same issue...it can only be attacked from another Exchange box [which ..obviously we don't have here], but 2000 boxes are a concern.  And as of right now, again we don't have a patch tool that will scan for this. 

    I cannot stress ENOUGH that Windows Updates is NOT enough to patch our boxes.  You must manually install that Exchange patch on your Small Business Server systems.

    Test the patch on your test systems, and if you don't have a test system, hang off for a few days, we'll tell you what we've seen in the community.  Don't forget on April 20th I'll be doing a patch webcast and will specifically talk about what I look for in bulletins to evaluate risk and deployment issues and will use these April bulletins as examples.  See you then!

    Security patches out today

     April 12, 2005
    Today Microsoft released the following Security Bulletin(s).
    Note:
    www.microsoft.com/technet/security and www.microsoft.com/security
    are authoritative in all matters concerning Microsoft Security
    Bulletins! ANY e-mail, web board or newsgroup posting (including this
    one) should be verified by visiting these sites for official
    information. Microsoft never sends security or other updates as
    attachments. These updates must be downloaded from the microsoft.com
    download center or Windows Update. See the individual bulletins for
    details.

    Because some malicious messages attempt to masquerade as official
    Microsoft security notices, it is recommended that you physically type
    the URLs into your web browser and not click on the hyperlinks provided.

    Bulletin Summary:

    http://www.microsoft.com/technet/security/Bulletin/ms05-apr.mspx


    Critical Bulletins:

    Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial
    of Service (893066)
    http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx 
    Cumulative Security Update for Internet Explorer (890923)
    http://www.microsoft.com/technet/security/Bulletin/ms05-020.mspx
    Vulnerability in Exchange Server Could Allow Remote Code Execution
    (894549)
    http://www.microsoft.com/technet/security/Bulletin/ms05-021.mspx
    Vulnerability in MSN Messenger Could Lead to Remote Code Execution
    (896597)
    http://www.microsoft.com/technet/security/Bulletin/ms05-022.mspx
    Vulnerabilities in Microsoft Word May Lead to Remote Code Execution
    (890169)
    http://www.microsoft.com/technet/security/Bulletin/ms05-023.mspx

    Important Bulletins:

    Vulnerability in Windows Shell that Could Allow Remote Code Execution
    (893086)
    http://www.microsoft.com/technet/security/Bulletin/ms05-016.mspx 
    Vulnerability in Message Queuing Could Allow Code Execution (892944)
    http://www.microsoft.com/technet/security/Bulletin/ms05-017.mspx
    Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and
    Denial of Service (890859)
    http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx

    This represents our regularly scheduled monthly bulletin release (second
    Tuesday of each month). Please note that Microsoft may release bulletins
    outside of this schedule if we determine the need to do so. If you have
    any questions regarding the patch or its implementation after reading
    the above listed bulletin you should contact Product Support Services in
    the United States at 1-866-PCSafety (1-866-727-2338). International
    customers should contact their local subsidiary.

    WhooHoo Winnipeg!

     Hold on to your hats folks because they've just added a Winnipeg venue to the Microsoft/SBS MVP Community Groups tour, so now Vancouver, Calgary, Winnipeg, Mississauga and Montreal.... the SBS user group tour is heading your way

     

     

    Vancouver, British Columbia
    Apr 19, 2005
    6:00PM

    SBS Usergroup Workshop - hosted by SBS MVP's
    Audience: IT Professional, Partner, Technology Decision Maker
    Language: English
    Registration Fee: No

    Calgary, Alberta
    Apr 21, 2005
    6:00PM

    SBS Usergroups Workshop - Hosted by SBS MVP's
    Audience: IT Professional, Partner, Technology Decision Maker
    Language: English
    Registration Fee: No

    Winnipeg, Manitoba
    Apr 23, 2005
    1:00PM

    SBS MVPS Community Groups Outreach - Canadian Workshops Tour 2005
    Audience: IT Professional, Partner, Technology Decision Maker
    Language: English
    Registration Fee: No

    Mississauga, Ontario
    Apr 25, 2005
    6:00PM

    SBS Usergroup Workshop - Hosted by SBS MVP's
    Audience: IT Professional, Partner, Technology Decision Maker
    Language: English
    Registration Fee: No

    Montreal, Quebec
    Apr 28, 2005
    6:00PM

    SBS Usergroup Workshop - hosted by SBS MVP’s
    Audience: IT Professional, Partner, Technology Decision Maker
    Language: English
    Registration Fee: No

     

    Four SBS MVPs on tour in Canada invite resellers and consultants who want to understand solutions for small business customers to join together for an evening of presentations and discussion. Each of the SBS MVPs appearing on this tour is an experienced reseller and a community leader. This event is generously sponsored by SBS MVP Jeff Middleton from SBSmigration.com as well as Microsoft, and will be presented in collaboration with your local SBS and Windows Server usergroups.

     

    Content Overview:

     

    Using SBS to empower Line of Business Application

    Presenter: Jeff Loucks (Available Technology)

     

    In this presentation Jeff Loucks illustrates why SBS is the ideal server for a small business seeking big business results with a low-TCO (Total Cost of Ownership) and high-ROI (Return on Investment). As a leading expert on Small Business Server for Line of Business Applications, Jeff has guided end-customers and IT Pros worldwide to success in using products including MS CRM, Microsoft Project, Navision, Great Plains, and Small Business Financials.

     

    Swing Migration: Upgrade SBS servers on weekdays, take the weekends off!

    Presenter: Jeff Middleton (SBSmigration.com)

     

    This blockbuster presentation Jeff introduced last fall was rated by attendees as best of Reseller Summit 2004 Tour in Australia, and the best SMB Nation 2004 technical session. Replacing a Windows or SBS Server transparently, open timeline, same domain, no workstation impact…this migration method rocks!!

     

    Open Forum Discussion on SBS Business and Technology Issues

    Canadian SBS MVP’s Cal McLennan and Les Connor will lead some open topic discussion, bringing the newsgroup experience to the setting of a user group meeting. Choose your own topic, or jump into someone else’s question with whatever ideas or concerns you want to put on the table for debate.

    Getting rootbound and needing a bit of repotting

     

    Time flies doesn't it?  Just over a year ago a tiny seed was planted and nurtured and the plant grew.  Its leaves stretched out to see the sun and it reached up towards the sky.  Now a year later, the plant looked around and realized it needed a new pot to grow in.  Something bigger and better.  More room to spread out its roots and get bigger.  It needs a bit of repotting.

    I think it's only fitting on a sunny spring day where the birds are chirping and the leaves are coming out in full force on the trees that I get word that someone is getting a bit root bound and moving pots.... or locations as the case may be.

    What started out in a sheltered location in the center of the country is now branching out to touch the entire nation.

    The tireless Eric Ligman is off to join the U.S. Small Business Team in Redmond.  This September, that means he'll have no excuse not to be there for those SBS hugs and handshakes at SMBnation.

    Like Eric says.... now is definitely the time to be a Microsoft Small Business Partner!  So tell your peers and anyone else you know who offers Microsoft solutions to the Small Business segment to get onboard.

    1) Become a Microsoft Registered Partner:
    http://www.microsoft.com/partners
    2) Join the Microsoft Small Business Channel Community: http://www.mssmallbiz.com
    3) Join the Small Business Partner Engagement Program:
    https://partners.microsoft.com/pep/SmallBusiness

    Thank you too Eric, Senior Manager - U.S. Small Business Group for Community Engagement and here's to you and your family having a very very wonderful day! 

    And congratulations on your new pot.

    If you are on XP sp1 you won't wake up with XP sp2 tomorrow

    Dear Microsoft/WagEd/whomever was in charge of your communication on the “expiring blocking mechanism of 4/12/2005”:

    Next time, can you try to do a better job of communicating than you did?

    Your article here is totally confusing, misleading and, quite frankly, scares people.

    Conversely, Paul Thurrott's article here gives the facts:

    “However--and this is the most important point--Automatic Updates won't automatically install SP2 at that time. Instead, you must first agree to the End User License Agreement (EULA) before SP2 will install via Automatic Updates. If you decline the EULA, SP2 won't install. End of controversy.”

    For those folks who also say that they'd love to install it but their vendors won't support it yet, do me a favor and send them this link:

    Windows Application Compatibility Toolkit

    The Application Compatibility Toolkit (ACT) 4.0 was designed to help IT Professionals minimize the risks associated with changes to the operating system and to deploy Windows XP SP2 quickly so they can realize the value of the investments Microsoft has made in securing the desktop from threats such as viruses, worms, and spyware.

    Remember what has been said before about XP sp2 -- this is a WIN for the Security guys.  So get your vendors [who obviously don't seem to be into security now, are they?] to help you get your desktops to be part of your security protection system.

    April 12 should not be a day of concern for you, rather it should be the day you put your vendors on notice that it's time for them to pick up the ball.  I can understand if you can't find the vendor anymore, but folks, if you have a vendor that is on the record for not supporting SP2, that vendor needs to get a clue.  They need to help you, help us out here get more secure.

    XP sp2.  If you don't have it installed.  Do it.

    If it's because of vendor support, start pressuring them.

    It's time.

    To all those people on my IM listing

    To all of the people on my IM listing who've had to suffer through my long 'tag' lines on IM...they are no more.  I upgraded to MSN 7 so that the tag line is no longer something that wraps around in IM windows.  It's now in the “personal message“ screen area.

    So like today instead of “Susan B. SBS-MVP aka “Ebitz” - so exactly what was that on Camilla's head” which is what my tag line on MSN 6 looked like, now it only says “Susan [SBS-MVP]” and the rest [which still questions what exactly that was on her head] is down below, so that when the IM chat session is going on, you don't have that whole thing wrapping its way into the conversation.

    Actually I may need to revise my tag line upon seeing what Laura Parker Bowles had on...okay so what is THAT?  I think I'm glad I'm an American where we don't even know how to spell the word millinery let alone worry about wearing it.

    ...so ...what's the funniest or silliest or wacko-est tag line you've seen on an IM window?

    So how do you handle patch day?

    Next Tuesday is patch Tuesday.

    Okay ...you folks reading the blog BETTER know what Patch Tuesday is.  It's the day that patches come out...security patches.  Microsoft Security patches to be exact. 

    We already know there are indeed bulletins this month, some critical, some need a reboot.  So how do you handle Patch Tuesday?  Or even get prepared for a Service pack installation?  Want to know how I do it?

    April 20, I'll be doing a webcast on Patch Management for the SBS world. [right now that title doesn't say anything but trust me... that's my event].  And what will I be talking about?

    • How to read a bulletin
    • Risk ratings
    • How to set up a testing environment
    • Key clues to look for in security bulletins that may warrant additional review [hint what I'm going to point out here is key files and what they've historically meant in prior patches]
    • Deployment strategies
    • Making sure you can roll back
    • Resources for 'ooops that wasn't so good'
    • And community resources for patching [where to get good information]

    I will be talking about WSUS and other patch tools as well as talking about getting ready for SBS 2003 sp1.  For example, one thing that Dell customers using Dell OpenManage 4.3 and earlier should be aware of is that you will need to wait for the release of Dell OpenManage 4.4 before you deploy SP1:

    Dell OpenManage version 4.4 is the first version that supports SP1. Make sure you upgrade your OpenManage to version 4.4 before installing SP1. Dell plans to release version 4.4 in late May 2005.

    So join me on April 20th for some discussions on “Handling Patch day”.

    So what's YOUR excuse?

    Dual monitors means I multitask.... doing a spreadsheet on one screen, got last year's TechEd DVD content playing on the other [geek radio you know].  And I'm listening to Steve Riley's presentation on the changes in XP sp2...and he says that the computing industry is in its infancy really.

    Think about it...it's true isn't it?  It's really only about 40 years old and the things we've relied on were truly built in an age that we trusted a lot more than we do now...and thus, because the world in which computers live is less trustworthy than the world that the underlying architecture was built for and intended for, we need to change, to update how we do things.

    He goes on to predict that we might even see some more RPC issues crop up [you remember 03-026/03-029 Blaster right?] because the underlying architecture on what RPC was based on assumed we could trust the network.  But we can't anymore, can we?  He goes on to say that the move to making sure that you can trust a machine with your life [aka trustworthy computing] is about a 10 year process...and they've just begun.  RPC Interface Restriction is just one of the first steps.  And he finishes it out by saying:

    “This [Windows XP sp2] It's a victory for the security guys.  It's a step to get your hosts [desktops] become participants in the security stance of your organization.”

    Hmmm... interesting... so if XP sp2 is a win for the security guys....

    So what the heck are YOU waiting for? 

    You heard me.... why haven't 75% of you deployed it yet?  Why has only 1/4 of those on Windows XP rolled it out?

    You know your desktops are your weak spots, why haven't you empowered them with all the layers you can to protect them?

    You know .... someone was asking in the newsgroup about upgrading from SBS 2000 to SBS 2003 and whether they should upgrade and you know.... it truly isn't just about the killer app of Remote Web Workplace to me.  It's also about Security.  About the better patching experience I've had.  [truly I do mean that]  Someone on a listserve mentioned that IIS 6.0 was rock solid.  That while they have attacked boxes, they've gotten in via poorly written applications and not via the native IIS.

    That's why you should upgrade to Windows 2003/SBS 2003 and Windows XP sp2.  Because truly both platforms are a win for the Security guys.  And soon for us, our own service pack, SBSers SP1.  I've literally seen the Data Execution Prevention mechanism where a potential buffer overrun is flagged [in my case it was a major update to the Trend virus engine that needed to be 'approved' as a DEP exception], I've seen the impact of the firewall as the system is built.  The changes in XP sp2, in Windows 2003 sp1, the beginning of the bandwagon for LUA for Longhorn.

    Like this feature for example....

    Post-Setup Security Updates (PSSU). Servers are vulnerable in the time between installation and when the latest security updates are applied. To counter this, Windows Server 2003 with Windows Server 2003 Service Pack 1 blocks all inbound connections to the server after installation until Windows Update has run to deliver the latest security updates to the new computer. This feature also guides administrators through Automatic Update at the time of first log on.

    Do you realize that never again will a box be nailed with Code Red/Nimda as it's being built?  Wow, I mean how cool is that?

    So if you aren't on XP sp2, if you aren't getting prepared for SBS 2003 sp [don't install Windows 2003 sp on our boxes], why aren't you?

    SBS MVPs Community Groups Outreach – Canadian Workshops Tour 2005

    Left to Right, The Four Musketeers, Jeff Loucks, Cal McLennan, Les Connor and Jeff Middleton

    Just a reminder...spots are going fast for the MVP - the Four Musketeers Tour, better known as the

    SBS MVPs Community Groups Outreach – Canadian Workshops Tour 2005

    Just a reminder that Vancouver's event location in fact has now moved to a local hotel in order to accommodate more people.

    For those in Calgary, Toronto and Montreal, the sooner you sign up the more you are ensured that you won't be standing room only.  Remember these aren't your normal presentations from a 'talking head'.  These are folks that are consultants who walk the walk and talk the talk. 

    Have to install a line of business application?  I mean isn't that what drives the business in the first place?  You'll want to listen to Jeff Loucks' presentation.  Have to migrate from one server to another?  Jeff Middleton's your man with a process that means that the desktops see no [or very very little] impact.  Then Les Connor and Cal McLennan [two of the best SBS technicians around] will lead you in a SBS discussion.

    During April 2004, this first-of-its-kind series of Canadian events will bring IT Pros to meet with IT Pros across Canada. This is being made possible by Microsoft, SBSmigration.com, and the local chapter professional groups hosting meetings in each of the following event cities:

     

    Event City | Dates | Event Location | Local Group Chapter | Register / Contact Info
    Vancouver | April 19 | The Fairmont Waterfront, 900 Canada Place Way | VANTUG, John Eyre & Graham Jones | Vancouver
    Calgary | April 21 | 2nd Floor MS Building | CITPUG, Bil Simser | Calgary
    Toronto | April 25 | MPR room B – MS Mississauga | TWSUG, Cal McLennan | Toronto
    Montreal | April 28 | Centre Mont-Royal | MITPRO, Mitch Garvis | Montreal

    [For more information, see the prior post]

    DNS, poisoning, pharming attacks and the SBS impact [part one - background information]

    If you are a fan of www.incidents.org like I am, you've been wondering if you should be worried about all this DNS cache poisoning aka Pharming that's been going on.  As they state in today's entry:

    http://isc.sans.org/diary.php?date=2005-04-07

    (Note: Windows systems are not protected even with their magic registry entry IF they trust an upstream dns system that doesn't clear additional dns records from the answer to the query and site the article.
    - upgrade to the right SP on W2K
    - not forward to vulnerable windows DNS caches
    - not forward to pre-BIND9 bind DNS caches

    If you know anything at all about how SBS is set up in our default wizardized mode, we set up DNS forwarders.  Okay, so I know I have my DNS set up to Pacbell's DNS forwarders:

    So of course the first question I am asking myself is ...okay..what version of either Microsoft DNS or BIND does Pacbell run?  I “AM” an SBSer that forwards to their DNS.  I emailed their tech support last night... [okay yeah that's a vain hope that I'll get an authoritative answer..still waiting on an answer].  So in asking the real gurus like Andrea “ObiWan“ Zenobi, Microsoft MVP in Windows Server and Networking, he did a check on a server at Pacbell and found that the server at 206.13.28.11 is running BIND 8 not BIND 9. 


    dig pacbell.net NS

    ;; QUESTION SECTION:
    ;pacbell.net.                   IN      NS

    ;; ANSWER SECTION:
    pacbell.net.            69218   IN      NS      ns1.pbi.net.
    pacbell.net.            69218   IN      NS      ns2.pbi.net.

    ;; ADDITIONAL SECTION:
    ns1.pbi.net.            84814   IN      A       206.13.28.11
    ns2.pbi.net.            69218   IN      A       206.13.29.11

    using http://www.rfc.se/fpdns/  to fingerprint the two nameservers above

    fpdns.pl 206.13.28.11
    fingerprint (206.13.28.11, 206.13.28.11): BIND 8.2.2-P3 -- 8.3.0-T2A

    fpdns.pl 206.13.29.11
    fingerprint (206.13.29.11, 206.13.29.11): BIND 8.3.0-RC1 -- 8.4.4


     

    Hmmmm, that sure looks like a pre-BIND9 to me, doesn't it to you?  Okay, so now I know that I'm forwarding to an ISP that probably uses a BIND version that does not automatically protect me by scrubbing its DNS records before it transfers them back down to me [unlike the default configuration of Microsoft DNS servers after Windows 2000 SP3].  Not knowing if PacBell's computer tech team is as wacko on patching as I am, I'm starting to do a bit more investigation.

     

    Note If a DNS server has been configured to forward resolution requests to another server, establishing a child-parent relationship, the child DNS server could still be vulnerable to DNS cache pollution attacks performed against a parent DNS server if that server is not performing DNS cache pollution protection. By default, Microsoft DNS servers, using Windows 2000 Service Pack 3 or later, acting as a parent in a child-parent relationship will fully perform cache pollution protection. Therefore, make sure that all DNS servers in an organization have DNS cache pollution protection enabled.

     

    The reality is... I'm a “child server” here dependent on the “parent”, in this case, my ISP, to be this scrubber.  I don't know about you, but if I can't vouch for the patch status of 'those servers' like I can my own, we're going to be making changes in how DNS is set up in my SBS box.
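    Why the child depends on the parent to do the scrubbing, as an added example that is not from the original post, Microsoft or ISC: a simplified model in which a resolver with cache pollution protection keeps only records that fall inside the zone it asked about, while a forwarding child has to accept whatever its parent hands back. The `Resolver` class, the `.example` names and the documentation-range addresses are all constructed for this illustration; real DNS servers apply more checks than this one rule.

```python
"""Simplified model of DNS cache pollution reaching a child through its forwarder."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RR:
    section: str  # "answer", "authority" or "additional"
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or sits underneath it ("" is the root)."""
    n, z = normalize(name), normalize(zone)
    return z == "" or n == z or n.endswith("." + z)


def scrub(zone: str, records):
    """Split a reply into (kept, dropped) records for the zone that was queried."""
    kept = [rr for rr in records if in_bailiwick(rr.name, zone)]
    dropped = [rr for rr in records if not in_bailiwick(rr.name, zone)]
    return kept, dropped


@dataclass
class Resolver:
    protect: bool                            # cache pollution protection on or off
    forwarder: Optional["Resolver"] = None   # parent server, if this is a child
    cache: dict = field(default_factory=dict)

    def learn(self, zone: str, records) -> None:
        """Cache the A records of a reply received while resolving inside `zone`."""
        if self.protect:
            records, _ = scrub(zone, records)
        for rr in records:
            if rr.rtype == "A":
                self.cache[normalize(rr.name)] = rr.rdata

    def resolve(self, qname: str):
        """Answer from cache, else ask the forwarder. None means 'not cached'."""
        key = normalize(qname)
        if key not in self.cache and self.forwarder is not None:
            answer = self.forwarder.resolve(qname)
            if answer is not None:
                # A forwarder is asked about every name, so its bailiwick is the
                # root: the child's own protection has nothing to reject here.
                self.learn("", [RR("answer", qname, "A", answer)])
        return self.cache.get(key)


# Constructed reply from a hostile server that is authoritative for
# attacker.example only, with one extra record for somebody else's name.
POISONED_REPLY = [
    RR("answer", "www.attacker.example.", "A", "192.0.2.10"),
    RR("authority", "attacker.example.", "NS", "ns1.attacker.example."),
    RR("additional", "ns1.attacker.example.", "A", "192.0.2.53"),
    RR("additional", "www.bank.example.", "A", "203.0.113.66"),  # out of bailiwick
]


def simulate(parent_protects: bool):
    """Return what a protected child ends up caching for www.bank.example."""
    parent = Resolver(protect=parent_protects)
    child = Resolver(protect=True, forwarder=parent)
    parent.learn("attacker.example.", POISONED_REPLY)
    return child.resolve("www.bank.example.")


if __name__ == "__main__":
    print("parent without protection ->", simulate(False))
    print("parent with protection    ->", simulate(True))
```

    In the unprotected case the child's own setting is switched on and it is poisoned anyway, which is the forwarder dependency described in the note above.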

     

    The IT-ISAC paper on DNS Cache poisoning that I just got today says the problem was multi pronged [with my comments added]. 

    “There were four broad categories of affected systems:

    • Unpatched Symantec Firewalls - Classic DNS cache poisoning through use of appended bogus answer records in unsolicited DNS replies.  Solution:  Patch
    • Older versions of DNS servers running Windows NT or Windows 2000 prior to SP3 [hello people again PATCH].  KB 316786 has details on how to protect older systems.
    • Unix and Windows systems simply compromised... remember class how we clean a compromised system?  Remember why we patch?
    • Up to date Windows DNS servers were poisoned in spite of having the latest patches - this final category [they said in the sheet] was the most troubling since there was no known mechanism for the poisoning.

    One of the incidents research that fit into category four revealed that the DNS server was configured with a “forwarder” (a designated system to which DNS requests are forwarded).  This is a normal practice in tightening down and marshalling DNS in larger enterprises where all DNS is channeled through larger DNS servers for caching and traffic control.  In this case, the designated target forwarder was an unpatched Symantec firewall.”

    Remember also that “our” default recommended way in SBSland is to use forwarders.

    First off, remember that you do not need those entries in there in the first place.  They were used at a time when we had slow connections and needed to rely on such things, now we can just let root hints take their place.  So the first thing you can do if you are a paranoid Chicken Little like I am and don't trust your Telephone company's operating systems, is to rerun the Connect to Internet Wizard and remove those forwarders.

     

    There's one more step I'm planning on doing [first on the test server at home before doing it here].  Obiwan also has a suggestion to move from Roothints to Slave-Root mode.  Stay tuned for Part 2 of “DNS, Poisoning, pharming attacks and SBS impact” coming to a blog near you.

     

    RFC 2136 and RFC 2870 talk about DNS, along with a bunch of RFCs here.  Along with:
    - Windows DNS http://support.microsoft.com/?kbid=323380
    - BIND DNS http://www.cymru.com/Documents/secure-bind-template.html
    - and an oldie but goodie here:  http://www.securityfocus.com/guest/17905

    Troj_Small.AFG alert out there today

    The newsgroup today had reports of this Trojan file... a browser helper object... being reported on systems.  And at first we were wondering if it was a false alarm... but it appears to not be one.

    Now I'm not saying I'm perfect here at the office but I do try to be proactive, and if you'll notice I don't have too many tips and tidbits about cleaning up malware [other than I personally would be having a heart attack and flattening the system because I wouldn't personally trust it anymore].  Besides all of the critical data isn't on the desktop....remember?  It's on the server in SBSland anyway.

    But here is some cleanup information that may be of help:


    Courtesy of MVP Bob Cerelli:  http://www.onecomputerguy.com/ie_tips.htm#winsock_fix

     

    If no Internet application like IE, Outlook Express or other browsers are working, it may be due to corrupted Winsock registry entries.  First make sure you can connect to the Internet.  Ping a web site by name (e.g. ping www.yahoo.com).  If you get a response back, then you can connect to the Internet.

    The basic steps are to:

    - Delete the corrupted Winsock registry entries
    - Import clean ones
    - Reboot the computer

    For Win98:

    Remove the old registry entries - Download Registry Entry
    http://www.onecomputerguy.com/reg/xp_del_winsock.reg
    Import the correct registry entries - Download Registry Entry
    http://www.onecomputerguy.com/reg/win98_winsock.reg

    For WindowsXP:

    Remove the old registry entries - Download Reg file
    http://www.onecomputerguy.com/reg/xp_del_winsock.reg
    Import the correct registry entries - Download Reg file
    http://www.onecomputerguy.com/reg/xp_winsock.reg

    For Windows2000:

    Remove the old registry entries - Download Reg file
    http://www.onecomputerguy.com/reg/xp_del_winsock.reg
    Import the correct registry entries - Download Reg file
    http://www.onecomputerguy.com/reg/winsock_2k.reg

    For Windows ME:

    http://www.onecomputerguy.com/ie_tips.htm#winsock_fix

    From MVP Jim Byrd:

    #########IMPORTANT#########
    Before you try to remove spyware using any of the programs below, download both a copy of LSPFIX here:
    <http://www.cexx.org/lspfix.htm>

    AND a copy of Winsockfix for W95, W98, and ME
    http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
    Directions here:
    <http://www.tacktech.com/display.cfm?ttid=257>

    or here for Win2k/XP
    <http://files.webattack.com/localdl834/WinsockxpFix.exe>
    Info and download here:
    <http://www.spychecker.com/program/winsockxpfix.html>
    Directions here:
    <http://www.iup.edu/house/resnet/winfix.shtm>

    The process of removing certain malware may kill your internet connection. If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you to regain your connection.

    NOTE: It is reported that in XP SP2, the Run command

    netsh winsock reset

    will fix this problem without the need for these programs. (You can also try this if you're on XP SP1. There has also been one, as yet unconfirmed, report that this also works there.) Also, one MS technician suggested the following sequence:

    netsh int reset all
    ipconfig /flushdns

    See also: <http://windowsxp.mvps.org/winsock.htm> for additional XPSP2 info/approaches using the netsh command.
    #########IMPORTANT#########

    Don't forget to try out the Microsoft Anti Spyware beta. 
    I've been very pleased with it here on the machines 
    in the office...and I didn't get any Troj_Small.afg's today.
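The Winsock repair notes above reset or rebuild the provider catalog; before doing that, it helps to see which providers are registered and which chains run through them. This is an added example, not code from this post or from the MVP notes it quotes: it parses saved `netsh winsock show catalog` output (XP SP2 and later) and lists providers outside a baseline, plus the protocol chains that pass through them. The sample catalog text, the baseline DLL set and all function names are constructed assumptions.

```python
import ntpath

# Constructed sample, modelled on `netsh winsock show catalog` output.
# It is not taken from a real machine; field labels are assumed from that command.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Toolbar LSP
Provider Path:                      C:\Program Files\ExampleToolbar\extlsp.dll
Catalog Entry ID:                   1014
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Toolbar LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleToolbar\extlsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain:                     1014 : 1001

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider Path:                      %SystemRoot%\System32\mswsock.dll
"""

# Assumption: provider DLLs expected on a clean machine. Build the real list
# from a known-good box of the same OS and service pack level.
BASELINE_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}
SYSTEM_DIR = r"%systemroot%\system32"


def parse_catalog(text):
    """Split the catalog dump into one dict of fields per entry."""
    entries, current, previous = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"-"}:
            # A dashed rule follows each entry title, so it starts a new entry.
            current = {"Section": previous}
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as C:\... contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        if line:
            previous = line
    return entries


def is_expected(path):
    """True when the provider DLL is a baseline file in the system directory.

    Paths not written in the %SystemRoot% form are reported for manual review.
    """
    directory, name = ntpath.split(path.lower())
    return directory == SYSTEM_DIR and name in BASELINE_DLLS


def review(text):
    """Return (providers outside the baseline, chains that pass through them)."""
    entries = parse_catalog(text)
    unexpected = [e for e in entries
                  if "Provider Path" in e and not is_expected(e["Provider Path"])]
    suspect_ids = {e["Catalog Entry ID"] for e in unexpected
                   if "Catalog Entry ID" in e}
    chains = []
    for e in entries:
        ids = [p.strip() for p in e.get("Protocol Chain", "").split(":") if p.strip()]
        if suspect_ids.intersection(ids):
            chains.append((e.get("Catalog Entry ID"), ids))
    return unexpected, chains


if __name__ == "__main__":
    unexpected, chains = review(SAMPLE_CATALOG)
    for e in unexpected:
        print("review:", e.get("Catalog Entry ID", "-"), e["Provider Path"])
    for entry_id, ids in chains:
        print("chain", entry_id, "passes through", " -> ".join(ids))
```

A chain that still references a provider whose DLL has been deleted is what leaves the machine without connectivity, which is why the catalog is repaired or reset rather than the file simply removed.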

    Trial Balloon? How about an Attack Squadron?

    The Security mentor says they may have to give a Medal of Cluefulness award to Microsoft for their Trial Balloons about something called “least-privileged user account” or LUA.

    Trial Balloon?  Trial Balloons are what you send out if you aren't quite sure if the idea will work and you 'float it out there' to see if it's going to be shot down or not.  This isn't a trial balloon...I'd say get ready to see an attack squadron on the horizon.  I can hear the low droning sound of a squadron of planes off in the distance now as a matter of fact.

    But here's the catch.  I still say we have to help.  This is do-able...tractable [new word for the blog]... but we as consumers of software have to help out here.  We have to tell our vendors now to get a clue of their own and start coding 'now' with this LUA in mind.  More and more people are asking about 'how do I get desktops to run in user mode' and I'll be the first to tell you.... it flat out is not easy for some of this software.  ClassesRoot...man.... do some software vendors love to put their hooks into classesroot in such a messy way that you have to open up the reg key carefully in there.  Regmon and Filemon are two tools we have but we should also push our applications developers to just natively handle this.

    If you are out there and are still saying that Microsoft needs to get better on security ... then how come only 25% are on XP sp2 nearly 6 months after it shipped?  Why aren't you testing Windows 2003 SP1? [And that comment is directed toward non-SBSers because as we know, we have our own to come out later]

    I think we need to have International XP sp2 install day.  And for the record ...that day ISN'T April 12.  Let me say again for the umpteenth time....borrowing from Paul Thurrott  "However--and this is the most important point--Automatic Updates won't automatically install SP2 at that time. Instead, you must first agree to the End User License Agreement (EULA) before SP2 will install via Automatic Updates. If you decline the EULA, SP2 won't install. End of controversy. "

    Secondly, the reports I've seen that state that Windows 2003 SP1 is being automatically applied aren't right either.  Even on normal servers it isn't automatically coming down... it needs human interaction either through Windows Update, or the admin approving SPs on SUS.

    Bottom line.... I hear a squadron of change coming... I'd say our vendors need to get ready... don't you?

    The 'right' way to install SBS 2003

    SBS 2003 has a very scripted, wizardized install.  Thus the way I've always installed it [straight install, no migration, nothin'] is to stick in disk 1 and go grab a book to read [while not out yet, when it comes out you might try Dr. Jesper Johansson and Steve Riley's book].  Once disk 1 is done, I stick in disk 2 and so on.  Or if I have a DVD and DVD drive [but not a dvd burner as that's not a backup platform in my book], I just read the book and enter in the info when prompted. 

    I “might”, on new hardware that I've never used before, stop after disk one and make sure the hardware devices are all loaded up with no “!” in the way, but I'm certainly not installing disk 1, patching the base of Windows 2003 and then sticking in disk 2 and going on.

    It will be a bit funky for the folks 'right after' SBS 2003 sp1 comes out because of the fact that you won't have the slipstreamed media.  But pretty soon you'll have the SBS 2003 with SP1 and then you'll just install the cdroms [or dvd] and sit back and read a book.

    Bottom line don't stop the install.  Let it run.  Patch the server “only” at the end.


    Followup due to comment:

    To clarify ... at some point in time all media will ultimately be shipped with the Service pack included [you know how you can now purchase a Windows XP with SP2 already slipstreamed? Same concept.  They always do a refresh on the retail and OEM media] 

    So while there will be a time when you will be installing systems with SBS 2003 RTM gold code [as it's called] and then bringing it up to SBS 2003 sp1, at some point in the distribution pipeline, you'll see SBS 2003 with SP1.  Can't tell you how long that takes, but ultimately you will not need to “apply” SP1, it will be included already in the product.

    Also Steven mentioned that he stops after disk one, only to partition the rest of the disks, mount the cdrom data on a drive, and then he finishes the install from that.


    Another followup.. there's this article that states: 

    "Having completed this you will get the SBS Setup Wizard welcome screen. At this stage you should not proceed with the wizard. Instead you should configure the server to support the rest of the installation.

    Before commencing with the installation it is of utmost importance that you install all available patches at
    http://windowsupdate.microsoft.com.

    Otherwise, some components might not install properly."

    Don't follow that advice.  You should ALWAYS complete the SBS install and then and only then go to Windows update for the final upgrading.  At the time that article is recommending that you go to Windows Update you don't have good enough firewall protection in a pre SP1 operating system.  Besides if you followed that advice today, you'd end up with Windows 2003 sp1 on a pre-built box and you need a non SP'd Windows to install Exchange with its SP1 in a specific order.  This advice was a bit of leftoverness from the issue we had with Sharepoint.  We don't have that issue anymore.  And even if you do end up with old media that has the “Sharepoint bug“, you just WU the machine AT THE END of the install routine.

    Again, just let the install do its 'thing' and don't go to Windows Update until the system is fully built.


    Also spotted this:

    Windows Server 2003 Service Pack 1 application compatibility:
    http://support.microsoft.com/kb/896367

    This article contains information about application compatibility testing that was performed for the English version of Microsoft Windows Server 2003 Service Pack 1 (SP1). The Windows Application Experience test teams tested 127 server applications on computers that were running Windows Server 2003 with SP1. This article contains two tables that summarize the results of the tests.

    Heads up ... April Patches!

     
    Microsoft Security Bulletin Advance Notification: 
    http://www.microsoft.com/technet/security/bulletin/advance.mspx
    In response to consumer feedback, Microsoft is expanding the categories
    of information provided in the Microsoft Security Bulletin Advance
    Notification.

    Starting in April 2005, the Microsoft Security Bulletin Advance
    Notification will include the following additional information each
    month:

    - Information about the release of updated versions of the Microsoft
    Windows Malicious Software Removal Tool.

    - Information about any detection tools that are applicable to the
    upcoming security updates.

    - Information about the release of NON-SECURITY, High Priority updates
    on Windows Update and Software Update Services. Note that this
    information will pertain ONLY to updates on Windows Update and only
    about non-security updates being released on the same day as security
    updates. Information will NOT be provided about Non-security updates
    released on other days.

    As part of the monthly security bulletin release cycle, Microsoft
    provides advance notification to our customers on the number of new
    security updates being released and the products affected. This is
    intended to help our customers plan for the deployment of these security
    updates more effectively. We are now expanding the notification to help
    customers better prioritize monthly security updates with any
    non-security updates released on Windows Update on the same day as the
    monthly security bulletins. On 12 April 2005 the Microsoft Security
    Response Center is planning to release:

    - 5 Microsoft Security Bulletins affecting Microsoft Windows. The
    greatest aggregate, maximum severity rating for these security updates
    is Critical. Some of these updates will require a restart. These updates
    will be detectable using the Microsoft Baseline Security Analyzer
    (MBSA).

    - 1 Microsoft Security Bulletin affecting Microsoft Office. The
    greatest aggregate, maximum severity rating for these security updates
    is Critical. These updates will not require a restart. These updates
    will be detectable using MBSA.

    - 1 Microsoft Security Bulletin affecting MSN Messenger. The greatest
    aggregate, maximum severity rating for these security updates is
    Critical. These updates may require a restart. These updates will be
    detectable using the Enterprise Scanning Tool (EST).

    - 1 Microsoft Security Bulletin affecting Microsoft Exchange. The
    greatest aggregate, maximum severity rating for these security updates
    is Critical. These updates will not require a restart. These updates
    will be detectable using MBSA.

    In addition, Microsoft will release an updated version of the Microsoft
    Windows Malicious Software Removal Tool on Windows Update and the
    Download Center. Note that this tool will NOT be distributed using
    Software Update Services (SUS).

    Finally, Microsoft will release two NON-SECURITY High-Priority Updates
    for Windows on the Windows Update site. These will be distributed to
    Software Update Services and are not required to install the security
    updates.

    Although we do not anticipate any changes, the number of bulletins,
    products affected, restart information and severities are subject to
    change until released.

    Microsoft will host a webcast next week to address customer questions on
    these bulletins. For more information on this webcast please see below:

    - TechNet Webcast: Information about Microsoft's April Security
    Bulletins (Level 100)

    - Wednesday, April 13, 2005 11:00 AM (GMT-08:00) Pacific Time (US &
    Canada)

    - http://go.microsoft.com/fwlink/?LinkId=43750

    At this time no additional information on these bulletins such as
    details regarding severity or details regarding the vulnerability will
    be made available until 12 April 2005.

    Thank you,
    Microsoft PSS Security Team

    When monoculture makes sense

    James blogs about the Fortune article on how Linux just hasn't caught on in the medium businesses to match the media coverage.  I agree, even in the small ones.  Not in America anyway.  As a business owner here who doesn't make decisions about whether my firm stays on SBS and Microsoft products just because I'm wacko about it, here's the reality for my sized business:

    It's still a business decision, and one that makes sense from a Security standpoint as well.  And even if I wasn't a wacko SBSer, it would make sense to choose Windows 2003.

    I still say that it's in my best interests to stay on a monoculture platform.

    Patchable.  Soon there will be a Windows Server Update Services coming out... and like I say...while it won't be my perfect SBS patching platform, it will go a long way to making patching in a SBS network easier for SBSers.  [At the same time in full disclosure ... I'm staying on Shavlik just because ... I'm staying on Shavlik... it's like why I stay on Microsoft.  When something works and works well.. I'm not changing].  I know the resources for Security information on this platform, the issues to watch.  I have communities of support information, knowledge on how to test and deploy patches, on how to mitigate threats on this platform.  I wouldn't have the ability, nor the energy, to keep up with multiple platforms [and trust me every platform has issues].

    Supported.  I have way more resources to understand, protect and defend the Windows platform.  My IM listing has technical resources and contacts bar none.  So why would I want to move to a platform where I don't have these resources?  I've been extremely fortunate to be involved in a platform that has close ties to the people in the product support communities. 

    Sometimes it's the knowledge that makes me more secure...not necessarily the platform I'm running.

    Operation Small Business Server Service Pack 1

    Windows 2003 Service Pack 1

    Note: If you use Microsoft Windows Small Business Server, we recommend that you wait to install this service pack until Service Pack 1 for Windows SBS is released later in 2005. For more information, see Windows Small Business Server 2003 and Windows Server 2003 SP1 Known Issues.


    Okay troops.

    There's change in our future.  A service pack is heading our way within 60 days.  It's been amazing to me how people on listservs are applying it with various successes and failures.  Of course the ones with issues are the ones that post...but what's amazing to me is that many say that “They don't have time to call Microsoft to deal with the issues caused by the Service pack”.  Well then...why did you install it if you didn't have the time to deal with the issues?

    Folks this is CHANGE.  And to handle CHANGE you need to plan.

    First.

    Reboot your server.

    You heard me... reboot it.  Everything okay? Good.  Now you can think about applying the SP.  If you can't reboot with no issues, then applying a service pack isn't going to help.

    Next.

    Have a way to get out to the Internet no matter what

    There's a reason that my wireless access is separate from the SBS server because I need a way to get information and data from the Internet should something happen.  Always leave yourself a good back door.

    Next.

    Backup.

    You are going to be changing a lot of bits and bytes... Hello?  You had better have a backup ...you know...system state the whole shebang.

    Fully back up your servers. Your backup should include all data and configuration information that is necessary for that computer to function. It is important to perform a backup of configuration information for servers, especially those that provide network infrastructure, such as Dynamic Host Configuration Protocol (DHCP). When you perform the backup, be sure to include the boot and system partitions and the System State. Another way to back up configuration information is to create a backup set for Automated System Recovery.

    Next

    Test.

    Don't just roll it out on a production server the day SBS 2003 comes out.  [I'm amazed at how folks in SBSland just downloaded that sucker on day one...granted the folks at Microsoft dogfooded it to death, but you COULD NOT have done a backup before you started applying that service pack.]  Then, either try it on a test server first [again for MS partners, sign up for that action pack for this very purpose] or watch the newsgroups where we'll let you know if there's some overriding issue.  But do understand that by the time they reach release ...they have been through a level of testing on a variety of SBS machines up at Redmond.  Remember too, this is a SBS service pack so it truly has been tested on SBS boxes.

    Next.

    Drivers and third party stuff.

    More often than not, your issues [if any] will be caused by drivers and what not.  When I rolled out XP sp2 throughout the office, two computers with digital video cards were my problem children.  I had to boot into safe mode and roll the driver back to the SP1 version and all was well.  Be prepared for finding drivers.  I know at home on my test box, merely applying the Windows 2003 sp1 lost my ancient scsi card that I use to attach an old HP surestor tape drive, thus I need to track down a driver for that before I install it for real at home.  But it's drivers and third party software that more often than not are your issues.  This is why even testing on a VMware doesn't fully capture any issues because sometimes it's specific to your hardware.  As a consultant, this is where standardization on hardware helps you out as you can follow the patterns [if any] that show up.

    Next.

    Don't panic.

    Windows patches come off.  This one does.  Now granted in SBSland it messes a bit with faxing ...but it's totally fixable.  And YOU DO have a backup anyway...right? So don't panic and set aside enough time that 'if' issues arise you can deal with it.  Don't start doing this when you have a short window of time.  Be prepared to call Microsoft support either through customer service at 1-866-PCSafety or through Microsoft partner portal, and get help.  Many times Service pack installation issue calls are a free call.

    Lastly.

    Don't have the server autoupdate

    Not for this, this one is too big and some parts of it [especially the Premium version] will need cdrom media for the ISA 2004 part of the installation [remember this will be available for shipping, media, handling charges for owners of SBS 2003 premium boxes], so if you are using Automatic updates and allowing the server to auto reboot....well....stop doing that.  You truly want to only install things when YOU want to...not second Tuesday of a month.  At this time all I know is that normal Windows 2003 sp1 will be coming down via autoupdate in July.  I've not heard the plan of attack of how “Operation SBS sp1“ will unfold but if Automatic updates is in any way part of the action plan... please don't use that as your main install vehicle...not for this one, it's too important. 

    You really and truly want to install this SP exactly 'when' you want it, preferably...

    • ....after a reboot
    • ....with a backup Internet access
    • ....after a backup [with system state]
    • ....after a test
    • ....with needed drivers
    • ....and being calm about it.

    So how about it troops?  Are we about ready?  Within 60 days, Operation SBS sp1 will begin!

    The Coffee Machine

    We have a Keurig coffee pot machine on loan in the office from Yosemite Waters.  It makes one cup at a time.  We're trying it out to see if we like it.  We've already heard a lot of great things about it, including the story of one Attorney who tried it in an office in Atlanta where he was visiting and when he got back home he called up the vending company to install it at his office. 

    They have different sizes of the coffee maker, one for smaller firms, and one for larger ones.  They provide you with all sorts of different flavored coffees and teas so it's very flexible and everyone is happy with their own type of coffee.

    We're liking it so much we're probably going to keep it.


    Okay so what the heck does this have to do with Small Business Server and technology?  Is this another blog entry of a personal boring nature that blog authors drift off into?  Why does Susan think that a discussion about coffeemakers would be interesting to SBSers?  I think the Mountain Dew has gone to her head.  Has Susan gone mad? 


    ...okay let's not answer that last one....but think about how that Coffee maker just got 'sold' to my firm and how it might relate to how a Server is sold in a firm.

    • Word of mouth

    We first heard about the coffee maker through other users of it.  They loved it.  We didn't take action on it then, but the seed was planted.  Time and time again, in my firm technology gets sold on the golf course, on the plane, in the meeting room, around the water cooler.  So much of the geek stuff “has“ to be seen in action.  There are even times that I have to internally “sell” it, so I make sure my 'near uber geeks' have a really nice technology experience with the use of the mobility features and they in turn 'word of mouth' it internally to others.  

    • Trial use

    Now I'll be the first to admit that I personally have a hard time seeing the value in installing a test network; attaching machines to a domain and then ripping it back out again is too much work for me, especially when I can already see the vision of a network, but there is a trial version of SBS.  It only comes with 5 user licenses but it 'can' be installed and then a full retail version installed over the top of it to 'make it' permanent.  I've personally done this at home on the SBS 2000 platform and it indeed works.  So if you indeed have a small firm that just can't see the need of a server, you might consider the trial version.  Sometimes they have to really see it to understand it.  If you don't want to trial out the server [and I wouldn't], then make sure you have a plan b...that is a firm that is willing to be your showcase client...your 'customer evangelist'.  One that you can take your new client to and show them how the technology works...or... you can also be the 'demo' firm.

    • Technology in bite sized pieces

    Dave said it best the other day, to his boss the 'network' was Outlook and OneNote.  Mess with those and he's not a happy camper.  Don't talk to the business owner about the technology behind the server, the network, show him or her the finished product.  Make sure you have a demo site to log into.  Show the owner what a fully organized Outlook can do.  What a nice looking Sharepoint can be used for.  Don't have one of your own?  How about these?

    1. The Microsoft Small Business Community site [yup it's Sharepoint]
    2. Chad's poor man's CRM
    3. TeamCenter Community
    4. SharePoint Sample

    Other sample sites

    1. Central Piedmont Community College
    2. A demo site I threw up one time
    3. More sites..and yes that link is courtesy of the Google hack site so keep that in mind when you expose Sharepoint

    But don't overwhelm the owner... provide it in single servings.

    • Sales via relationships and relationships for sales

    Yosemite Waters delivers our bottled water.  They did that first.  They added the coffee later.  So maybe you'll start selling in that firm by just fixing one part of their technology.  Maybe you'll build a relationship with a line of business application as a niche market.  The point is something other than 'gee we need a server' drives the sale of that system.  There's a need not being met.  A problem that needs solving.  A business process that needs a better processing than it's getting now.

    • The instructions

    'Stick the container of coffee or tea in and press this button' was all the instructions we needed for us users.  For the Office administrator, she got the instructions on how to clean the machine and keep it in good operation.  Know your audience and once you've installed that system, don't give everyone in the office the same set of instructions because you'll lose the folks that just want to know how to make a cup of coffee.

    I think you get the idea... either the idea that I need to stop talking to myself ...or ways that you can better demo SBS 2003 to clients.

    Give them a cup of coffee with the instructions that they can handle.  Nothing more, nothing less.

    Oh...and one other thing... notice that we buy our tea, coffee and water from a firm that specializes in this?  You might call them 'Water consultants' if you will.  And there is monthly monitoring of the service and how we like things.

    Just another parallel item to think about in how an industry that is a commodity ensures there is a level of service added.

    Monthly monitoring.  Imagine that.

    Oh Canada! The Four Musketeers are heading your way!

    The Four Musketeers -- From Left to Right, Jeff Middleton, Cal McLennan, Jeff Loucks, Les Connor

    I was hoping for a cartoon of some musketeers but this will have to do.  :-)


    SBS MVPs Community Groups Outreach – Canadian Workshops Tour 2005

     

    The Canadian SBS MVPs invite resellers and consultants who want to understand solutions for small business customers to join together for an evening of presentations and discussion. The local chapters of SBS and Windows professional groups across Canada are joining together with sponsorship by Microsoft to bring a group of Microsoft Small Business Server “Most Valuable Professionals” to meet with you. Each of the SBS MVPs appearing on this tour is an experienced reseller and a community leader. You can expect the same no-nonsense expertise on SBS and related technology applications you read in the newsgroups to be brought to this discussion.

     

    You will have a unique opportunity to speak informally or ask technical questions from some well respected MVPs from across North America, including our special guest, Jeff Middleton SBS MVP (US). For this event series (except Toronto), Jeff will be explaining how his Swing Migration method for SBS and Windows server upgrades ends working on weekends or extensive business shutdown.

     

    Toronto welcomes Jeff back to the TWSUG for the second time this year, and a discussion of “Using Group Policy to force Desktop Applications to run without providing Administrator Rights”.

     

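    | MVP Name       | Home City      | Province/State | Home Country  |
    |----------------|----------------|----------------|---------------|
    | Les Connor     | Brandon        | Manitoba       | Canada        |
    | Jeff Loucks    | St. Catherines | Ontario        | Canada        |
    | Cal McLennan   | Toronto        | Ontario        | Canada        |
    | Jeff Middleton | New Orleans    | Louisiana      | United States |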

     

    During April 2004, this first-of-its-kind series of Canadian events will bring IT Pros to meet with IT Pros across Canada. This is being made possible by Microsoft, SBSmigration.com, and the local chapter professional groups hosting meetings in each of the following event cities:

     

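    | Event City | Dates    | Event Location                                | Local Group Chapter              | Register / Contact Info |
    |------------|----------|-----------------------------------------------|----------------------------------|-------------------------|
    | Vancouver  | April 19 | The Fairmont Waterfront, 900 Canada Place Way | VANTUG, John Eyre & Graham Jones | Vancouver               |
    | Calgary    | April 21 | 2nd Floor MS Building                         | CITPUG, Bil Simser               | Calgary                 |
    | Toronto    | April 25 | MPR room B – MS Mississauga                   | TWSUG, Cal McLennan              | Toronto                 |
    | Montreal   | April 28 | Centre Mont-Royal                             | MITPRO, Mitch Garvis             | Montreal                |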

     

    Find out how your business and customer scenarios compare to those of professionals across Canada, North America, and even worldwide.

     

    The SBS MVPs are experienced IT Pros with a unique perspective on SBS gained from working with it personally, and from years of observing others in the global online discussion newsgroups. Don’t miss this chance for a local meeting where you can join in the discussion.

     

    Make your reservation to join us now! Reservation details…more information on the agenda below

    Agenda in Brief

    Meet our Hosts: Local Chapter Professional Group

    The SBS MVPs are offering their time to visit these groups to demonstrate the power and interaction value you can gain from getting involved with professional groups. The local chapter leaders and membership will give you an introduction to their goals, and the resources that are being shared. You will learn of benefits and opportunities available through cooperation with each other, and the Microsoft’s communities team.

    Using SBS to empower Line of Business Application

    Presenter: Jeff Loucks (Available Technology)

    In this presentation Jeff Loucks illustrates why SBS is the ideal server for a small business seeking big business results with a low-TCO (Total Cost of Ownership) and high-ROI (Return on Investment). Jeff works with companies of all sizes to provide solutions in Customer Relationship Management, Project Management, e-learning and Collaboration Systems and Enterprise Resource Planning. As a leading expert on Small Business Server for Line of Business Applications, Jeff has guided end-customers and IT Pros worldwide to success in using products including MS CRM, Microsoft Project, Navision, Great Plains, and Small Business Financials.

    Jeff's presentation identifies the secrets of his success in using both business and technical concepts based upon the Small Business Server platform, when tuned for the customer's Line of Business (LOB) Application needs and business goals. Highlights include:

    Technical Strategies

    • Optimizing Hardware – 5 Mistakes even experienced hardware architects make.
    • Optimizing SBS for LOB Applications – Tuning Exchange, SQL Server, ISA, IIS, and pagefile performance.
    • Application Optimization – Using MS CRM and/or Navision.

    Business Strategies and Case Studies

    • Professional Specialization – Partnering for Success.
    • HGI Industries – A pair of Windows 2003 Servers were redeployed as SBS 2003 with an additional terminal server. The results were a strategic transition at low cost to dramatically improved performance, security, functionality and flexibility by focusing on the strengths of using Small Business Server, Terminal Server and Great Plains together.
    • Direct Plastics Group – How a migration to SBS 2003 from Novell and FTGateMail empowered this business to implement a leading ERP system and empowered them to tackle new markets.

    Swing Migration: Upgrade SBS servers on weekdays, take the weekends off!

    Presenter: Jeff Middleton (SBSmigration.com)

    This blockbuster presentation Jeff introduced last fall was rated by attendees as best of Reseller Summit 2004 Tour given by Microsoft, Hewlett Packard, and Trend Micro in Australia, and the best SMB Nation 2004 technical session. Replacing a Windows or SBS Server transparently, open timeline, same domain, no workstation impact…this migration method rocks!!

    • This unique technical solution can redefine your SMB business and server support model, even put an end to the “business shutdown” or “the long-weekend server upgrade” approach to Windows Server and SBS upgrades.

    • Directly shifting any Windows domain from NT4/SBS 4.x through Win200x over to SBS/Windows 200x becomes possible, even BackOffice 2000 to SBS 2003 while maintaining the original Active Directory. Swing Migration delivers a clean installed Windows OS platform (with or without hardware replacement), retains the same server-name, same domain. Keep the same Exchange Information Store if you like.

    • No user profile impact, ADMT is not required, no SID changes, no UNC namespace break, just a transparent server upgrade that includes the confidence of not impacting the workstations. This documented process keeps a customer’s domain in production, allows a full server replacement for complicated Exchange based organizations on a single domain controller such as SBS operating as a file server as well. Your technician can work offsite, offline, open-timeline and with nothing to undo if unexpected issues arise.

    Open Forum Discussion on SBS Business and Technology Issues

    Cal McLennan and Les Connor will lead some open topic discussion, bringing the newsgroup experience to the setting of a user group meeting. Choose your own topic, or jump into someone else’s question with whatever ideas or concerns you want to put on the table for debate. All the MVPs will be on hand to close the evening with an open chat.

    SBS KBs of interest

    How to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server:
    http://support.microsoft.com/?kbid=895853
    Description of a hotfix that enables Exchange Server 2003 to log an event when a user deletes a public folder:
    http://support.microsoft.com/?kbid=891968
    After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts:
    http://support.microsoft.com/?kbid=896742
    Windows Update stops responding if you click Install to download and install updates for Windows XP or Windows 2000:
    http://support.microsoft.com/?kbid=896227
    You cannot download updates when you access the Windows Update Web site from a Windows XP-based computer that is behind a firewall or a proxy server:
    http://support.microsoft.com/?kbid=896226

    Dear Diva...Rejected in Greenwich

    Dear Diva:

    I got a “Dear Ehlo” letter last night....seems I was rejected.  No hint of a problem in our relationship just all of a sudden he hits me with a #5.5.0 error.  We were going along fine in the relationship and then this.  <Helo command rejected: invalid HELO usually associated with SPAM> is all he sends me. 

    How should I go about repairing this relationship?

    Signed.... Rejected in Greenwich.

    Dear Rejected:

    First off have a Kleenex and dry your eyes dear, you are not the first to get a #5.5.0 rejection, nor will you be the last.

    A #5.5.0 rejection is defined as follows:

    Possible Cause: Generic protocol error (SMTP error), e.g. the remote SMTP server responds to our EHLO with a 500-level error, and the sending system will QUIT the connection and report this with an NDR indicating the remote SMTP server cannot handle the protocol. (For example, if a Hotmail account is no longer active, a 550 SMTP error will occur.)

    Troubleshooting: Run SMTP Log or netmon trace to see why the remote SMTP server rejects the protocol request.

    But your real issue is with you dear.

    Sit down.  We need to talk.  You need to have a change in yourself first.  You aren't being true to yourself and your domain name.  You need to make sure that everything in your SMTP setup is as it should be.  If you can't make the necessary changes to you.. you need to do a Smarthost setup and change the way you are set up.

    Right now you are advertising your domain name in that email header as <FF-EXCHANGE.domain-us.local> and that's why you are being rejected.  Your header needs to match your real domain name.  You can rerun the connection wizard or follow the KB article.  Eriq has a great blog entry to do more personal soul searching to find out what you need to fix.

    But we have to start fixing you first.  You are the real problem here.  I hope this helps, keep me posted on how the relationship works out.
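A pre-flight check for the name a mail server announces in HELO/EHLO, as an added example (not code from the original post). The list of non-public suffixes, the placeholder domain `domain-us.example` and the exact checks a receiving server applies are assumptions; the post only shows that the `.local` name was rejected.

```python
import ipaddress
import re

# Suffixes that never resolve in public DNS. ".local" is the one in the post;
# the rest are an added generalisation (assumption). ".example" is left out
# on purpose so it can serve as the placeholder public domain below.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "localdomain", "lan",
                       "internal", "invalid", "test"}
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def extract_helo(smtp_log_lines):
    """Return the argument of the first HELO/EHLO command in an SMTP log."""
    for line in smtp_log_lines:
        match = re.match(r"^\s*(?:HELO|EHLO)\s+(\S+)", line, re.IGNORECASE)
        if match:
            return match.group(1)
    return None


def check_helo_name(helo, public_domain=None):
    """List the reasons a receiving server could object to this HELO name."""
    name = (helo or "").strip().rstrip(".")
    if not name:
        return ["empty HELO name"]

    # Address literal such as [192.168.16.2] or [IPv6:2001:db8::1]
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            address = ipaddress.ip_address(literal)
        except ValueError:
            return ["malformed address literal"]
        if address.is_private:
            return ["address literal is a private address"]
        return []

    try:
        ipaddress.ip_address(name)
        return ["bare IP address; must be a domain name or [address literal]"]
    except ValueError:
        pass  # not an IP address, so treat it as a domain name

    problems = []
    labels = name.lower().split(".")
    if len(labels) < 2:
        problems.append("not a fully qualified domain name")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append("contains a label that is not a valid hostname label")
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        problems.append("ends in non-public suffix ." + labels[-1])
    if public_domain:
        domain = public_domain.lower().rstrip(".")
        if name.lower() != domain and not name.lower().endswith("." + domain):
            problems.append("is not inside the public mail domain " + domain)
    return problems


# Constructed SMTP log excerpt: only the EHLO name and the rejection text
# come from the post, everything else is sample data.
SAMPLE_LOG = [
    "220 mx.recipient.example ESMTP",
    "EHLO FF-EXCHANGE.domain-us.local",
    "550 5.5.0 <Helo command rejected: invalid HELO usually associated with SPAM>",
]

if __name__ == "__main__":
    announced = extract_helo(SAMPLE_LOG)
    print(announced, check_helo_name(announced, "domain-us.example"))
    print("mail.domain-us.example",
          check_helo_name("mail.domain-us.example", "domain-us.example"))
```

An empty list means the announced name passes these checks; it does not guarantee acceptance, since receiving servers may also compare the name against DNS for the connecting IP.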

    What's the best POP connector?

    From the mailbag today comes the question “What is the best POP connector program?” 

    I'll start with an answer from the “Consultant crowd”:

    SMTP instead

    And I'll include my answer:

    A patched one  :-)

    But if you'd like additional options for using a POP connector program, remember that both Popbeamer and GFI have POP connector programs and both are highly recommended.  And yes...they can collect faster than every 15 minutes, but if you want the POP program to collect every 30 seconds...like the guy in the newsgroup today....move to SMTP, otherwise you will corrupt emails.  The reason why the SBS POP connector program only collects every 15 minutes is to not overwhelm the Internet with these hits on ISPs and also to not corrupt emails as they get pulled in.

    So let's just look at some pros and cons of using a POP connector program versus SMTP:


    Pro:  POP means that you need no ports open to go grab email.  It triggers the pull and pulls the email in.  There is no need to open up port 25 or 110.  Thus you won't see SMTP auth attacks on your port 25 trying to nail your administrator account, which ...while an acceptable risk... is still annoying nonetheless.

    Con:  That POP connector sends out that username/password in clear text.  Set up a sniffer program on that connection and voila... you'll see the username and password go across the wire.  Hopefully that's not the 'same' username and password as the domain credentials of the firm.


    Pro:  POP is faster to implement in a formerly peer to peer firm and more 'warm fuzzy' to the consultant setting it up.

    Con:  Some ISPs have no clue when it comes to setting up Mail Records and what not.  Javier has an excellent post that we put up a long time ago about Smarthost versus DNS.


    Pro:  uh... hmmmm...not sure there is a Pro in this one as you have to rely on word filtering

    Con:  Can't use Exchange IMF spam filters for spam filtering or any number of other anti-spam techniques that typically have better 'catch' rates.  You must have SMTP to use Exchange IMF.


    Pro:  Using POP your email is always safe because it only comes off the mail server when your Exchange server pulls it down.

    Con:  Using SMTP your email is always safe because you can use a service like TZO.com to provide a backup MX or mail delivery in case in the rare chance your SBS is offline. 

    Uh..... This one is a dead tie because there are ways to provide backups for that mail delivery no matter what.


    Pro:   Using POP I can use cheaper dynamic IP services rather than the more expensive static ones.

    Con:  Using SMTP I can still use the cheaper dynamic IP services rather than the more expensive ones. 

    Huh?  Yup, this too is a dead heat because you can use port redirector services and other such tools to still host your email on a dynamic IP
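To audit the cleartext-credential "Con" above, this added example (not from the original post) reads a client-side POP3 session log and reports whether the password left the machine unprotected. It goes beyond the post by also recognising APOP and STLS; the `C:`/`S:` log format, host name and mailbox name are constructed assumptions.

```python
import re

# A greeting containing <timestamp@host> signals APOP support (RFC 1939).
APOP_BANNER = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def audit_pop3_session(lines):
    """Classify how a logged POP3 session authenticated.

    `lines` are log lines prefixed "C: " (sent by the connector) or "S: "
    (received from the ISP). The password is never copied into the report.
    """
    report = {"method": None, "user": None, "password_in_clear": None,
              "server_offers": set()}
    tls_active = False   # becomes True once the server accepts STLS
    in_capa = False      # inside a multi-line CAPA response
    last_cmd = None

    for raw in lines:
        direction, _, text = raw.partition(": ")
        text = text.strip()
        if not text:
            continue
        if direction == "S":
            if in_capa:
                if text == ".":
                    in_capa = False
                elif text.upper().split()[0] == "STLS":
                    report["server_offers"].add("STLS")
            elif last_cmd is None and APOP_BANNER.search(text):
                report["server_offers"].add("APOP")
            elif last_cmd == "CAPA" and text.startswith("+OK"):
                in_capa = True
            elif last_cmd == "STLS" and text.startswith("+OK"):
                tls_active = True
        elif direction == "C":
            parts = text.split()
            last_cmd = parts[0].upper()
            if last_cmd == "USER" and len(parts) > 1:
                report["user"] = parts[1]
            elif last_cmd == "PASS":
                report["method"] = "USER/PASS"
                report["password_in_clear"] = not tls_active
            elif last_cmd == "APOP" and len(parts) > 1:
                # APOP sends an MD5 digest of banner+password, not the password.
                report["method"] = "APOP"
                report["user"] = parts[1]
                report["password_in_clear"] = False

    report["server_offers"] = sorted(report["server_offers"])
    return report


# Constructed sessions (sample data, not captured traffic).
CLEAR_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@pop.isp.example>",
    "C: CAPA",
    "S: +OK Capability list follows",
    "S: USER",
    "S: STLS",
    "S: .",
    "C: USER mailbox1",
    "S: +OK",
    "C: PASS not-a-real-password",
    "S: +OK 2 messages",
]
TLS_SESSION = (CLEAR_SESSION[:6]
               + ["C: STLS", "S: +OK Begin TLS negotiation"]
               + CLEAR_SESSION[6:])

if __name__ == "__main__":
    for name, session in (("clear", CLEAR_SESSION), ("tls", TLS_SESSION)):
        print(name, audit_pop3_session(session))
```

When `password_in_clear` is true and `server_offers` is not empty, the ISP already supports a safer login than the one the connector used.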


    So what's the best?

    One that fits what your client needs.  And sometimes that even includes that annoying 15 minute patched pop connector built into SBS 2003.

    Home computers

    No, I'm not talking about XP Home computers.. I'm talking about 'home computers'.   Tom in the mailbox asks if I work on home computers and what I do when a client asks me to.  Tom says he used to do it on the side but is getting tired of it.

    They are pretty gunked up aren't they Tom?  And yet they won't let you do what you really need to do which is flatten those boxes and start over because they really don't have a good backup strategy for home systems.

    I know that I do indeed support home computers of the folks here at the office... of my neighbors....of my clients......but it does indeed get a little annoying when you can't truly do to those machines what you want to do. 

    I know that while I count the 'physical' computers here at the office, I also count the computers at home of the people that work in the office under my supervision as well.  Their 'health' affects my network's health.  In my mind, at this time with the Remote Web Workplace, my major concern is someone not following my firm's policy and using a kiosk computer to log in.  I've set passwords appropriately, my issue is more of a people one.  I mandate that they must use firm equipment when making a remote connection, or only a home computer where I've handed them antivirus and what not for the machine.  While my 2x4 security device works well, there will come a day that I'd like to have some better technology enforcing how folks log in rather than a piece of Douglas Fir.

    On another note, I personally haven't used the VPN connection into the office in such a long time I'm thinking of closing off the connection.  A VPN connection back into an office from a home computer can be and has been a major risk if the machine tunneling in was infected with worms and viruses.  Remember too the added benefit of RWW: the connection isn't making a drive connection between my computer and that of the office, so the VPN split tunnel effect that is a concern isn't going on.

    Remember that your big issues with home computers, as discussed in how Microsoft does remote access, are....

    • Unmanaged and infected remote devices put corporate resources at risk
    • Viruses, trojans, worms
    • Home users' machines are a frequent hacker target

    So many times in SBSland the question comes up when a VPN connection is made from home that they can't surf the Internet.  But you need to understand what is going on.  You are bridging back from that potentially infected machine into your network.

    Think of those home machines you've cleaned up.... you really want 'that' on your network?

    So.....how many 'home' computers...not XP Home computers.... do you support?

    The normal stuff of SBS

    When someone comes into SBSland there's stuff that you just don't know until you've seen a few boxes, or hung around newsgroups.

    When an SBS box first boots up there are certain events that are just 'normal' and the MAD thing is one of them:

    Process MAD.EXE (PID=3784). All Domain Controller Servers in use are not responding:

    In reviewing the info on the Event ID site for 2102 this is a totally expected error in our SBS boxes.

    Event 8026 and 8250 are also NORMAL to SBS and expected.

    That Store memory referred to in this blog is totally normal and in looking at that server's 'committed' memory... oh man..that is a normal, healthy SBS server in my view.  That has plenty of memory.  That Store issue is a result of not applying the post Exchange sp1 patch from the download site.  Remember that Store 'by design' takes memory that it needs and then puts it back in.  I've personally only had an issue with SBS Monitoring that I had to 'throttle'.

    Next I leave NetBIOS over TCP/IP enabled.  That laptop sounds more like it has a DNS resolution issue.  All computers in the network should be pointing to the server for their DNS resolution and all 'DNS' entries on the internal NICs should be pointing to the internal NIC of that server.

    If the 'red cross' you are talking about is the mapping of the drives, I've found that to be caused by the autodisconnect setting on the server and I've always shut that off.  I think it's totally unnecessary.

    Robert?  One thing I'd recommend is that you join a SBS community because we could have saved you a ton of googling and investigating.

    Course... you wouldn't have then quite had so nice of a blog posting for me to find....but hey  :-)

    Time Travel

    One of the guys in the office needed to get into a 1999 tax program yesterday.  I could 'barely' remember how to load it and install it.  Once it was loaded it wasn't 'WYSIWYG' [what you see is what you get], it was DOS-y, it was batch entry driven, it was... well it was a Windows 98 world in a Windows XP era.

    Which reminds me that once again I need to harp on everyone to get off of a platform that has no security.

    I'm sorry but should you really be running your business on an operating system that has on its technical support page tips for surviving Y2k?  I understand those firms that stay on an older platform because of a line of business application issue, but for the rest of you folks, getting off of a platform that....

    • Has no event viewer program to use Eventid.net with
    • Doesn't do blue screen dump files so that they can be properly debugged
    • DOES do blue screens on a regular basis
    • Needs to be rebooted...just because....
    • Has no Online Dr. Watson technology

    Lately we're finding that when we've gotten the online error redirect we're finding suggested fixes.  I've even gotten requests for “what exactly were you doing when this blew up“ dialog boxes.  Remember that Microsoft isn't tracking you and the information you provide helps the next guy on the Internet highway.  Remember you can even get a passport sign in sometimes and track the error.

    As you can tell...sometimes a description doesn't have to be 100% accurate for them...more for you to track the issue.  [That is what it did...It kinda barfed...what can I say?]

    Oh and that 1999 tax program?

    We ended up doing what we needed to do by hand.  We couldn't remember enough of the program, nor was it an efficient program so we went around it and didn't use it.  We've upgraded our brains and couldn't go back.

    So sitting next to my monitor at home tonight... a gift from my sister

    Sometimes a picture says a thousand words... doesn't it?

    May 19th you know....

    Losing it....and Checking it

    I'm sure there are friends of mine that will read this headline and say that I'm speaking about myself personally [especially this time of year], but no, I'm not talking about personally, I'm talking about Time.

    We're losing an hour tonight.  Uggggh.  An hour.  60 minutes is all really.  Not a biggie, but it means a great deal to a night owl person like myself.  It means that 8:00 a.m. isn't 8:00 a.m. any more.  It means that tomorrow will seem a little bit shorter than today. 

    [And this will be a very US centric posting, for other countries, review the time change info here]

    Now here's the dumb part....it's not observed in Hawaii, American Samoa, Guam, Puerto Rico, the Virgin Islands, most of the Eastern Time Zone portion of the State of Indiana [huh?  How weird is that?], and the State of Arizona [but not the Navajo Indian Reservation].  Got that?  We'll have a pop quiz later.

    I've travelled to Phoenix and the other wacko thing they do there is have television on at the TOTALLY wrong hour.  I was sitting in a hotel room at 10:45 p.m. one evening watching Jay Leno thinking...why am I feeling tired when I don't normally go to bed this early?  It was Jay's fault.  I 'felt' tired because his show was on and that's normally the time to go to bed.

    Say, not only is this a reminder of setting those clocks forward, ensuring that your computers are set to synchronize with the server as they will automagically adjust, but check those batteries in your smoke detectors and in your UPS's in your computers.

    Do watch the Dell OEM computers as well for time change issues.  In fact that reminds me to go check the Optiplex in the office for this.  For a while there whenever you bought a Dell OEM system, the little check box that ensured that you adjusted automagically for daylight savings would not 'stay' checked if you checked it while you were running the OEM/install routine.  It stayed checked if you went and checked that box any other time.  But if you only checked the box during the 'wizardized' setup it would not stay checked and suddenly one guy in your office would have all of their Outlook appointments off by one hour.  The last I heard [and checked] the Dells were not doing this anymore, but it's something to keep in mind if you or your clients call up about one workstation not seeing appointments at the same time as everyone else.  Check the time [both the physical time AND the Daylight/Standard time zone setting] of the system.  For a long time you'd call up Dell and they would blame it on Microsoft but I've set up many Windows XP machines from scratch and NONE of them had this quirk and yet many of my Dell OEM machines did.

    As far as checking for a backup power supply, I'm sure you'll ask the question....How is the best way to check the UPS?  Yank the cord from the wall [okay, how about nicely remove them] and ensure that your computer 'stays on' for enough time for you [or the UPS software] to shut them off.

    ....just don't do this...middle of the day...middle of the week... on a production network... wait until Friday night or some other better time to do stuff like yanking cords and other such maintenance things.

    Hey Mikey! There's information about the Service Pack 1 on SBS!

    Now Mikey, remember our previous lesson of why you don't want to be first in applying these service packs.  Even though [as has been pointed out] that they have been 'dog-fooded' to death by Microsoft, it's still better if in SBSland that you do that first download not on your production server....at lunchtime...middle of the day...middle of the week.....well .....you get the idea. That's just not the time to be going first...or second... as the case may be.

    Today on the Microsoft site are the 'known issues' that were discussed in the newsgroups the other day.  Mikey...you should AT LEAST wait for this kind of stuff to be released before trying it you know.


    Windows Small Business Server 2003 and Windows Server 2003 sp1 Known Issues

    This document covers the top known issues you may encounter when installing Windows Server 2003 Service Pack 1 on Windows Small Business Server 2003.


    I also found another hotfix that 'if' we were stupid enough to apply SP1 to our SBS 2003 premium boxes today we'd probably be needing for ISA 2000.  BUT the good news is ..we totally DON'T need this because we're getting ISA 2004 when SBS 2003 sp1 comes out and ISA 2004 is not affected by this.

    See Mikey, why you need to just hold your horses and wait until 'our' service pack comes out?

    We've even gotten some requests about ISA 2004 in the newsgroups.  It will be interesting to see if more people jump on the lovin' ISA bandwagon when 2004 comes out for us.  Remember if you already have Standard, all you need is that Standard to Premium upgrade SKU of T75-00140 which gives you 'both' ISA and SQL.  You also do not have to have Software assurance [but ...I would argue that SA is still a good thing nonetheless...remember I'll automagically get the media sent to me while you 'normal' types will be going online and ordering a cdrom...shipping, handling, docking fees, etc...etc...]  ISA gives you a lot more ability to control and report on Internet access.

    So Mikey?  Just be patient just a little bit longer!

    To the Windows Update team

    First off... I have to say I'm sorry to you guys and gals for jumping on you guys over the last couple of days and a huge thank you.  Consider yourselves kinda the punching bag folks for my frustrations with patching in SBSland.  Like I've said before I know there's a lot of movement and change regarding patch management and well, you guys kinda bear the brunt of a lot of my frustrations and you guys and gals don't deserve it. 

    Thank you to the Windows Update team for proving that Microsoft is agile and responsive.  Thanks to whomever for removing the offering up of the SP1 patch to SBS 2003 boxes on Windows update.

    I think there are still lessons to be learned in SBSland from this experience:

    Being the first on your block to install a patch is just plain dumb.

    I'm sorry but it is.

    You know ...just because you go to Windows update on the DAY that a service pack releases doesn't mean that you should install it.  Look at us....there are some issues [granted no blue screen of death and if you didn't need to change the RRAS or change the IP address of the server or uninstall it and see the fax issue, you'd probably never see these issues], but you don't have to install this the first day it comes down.  WAIT for those of us that have test boxes to let you know that it's okay.  Wait for the communication to come out.  That patch was WAY too freshly baked to be installing it on SBS boxes.  That's what the SBS patch community is all about... you let someone else go first.

    You remember the Life cereal commercial...'I'm not eating.... you eat it.....I'm not going to eat it.....let's get Mikey to try it'.  Let the SBS community out here 'be Mikey' for you and let you know if the patch is okay to put it on your box.

    When we say “hey our boxes like it!“ then you can go ahead and install it on your systems.  If you have a test network at home, install it there first and even then, still look at the community for feedback.  One that I hang around is on the listserve at patchmanagement.org

    Just remember..if you don't hear us say:

    Don't install it on your SBS box.

    RFCs for today

    Today is the day that the Computer geeks turn into comedians

    RFCs that are dated 4/1 ...well...they just are in a class all of their own....

    Requirements for Morality Sections in Routing Area Drafts

    UTF-9 and UTF-18 Efficient Transformation Formats of Unicode

    I think my favorites are still:

    A Standard for the Transmission of IP Datagrams on Avian Carriers

    IP over Avian Carriers with Quality of Service

    And who said geeks had no sense of humor?

    That was then, this is now...and a thanks

    This was yesterday when Windows update offered up Service Pack 1 to SBS 2003 boxes:


    This is today when it doesn't:

    [And I have to 'out' myself.... I left off .NET sp1 for now because of a few wacko hotfixes I've seen and didn't want to mess with the .NET service pack ..... as I hate Service packs as you can tell and planning to apply it after busy season is over at the office...so yes...I'm missing a service pack on purpose because I hate them]

     


    And just to confirm this is my member server where Windows 2003 sp1 is indeed still offered up:

     


    Thank you for your quick action gang... and one blog hug to all the folks that scrambled to take action on our concerns.  For a big company...you showed you had a bit of agility in you today.

    And if you installed it, and then uninstalled it to find that Fax services now do not work, try this:

    After you remove WS SP1, change the registry value
    HKLM\software\Microsoft\windows\Currentversion\Telephony\Country List\CountryListVersion
    to 0. Then reboot (you must reboot; restarting fax does not work) and re-run the
    Fax Configuration Wizard from the Fax Snap-in.

    SBS 2003, WU, AU and SUS

     I'm stealing a post from Les Connor from the newsgroups:


    There are three cases here that must be addressed separately.

    1. SBS server with Automatic Updates enabled, automatic download only, or install also.

    - Windows Server 2003 SP1 will not be automatically downloaded, or installed, until July.
    - Action: No action required.

    2. Manually run Windows Update from the SBS Server. (This is not the same as Automatic Update.) Windows Server SP1 will be shown as a critical update.

    - Action: Do not select the SP to be installed.

    UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.  Thank you Microsoft for responding to our concerns.  Thank you for your quick action and response.

    3. SUS installed, with SBS as an SUS client. If the Windows Server SP1 has been approved in SUS, *and* the SBS is an SUS client, then the SP1 will be available to the SBS. Whether it is installed automatically or not to the SBS will depend on your specific GP settings for SUS.

    - Action: Best practice is to *not* have the SBS as an SUS client. Your SUS policy should apply to workstations only, not servers. But if your SBS *is* an SUS client, then see the next action.
    - Action: Best practice is to *not* have SUS configured for automatic approval of updates. All updates should be approved manually. You may elect *not* to approve WS 2k3 SP1, then it won't be available to your SBS.

    Update SUS is also getting the configuration change. You may need to resync your SUS to 'get this'.

    So you see, WU, AU, and SUS are all slightly different technologies, and the configurations also allow for variations in how the update technology in use will react in relation to WS2k3 SP1.


    UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns. 


    Windows 2003 SP1, SBS 2003 and Automatic updates

    Dan emails “ I'm concerned that it has not been made clear that Server 2003 SP1 will be installed if Automatic Updates is enabled on SBS 2003. At least, this is what I read in the newsgroup. I fear that many SBS implementations are configured this way.”

    Dan, I purposely turned on Automatic Updates on my SBS 2003 server at home [the one that I test stuff on] and no automatic update came down.  So I can state that the statement that was sent to me earlier that said AU delivery would not occur until July is a true statement.  Don't worry..just like news reports on XP sp2 that supposedly will be blasting down on April 12th...NOTHING will happen.

    Therefore to the community out here....know that at this time, it is still offered on Windows update, but it will NOT be offered up on Automatic updates.


     UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns.  Thank you for your very quick action and response.  If you've already installed it.. leave it on .... as the only issues are with the RRAS wizard and Change IP wizard.  If you haven't installed SP1 ..no problem.... just wait until the SBS unique sp1 comes out.  As is shown below it will be shortly.


     This Alert is to make you aware that Windows Server 2003 Service Pack 1
    (SP1) today reached Release to Manufacturing, and is now available to
    customers for download.

    Customers will be interested in Windows Server 2003 SP1 as regards
    security for the following reasons:

    - Windows Server 2003 Service Pack 1 is a unique service pack that
    provides customers with significant security enhancements and
    reliability and performance improvements.
    - Building on a comprehensive collection of critical updates, Service
    Pack 1 addresses additional core security issues by providing customers
    with a reduced attack surface, better protected system services with
    stronger default settings, and reduced privileges.
    - With Windows Server 2003 Service Pack 1, the development team took
    the time to treat the root cause of many security issues, not just the
    symptoms. This service pack is very significant and should help address
    certain classes of exploits.

    In addition, Microsoft is announcing that Windows Small Business Server
    2003 Service Pack 1 will also be available to customers within 60 days.


    Note: Customers who have Automatic Updates enabled with automatic
    download should be aware that Windows Server 2003 SP1 will be made
    available through Automatic Updates (AU) as a High Priority update in
    July 2005. More information about SP1's availability through AU will be
    made available closer to this deadline.

    Customers can obtain Windows Server 2003 SP1 at this location:

    If you have any questions regarding this alert please contact your
    Technical Account Manager or Application Development Consultant.

    Thank you,
    Microsoft PSS Security Team