May 2005 - Posts

Well that was fast!

Microsoft has received your order, and it is being processed.

Ordered From: Windows Small Business Server 2003 SP1
Order Number: 01112007580056
Order Date: May 23, 2005
 
Order Status: Shipped 
 

Sure enough... I have three cdroms in my possession that are the official Premium SP1.

TRUST ME... you WANT to order the cdroms. They are SOOOO much better than the manual download. None of this update.exe or manual extraction stuff.

Not to mention the Smallbizserver.net page says exactly what to expect.

Planning a beach vacation in Florida? How about adding a dash of swing to that?

 
The Gulf Coast SMB Partners Group will hold its second meeting on the 23rd of June at 7 PM at Univ of West Fla Bldg 71 Rm 133 with Jeff Middleton (SBSMigration.com) presenting Swing Migration and bringing a great door prize. You are cordially invited to attend. Details and registration at http://www.clicktoattend.com/?id=103062; registration at that link is required. Please register early so we can get an idea of attendance, and seating is limited, so ensure your seat now! Driving Directions link is on the Registration site.

 

hmmm....wonder if the extension cord for the laptop will reach that far on the beach. 

Ya think?

Fellow SBS MVPer Frank McCallister is the leader of this group and brings a wide variety of experiences to the table.  Just reading about the stuff he's done in the past is amazing.  Grab a beach chair, a bit of suntan lotion and say Hi to both Jeff and Frank for me, will ya?

Yeah Sean, I know... too many pictures....

Amazon...you are not coming through for me

Okay I'm bummed.  You see I have the opportunity to go to Redmond as part of my last official act as Chairman of the Technology Committee of the California Society of CPAs and I just might have the opportunity to get the book “Protect Your Windows Network:  From Perimeter to Data” signed by the authors.... except for one teensy weensy problem.  Even though Amazon says it's released [heck they even say they have used versions of a new book for sale], the book looks like it's not going to make it in time for me to have it for an autograph. 

Rats.

Oh well, remember if you can't be at TechEd to hear them in person, you can listen to them via a live webcast:

Steve Riley on Security policies, and Dr. Jesper Johansson on the Security Configuration Wizard.

Okay who wants to place a bet that someone is going to ask him during the presentation if you can run the SCW on SBS?

Remember that while it truly won't 'kill' us, it really doesn't do much [other than if you hit the settings to kill off Windows 98 machines, then you truly will indeed have a security impact], so don't use this tool to harden the SBS box.  It's pretty well tweaked for now.

But that will fix it right?

When something is broken, it's wise to fix 'that' before doing a work around.  I had two examples come across my desktop today.  The first was a poster on the PatchManagement.org listserve who was having issues with Mapped drives being messed up after a security patch and the way he was fixing it was to reboot the server....at first weekly...now more like daily.

...that's not exactly the greatest fix for an issue with a patch in my book. I'd be calling Microsoft Product Support Services [remember, issues with a security patch are a free call] and properly diagnosing that issue with some netmon tracing and what not.

The second was a blog poster who asked me to blog about the manual way to set up the ntbackup because if he used the wizard the server would spontaneously reboot in the middle of the night.  If they ran it by hand, it wouldn't.

Uh... that's not exactly a topic that I plan to blog about and I'll tell you why.... the wizard...and all wizards on a SBS box...should work.  Remember Yoda?  Do or do not, there is no try?  Well the same holds true with the wizards.  They work.  If they don't work, fix the fact that they aren't working...but they should be working.

Applying a service pack on top of a broken connect to internet wizard isn't going to fix the broken wizard.  It might reregister a dll or two, but if there is some foundational setup part wrong, applying a service pack over something that is broken isn't going to help too much.

If something doesn't work...google the exact error or call Microsoft Product Support Services [it's called CSS these days...but I'll probably always call it PSS].  Get it resolved 'before' the service pack install...not afterwards.

Undelete and Volume Shadow Copy

Once upon a time in a galaxy far far.... oh wait...sorry ...wrong story...

Once upon a time on my SBS 2000 box I used to have an Undelete product that would help me keep files that people stupidly deleted.  Well one day one of my drives dropped out on my server array and due to that undelete product... I ended up with a bit of a mess on my hands afterwards.  Needless to say, and especially with SBS 2003, I haven't installed it back on the 2003 platform because it's not needed anymore with Volume Shadow Copy. 

Handy Andy put up a tip on how to better utilize Shadow Copies that came from the O'Reilly book Windows Server Hacks.  I like the book series but honestly, wish they would change the titles...the “hack” part just doesn't have the same meaning it once used to.  The old definition meant to do something really cool; the new one, well, it doesn't mean what it used to anymore.

Check it out and enjoy!

Talking owner to owner

Got a potential customer who is on the 'edge' of buying SBS?

This just might shove him or her over......

Microsoft Canada is happy to host the first SBS webcast directed at end-customers. Les Connor will be presenting the SBS benefits valued by most customers. From Owner to Owner. I urge you all to invite those customers who are currently considering their first server purchase.

Increase Your Productivity with Windows Small Business Server 2003
Webcast - June 14, 2005 or June 16, 2005
http://www.microsoft.ca/increaseproductivitywebcast

Learn the real facts about Small Business Server 2003 as shared from one small business owner to another.
Register Now: http://www.microsoft.ca/increaseproductivitywebcast

When the download button 'isn't' the download button

One of the very confusing things about this service pack is that when you go to download it and blondely click the download button, it only downloads the last patch of the series and does not direct you to install the five parts.  And of course if you don't read... which of course none of us geeks do... when you go to install this, it says you need Windows 2003 sp1 first.

No wonder everyone is getting confused about this....

Order the cdroms...trust me... your life will be a lot easier.  Then follow the how to on the Smallbizserver.net site.

I don't think it's "that" complicated

Found a blog that said that Exchange was too complicated, and while I would argue that setting up Exchange with an MX mail record just might be a little... well... sometimes frustrating depending on your ISP, the SBS wizard to set up email isn't that bad.  Not like Tim makes it sound.

The dirty little secret of the SBS world is that while many of the consultants turn their noses up at using POP...it's the most comfortable transition for a firm that's used to peer to peer, and based on my unofficial view, probably used way more than we think.  Yeah, yeah, you still have the 15 minute issue, but do you honestly truly need Spam that much faster?

I just think we need to recognize that POP is probably used a heck of a lot more than we'd like to admit around here.

Just remember run the Connect to Internet Wizard.

That thingy that is now in the corner of the server after you apply SP1

Someone in the newsgroup asked about that 'thingy' in the corner that is now in the system tray after the application of the Service pack.  Well for one, if you are just NOW noticing it because you never had it before...you kinda missed a critical patch along the way, as this is caused by an update that came down on Windows Update ages ago.  KB 829358 is the one that brings down that thingy.  But not to worry, you can either just get used to it down there or delete it off.

I guess I'm a lazy bone because I've just ignored it. It's only a cosmetic issue and you can easily remove it from the system tray...but Windows did that one to us a long time ago... so if you've never had that before now, you might want to remember that the second Tuesday of the month is Patch Tuesday and put in place a Patch Management process to ensure that you are getting patches on that second Tuesday of each month.

Struck up a conversation on the plane back from Texas, as a matter of fact, with the lady who sat next to me who was in charge of application updates for her firm, and she didn't know that the second Tuesday was Patch Tuesday.  Guess I should warn people when they sit next to me on airplanes that you might get geek speak for the plane ride.
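The "second Tuesday of the month" rule sounds simple but is easy to get wrong by hand across month and year boundaries, so here is an added Python example (mine, not code from this blog) that computes Patch Tuesday for any month and counts how many monthly cycles a machine has skipped since it was last patched. The fleet snapshot in the usage section is constructed for illustration.

```python
import calendar
from datetime import date, timedelta


def second_tuesday(year: int, month: int) -> date:
    """Date of the second Tuesday of the month, i.e. Microsoft's Patch Tuesday."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Tuesday == 1; days from the 1st to the first Tuesday
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def _next_month(year: int, month: int):
    """(year, month) of the following month, rolling December into January."""
    return (year + 1, 1) if month == 12 else (year, month + 1)


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday on or after `today`."""
    candidate = second_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    return second_tuesday(*_next_month(today.year, today.month))


def missed_patch_tuesdays(last_patched: date, today: date) -> int:
    """How many Patch Tuesdays fell after `last_patched` and on or before `today`.

    Anything above zero means the box has skipped at least one monthly cycle.
    """
    count = 0
    year, month = last_patched.year, last_patched.month
    while (year, month) <= (today.year, today.month):
        patch_day = second_tuesday(year, month)
        if last_patched < patch_day <= today:
            count += 1
        year, month = _next_month(year, month)
    return count


def patch_schedule(year: int):
    """All twelve Patch Tuesdays of a year, for pinning to the wall or a calendar."""
    return [second_tuesday(year, month) for month in range(1, 13)]


if __name__ == "__main__":
    # Constructed fleet snapshot: machine name -> date it was last patched
    fleet = {
        "SBS-SERVER": date(2005, 5, 10),
        "FRONTDESK-XP": date(2005, 3, 15),
        "ACCOUNTING-98": date(2004, 11, 9),
    }
    today = date(2005, 5, 23)
    print("Next Patch Tuesday after", today, "is", next_patch_tuesday(today))
    for name, last in sorted(fleet.items()):
        print(f"{name:14s} last patched {last}  missed cycles: {missed_patch_tuesdays(last, today)}")
```

A machine whose `missed_patch_tuesdays` count climbs above one is exactly the "you kinda missed a critical patch along the way" case described above; feeding the script the last-patched dates from your own inventory turns the monthly rule into a report rather than a memory exercise.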

 

Setting expectations and better communication

If there's one thing we newsgroupers sometimes fail to do, it's communicate properly.  One of the misunderstandings around the SBS 2003 sp1 install is that we in the newsgroup went out and said “oh you don't need Windows 2003 sp1” and now we are saying you do, as step one of the SBS 2003 sp1 install.  The other expectation that was set was that a service pack for SBS would be just as easy as adding water and stirring. 

So let's take the miscommunication... first off, what we should have said was “Don't install the Windows 2003 sp1 service pack 'just yet'.”  I knew we needed it as part of our SBS installation and just said “don't install it”, but we should have been clearer that we meant that you didn't need to do it just yet.

As far as applying service packs, I've been patching SBS servers since SBS 4.0 days and because we have a lot of components, the service pack part is always done in a modular setup.  For those that haven't worked with the SBS platform before, I'd strongly recommend that you order the cdrom media as the fabulous M&M's have put together an exact how to with the cdrom install.  The cdrom install in my opinion is way easier.

I've said this before, I'll say it again, I don't like service packs in SBSland.  Give me a security patch, give me a non regression tested hotfix, but service packs have always been icky in SBSland.  I still remember how I found the newsgroups in the first place: I was running SBS 4.0 and doing either the patch to 4.0a or 4.5 and discovered the newsgroups around that time, which let me know that there was a window you had to close to find the box you had to click to say “Yes continue” or something like that.  So I guess I'm a bit jaded in that I think Service packs are just plain icky, period.

My 'mini' SMBNation event

Once every year there is a SBS love fest called “SMBNation”.  Hosted by Harry Brelsford, it is THE SBS var/vap event that gets folks from around the world together.

This weekend I popped over to Texas and sort of had my own mini SMBnation event with some folks here [The Mac guru Eriq Neale being one of the folks that I met up with and had 'geek dinner' with].  I warned Eriq that our mini geek out dinner was a preliminary event to SMBnation....it's where you can speak SBS geekdom for several days and no one rolls their eyes..no one thinks you are insane because they are just as insane as you are.

Rooms are filling up fast.... and if you haven't booked... you'd better.

Dana Epp and I will be presenting on “How compliant is your SBS”, which will basically be trying to blast through, as best we can, all the confusion about security, HIPAA, and any other industry requirement that your clients may have to deal with when they are concerned about the security of their SBS box.  Even if you are not in a regulated industry, it will be a 'let's look at SBS from a risk level and make smarter decisions about our boxes' discussion.  So many times we just do security tweaks and stuff and don't even understand why we do what we do.

SMBNation.... if you are a SBSer... you should be there.  I will.

I have connectivity ...but now I need juice

At the Dallas Fort Worth Airport getting ready to fly back home after a quick trip to Texas, and while there is a Tmobile hotspot available here... finding a power plug-in is near impossible.  What is up with these airports that think we are just going to watch CNN while waiting for the plane rather than blogging and reading emails?  I mean really.....

Remind me that I need to buy a spare battery for my tablet pc so I can have juice to entertain myself in the airport and then juice to entertain myself in the plane.  My Acer Tablet is a perfect size for traveling but the lack of airport plug ins usually means if you see someone sitting cross-legged on the floor next to a plugin in an airport... introduce yourself.... it just might be me.

English, French, German, Italian, Japanese, Spanish

What's that?  It's the localised versions of SBS that are now available!  Remember SBS supports ... I think it was 17 languages and as they are done, that drop down on the download page will start offering more languages.

Remember that Asia, Australia and Latin America, you need to call for the Premium cdroms, all others you can put in the Product key code and order online.

It's a sign

Flew into Dallas/Las Colinas Texas for a quick trip and right across the freeway exit from where my Hotel is... is a Frys Electronics store.

It's a sign.  If you don't hear from me, it will be because I'm passed out from breathing in the 'new electronic smell' from the entryway.

Stay tuned... more later.

So if we told you NOT to install Windows 2003 sp1.... how come we now need it on the box to install the SBS sp1?

The impression that some are getting is that the only patch they need is the last download called SBS 2003 sp1.  That's an incorrect view.

You remember back in school geometry classes when you had sets and subsets?  Okay SBS 2003 sp1 is a glob of patches which are Windows 2003 sp1, Sharepoint sp1, Exchange 2003 sp1, XP sp2 client updates, and then some specific SBS patches that includes the MSDE updates.  For premium you also get another disk that has SQL Server 2000 sp4 and ISA Server 2004.  But all of those together make up the Service pack that SBS needs.

So when we went screaming to the newsgroup “don't install Windows 2003 sp1”, what we really should have been screaming is “Don't install it just yet”.  We had to have you wait because Windows 2003 SP1 all by itself would break a few things here and there, and the full SBS patch bundle fixes everything back up.

You have to lay that down as a foundation 'BEFORE' you do the rest of the patches.  So for those of you reading in the Dell information that Windows 2003 sp1 isn't supported on SBS 2003, Dell too should be saying “we support it IF you apply the rest of the SBS patch bundle”.

Get it now?  Just like we are made up of parts, so too is our patch.  We have normal server under the hood and need the normal server patch FIRST before we get the rest of the parts.

Now if you already patched for Sharepoint, you can skip that....and Exchange...skip that...but I'd install the XP sp2 client folder update.

Any questions?  I see that the cdroms are starting to get delivered... fun for the Memorial Day weekend!

SBS 2003 with ISA 2004 and running a Member server that does Terminal Services?

Then you'll need a patch for that main server to fix an issue where Outlook 2003 running on Windows Server 2003 sp1 [a terminal server box] cannot connect back through that SBS 2003 SP1 box running ISA 2004 and pick up new messages.

RPC data may be blocked, and Outlook may not start in Windows Server 2003 with SP1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;897716

You can find the download you'll need for the ISA 2004 server on the SBS 2003 box here:  Apply it on the main SBS box, but its purpose is to fix the issue with the member Terminal Server box.

ISA 2004 Enterprise edition patch:

Outlook 2003 running on Windows Server 2003 Service Pack 1 cannot connect to an Exchange 2003 server through ISA Server 2004 Enterprise Edition. Earlier versions of Outlook may also be affected

ISA 2004 Standard edition patch: 

Outlook 2003 running on Windows Server 2003 Service Pack 1 cannot connect to an Exchange 2003 server through ISA Server 2004 Standard Edition. Earlier versions of Outlook may also be affected.

ISA 2000 edition patch

Outlook 2003 running on Windows Server 2003 Service Pack 1 cannot connect to an Exchange 2003 server through ISA Server 2000. This problem may also affect earlier versions of Outlook.

The eggshell

There are times when us SBSers are like cockroaches...we are just EVERYWHERE.  So I'm listening to geek webcasts  which are way more useful than talk radio anyway and someone in the audience chides Steve Riley [and SBS for that matter] for default loading the client desktop into local administrator.  Wizard, wizard, click click and there you are as local admin.  And while... I guess you can beat up SBS for that... I'll show you my stupid line of business applications that force me into local administrator whether I like it or not.  I would argue at this time, the average small business is not ready for running without administrator rights without a lot of guidance from a savvy IT consultant.  

In the meantime, as consultants, as consumers of software, we need to seriously start yelling our heads off each time an application we use won't run with restricted user rights. 

I do need to correct Mr. Riley for one point he made, the default is INDEED to have SBS 2003 'enable' the XP sp2 firewall on the local machines and this helps our machines join with the ISA 2004 server in a 'fortress' inside the network as well as the outside firewall. 

Now many have asked... “why do I need a firewall on the inside of the firm when I already have __fill_in_the_blank___ firewall on the outside?  I'm protected just fine from the bad stuff out there.”

Ah..but that's the problem.  The bad stuff isn't just out there anymore..it's in here.  In the wintertime, when you know you will go out into subzero degree temperature [not that I know what that is living in California as I do, but I can imagine], I don't think you just put on a parka and nothing else.  No it's the silk longjohns and then it's the leggings, and then the parka, and then the hat, and the scarf and even feet and hand warmers if need be.  It's layers to protect you.

Okay so let's move over to that workstation in your office.  Without the firewall helping it to protect itself, it's just sitting there all ooooshy and gooshy, just waiting to talk to anyone and everyone wanting to talk to it.  Our networks have been built up like eggshells, with hard outer protection and nothing on the inside at all.  And we can't do it that way anymore.  It's not working.  And I can stand here and tell you that I have the firewalls on the inside of my network and I do not notice any annoyance at all.

Try it with the layers left on.  Add your own program exceptions.  But try it.  You might find like I do, it's no bother at all. 

 

Entourage anyone?

Now that SBS 2003 sp1 is out, you can also get the Mac Outlook client called Entourage by calling 1-800-360-7561 in the US/Canada [5 a.m. to 7 p.m. pst] and ask for part number Q56-00005.  I just checked with that number and that's all you need to get a copy of Entourage for your SBS 2003 clients.  As a [three year] SA customer I got the media for this AGES ago [see why SA is a good thing] and thus haven't needed to worry about tracking this down.  For those overseas, I'd track down your supplemental part phone number and again, use that SKU number.

 

If I need Premium/ISA 2004 should I install the rest of the service pack now?

A question from the blog comments that I want to bring up front... If you have SBS 2003 premium edition, you will GET ISA 2004 merely by ordering the service pack on CDrom and choosing the “Premium” drop down.  You don't need to “buy” it, just need to pay for shipping and handling.

I would not install the rest of the service pack without ISA for the very important reason that once you install Windows 2003 sp1 you will need a patch for ISA 2000 to fix Outlook over http...this is not an issue in ISA 2004, but is with ISA 2000.

So for Premium folks... order the cdrom.

Do you know when SBS 2003 sp1 will be available in France?

Savez-vous quand SBS 2003 sp1 sera disponible en France? ...which, if Google Translation did it right, means “Do you know when SBS 2003 sp1 will be available in France?”

If you notice on the SBS 2003 order page there are two ways to order... group number one is doing it the 'geek' way with drop down order forms.  At this time only German and English versions of SBS 2003 sp1 are available, but more are on their way and should be out soon.  I'm not sure exactly when, but normally the software is 'localised', ensured it is as secure as its other languages, and then gets shipped.

So for all of those waiting for Spanish, French, etc... be just a bit more patient.  It's in the works.  And that's why you only see English and German options now, and why certain countries aren't listed.

For those in Asia, Latin America, Caribbean and Australia, you need to call.

I expect that as the three year SA customer [as opposed to the two year version] that I'll probably get my SBS 2003 sp1 media automagically, but I've gone ahead and ordered a copy just in case. 

Again, for Premium customers, you must order the cdroms to get ISA 2004.

P.S. Fixed the spelling of localised and all languages are as secure as each other...except maybe the Klingon version of SBS might be a tad more secure than the others.

Do I really need to order SBS 2003 sp1 media for every client I have?

One of the questions coming up in the newsgroups is “do we really need to order a cdrom media kit for every client I have? The order form does not allow me to order multiple copies, and charging $5 fees for every transaction may put my credit card company on notice and they may think my account has been hacked or something.”

First let me put on the Consultants' viewpoint and answer that question:

It's dumb to be ordering 20 copies of the same cdrom if it's merely a service pack.  Therefore all I need is one copy of the media.

Now.... let me put on the Client's viewpoint and answer that question:

My consultant sold me this server and never gave me my original media.  I think I have the original install disks, but nothing else.  That makes me kinda nervous.

See the difference?  Look at this not from YOUR view but from your CLIENTS.  I'm not saying that any of you guys reading this do any such thing, but I've helped a couple of customers get replacement cdroms because their consultant never left behind any media.  That customer for whatever reason left that consultant, and the fact that they now see that there's either no media ...or the service packs are on burned in cdroms...well it just opens the door for that client to badmouth your business practices.

So... if I were in your shoes...I'd look at ordering cdrom media as a good business practice for your clients.

If you are having issues ordering, or getting an error registering you can call the support number:

Product Registration Error: Unable to verify Product Key. (9090)
Please contact your Microsoft Support Center
For U.S. and Canada - 1-800-360-7561
For Europe, Middle East and Africa -
direct-mar@msdirectservices.com

One for Mei

To Mei:

I never knew you, only knew of your Dad via emails and postings on an MVP listserve, but I want to thank you.   You've reminded me that life is precious and in this fast paced world we live in, we shouldn't be in such a hurry.  We should slow down and savor things. 

On the door to my office is a plaque.  It reads:

Today....... mend a quarrel, call a friend, send a note, give a hug, wear a smile, laugh a little, enjoy the day.

Mei, you had just a few “Todays”.  And right now the only way that I can cope with that fact is the knowledge, the blind faith that <insert cosmic higher being of your choice> knew that your family was strong enough, that you were special enough to be needed to teach us all a lesson.

Slow down.

Hug more.

Reach out.

People matter.

Mei's Grandmother runs a free children's clinic in Guatemala and I think you were also sent to remind us to look out for others as well.  A lot more than we do now.

Carl Sagan had a comment once on the folly of human nature: “To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we've ever known.”

Thank you Mei, thank your family, and help them see that you were sent to teach us the same lesson....to be more patient, more loving, more caring with our fellow mankind out here in this world.  Things don't matter....but people do.

Thank you Mei for your Todays that you gave us.  And thank you for your lesson.  

Password for Money?

On Tim Mintner's blog he talks about a novel way of getting folks to choose better passwords in light of the headline about “Writing down your Passwords

PAY THEM.

That's right, you heard him, you set up a contest to make sure your employees choose good passwords.  One slight problem I see with Tim's solution though, is that it appears that the password cracking program/contest is only done at the 'end' of the 90 days.  So say I have a really stupid, sucky password that could be cracked in mere seconds, it's not going to get tested for 89 days, 23 hours and 59 minutes.

The idea behind expiring passwords is that you should make them strong enough that if you had someone attempting to brute force your passwords, they'd withstand these attempts for 89 days, 23 hours and 59 minutes before they'd fall to the brute force programs.  We don't just pick 90 days or even 60 days to change passwords because us network admins sit back here and chuckle about how often we force you guys to re-memorize passwords, choose new ones, make sure you don't reuse the old one, etc. etc. to make your life miserable.  It's supposed to be the time a brute force cracking program would take to guess your password given reasonable CPU processing power. As long as that password stands up 89 days, 23 hours and 59 minutes, then we can set the policy for a 90 day expiration.  See the reason behind this?

Also keep in mind that many of these cracking programs have their jobs merely made a lot easier because either one of two things occurs....

  1. You have older OS's like Win 9x that you have to make sure can still authenticate...or
  2. You don't realize that once you've beaten to a pulp your last Windows 98 box [sorry to make it so graphic, but as you can tell... I really have personal issues with 9x boxes that are still alive], you can easily whack the LAN Manager hash setting in group policy, and the next time the passwords are changed, the hashes won't be left behind.  On my SBS 2000 system [where I did have hashes turned on] I ran @Stake's LC5 program and it was frighteningly amazing how fast that software was able to match up the hash with the password.
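To put numbers on the two points above (the 90-day window is supposed to be longer than the time a brute-force program needs to exhaust the keyspace, and leftover LM hashes make that job far easier), here is an added Python example that is not from the original post. The guess rates are assumed values chosen for illustration; the LM figures rest on the documented LM behaviour of upper-casing the password and hashing two 7-character halves independently, which leaves 69 usable characters per half.

```python
# Assumed guess rates (constructed for illustration; real rates depend on hardware and hash type).
GUESSES_PER_SECOND_2005_PC = 1e6
GUESSES_PER_SECOND_FAST = 1e9

FULL_PRINTABLE_ASCII = 95   # upper + lower + digits + 33 symbols
LM_HALF_CHARSET = 69        # LM upper-cases the password first, so lowercase adds nothing
LM_HALF_LENGTH = 7          # LM hashes two 7-character halves independently
SECONDS_PER_DAY = 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def lm_effective_keyspace(length: int) -> int:
    """Guesses needed to recover an LM-hashed password of `length` (1..14) characters.

    Because each 7-character half is attacked on its own, the cost is the SUM of the
    two half searches, not the product: a 14-character password costs 2 * 69**7 guesses.
    """
    if not 1 <= length <= 14:
        raise ValueError("LM hashes only cover passwords of 1 to 14 characters")
    first_half = LM_HALF_CHARSET ** min(length, LM_HALF_LENGTH)
    second_half = LM_HALF_CHARSET ** (length - LM_HALF_LENGTH) if length > LM_HALF_LENGTH else 0
    return first_half + second_half


def exhaust_seconds(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return guesses / guesses_per_second


def survives_expiry(guesses: int, guesses_per_second: float, expiry_days: int = 90) -> bool:
    """True if exhausting the keyspace takes at least the whole expiry window."""
    return exhaust_seconds(guesses, guesses_per_second) >= expiry_days * SECONDS_PER_DAY


def min_length_for_expiry(charset_size: int, guesses_per_second: float, expiry_days: int = 90) -> int:
    """Smallest password length whose full keyspace outlasts the expiry window."""
    needed = guesses_per_second * expiry_days * SECONDS_PER_DAY
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    for length in (8, 9, 14):
        nt = keyspace(FULL_PRINTABLE_ASCII, length)
        lm = lm_effective_keyspace(length)
        print(f"{length:2d} chars: full keyspace "
              f"{exhaust_seconds(nt, GUESSES_PER_SECOND_FAST) / SECONDS_PER_DAY:14.1f} days, "
              f"LM {exhaust_seconds(lm, GUESSES_PER_SECOND_FAST) / SECONDS_PER_DAY:8.3f} days")
    for rate in (GUESSES_PER_SECOND_2005_PC, GUESSES_PER_SECOND_FAST):
        print(f"Minimum length for a 90-day policy at {rate:.0e} guesses/s:",
              min_length_for_expiry(FULL_PRINTABLE_ASCII, rate))
```

Two things fall out of running it: the minimum length that survives the window depends entirely on the guess rate you assume, so the policy has to be revisited as hardware gets faster; and with LM hashes present even a 14-character password is exhausted in hours at the faster rate, so the expiry interval is doing nothing until the LM setting is turned off as the list above says.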

I'll be the first to admit that while I DO write passwords down... I DO NOT use enough of them in the various places that I use passwords in and I use way too many variations of the same theme.  Then there are some sites that I just don't go into enough to memorize them after a time and if I don't write it down, I'll be resetting it.  Well hopefully I'll be resetting it... there are some websites that merely EMAIL you your password if you forget it.  Oh, that's nice isn't it?  Clear text...emailing me my password?

I did a presentation with a fellow Geeky CPA the other week to several groups of high school students on the topic of Financial Literacy, aka credit card use, budgeting, etc, and one of the last points I made to the class before the class period was over, was that I warned them, urged them, that as they go through life, knowing that they would probably set up many online accounts and passwords, was to choose them wisely.  I tried to trick them into giving me their ATM Pin number but none of them would fall for the bait [good for them!].  Think about it.  At any time have any of us truly gotten a class in passwords?  Training? Anything other than maybe the written password policy part of the Computer security section of the Employee Acceptable Use policy.  And when's the last time a geek or near geek truly READ a document?  Yet look how important they are!  [And yes, 18 year olds did indeed have ATM cards and PIN numbers]

Want to know lots more about Passwords, all sorts of cool stuff about the 'onion layers' or defense in depth?  Any day now the Dr. Jesper Johansson and Steve Riley book, Protect your Windows Network:  From Perimeter to Data will be out and will have tons more information.  And oooh cool, it's even going to have tools:

  • A password generator. Passgen is an enterprise-class, command-line password manager. We discuss it more in Chapter 11, "Passwords and Other Authentication Mechanisms—The Last Line of Defense," and Chapter 8, "Security Dependencies." Also look at the readme for more information.

I think passwords are one of the biggest business security issues because it's the one item that so intertwined with the end user.  It's part of that hard 'end user upgrade' that we admins have to deal with. 

At my friends' house the other day, the wife got a Microsoft biometric keyboard and when I proceeded to indicate that the keyboard could be bypassed with gummy bears... well let me put it this way...after the gleam in the eye of the 10 year old in the house I had to promise him his own keyboard and a promise to Mom that he wouldn't try it on hers and get it all sticky.

Passwords.  So valuable if they are secret, so worthless once they are known.

SBS 2003 sp1 Chat on RIGHT NOW

Join the Small Business Server product team on May 24th, 2005 at 3:00 PM PST 
to find out what Windows Small Business Server 2003 SP1 is all about and get 
your questions answered!

Chat room: http://www.microsoft.com/technet/community/chats/chatroom.aspx 
Sorry about the late notice... almost forgot about this!!
Join the chat NOW!

Dear ZDnet:

Dear ZDnet... when posting a headline could you include the words "known PATCHED flaw"... just a FYI. You make the headline sound like this flaw is NEW and it's something that's not been patched, but it's been fixed since like LAST JULY.

Hello people... you know that most of these computer issues we're still seeing these days are due to NOT PATCHING?

Online extortionists exploit a known flaw in Microsoft's Internet Explorer Web browser to download and run a malicious program.
http://ct.zdnet.com.com/clicks?c=191786-2072731&brand=zdnet&ds=5

So why wait for SBS 2003 premium cdroms?

So why are we saying to order the premium CDroms and wait for them before installing SBS 2003 sp1? 

First off, you can't just use any old ISA lying around, you need the SBS-wrapped version.  This patch will ensure your ISA 2000 rules are retained during the installation as it exports them out and pulls them back into ISA 2004.  [Make sure you disable antivirus and shut it down during this part as my Trend didn't play nice-nice with this part of the install].

Next, you can't put the other parts on first and then wait for ISA 2004 without messing up your ISA 2000 and Outlook over http.  You do this now and you'll need this hotfix to fix that issue for ISA 2000.  Which you could do.... but I'm lazy and would rather do it in one sitting is all.

So that's one of the reasons that we're saying for Premium to order the cdroms.  And yes, you'll need to order one per client, unfortunately.

Chad ran into an issue with his self signed certificates in ISA and Outlook over http, so you probably will want to export that out and re-import it back in [or something along those lines] if you rely on Outlook over http and your end users have already set up the certificates and what not.  Not a biggie but just an inconvenience that needs a heads up so you are forewarned before you install ISA.

Any good installs of SBS 2003 sp1, the newsgrouper asked?

In the newsgroup today came the post “SP1 - any good installs?” and I had to laugh a bit.  First off, I'd say most sane folks are ordering the cdroms and waiting for the media, but keep in mind, the newsgroup is after all..for tech support you know.  When's the last time you ran to the newsgroup and yelled out “Hey Windows update worked perfectly!” or how about “I rebooted just fine!“.  See what I mean?  We don't see the good results, just the problem ones.  So a few days after the SP was released and what's the biggest things we've seen so far?

In general, I think I can sum up the preliminary report as follows:  When you haven't been an SBSer, you've gotten into issues with this service pack.

What am I talking about?  You didn't let the install put everything on the system; you customized your install.  We see that when Outlook isn't installed, the service pack will actually complete properly but will indicate a failure.  We see that when Sharepoint or Monitoring is moved in an unusual way, the service pack doesn't know where to go to find it.  In my own personal case, I totally blew it when I forgot and left antivirus on and didn't manually disable it for the entire install process.   Unplug the RJ45, disable the antivirus, reboot the system so the a/v is not in memory and THEN install the service pack.  My ISA server installation got a smidge stuck on IISadmin being held 'on' by Trend antivirus.

Just remember, in the folder under Program Files\Microsoft Integration\Windows Small Business Server\ you will find the files: Eventlog.txt, Errorlog.txt and Setup.log.  Review the last few entries in each looking for error messages.

Again the main things to keep in mind for a standard vanilla install is watch the harddrive space and disable the antivirus.  Other than that, ask yourself... how good of an SBSer have you been with this box?  If you've been a good SBSer... we probably won't hear from you.  If you haven't been a good SBSer, well then, we'll keep the light on for ya.

Australia and New Zealand - if you want your SBS media, here's your phone numbers

Thanks to Dean Calvert and the Microsoft gang for tracking this down....

  • For Australia the phone number to call for the SBS media is 132058; after you dial the number, select Option 3, followed by Option 4.
  • For New Zealand, call the 0800 800 004 number and select Option 1 or Option 3.


Geographically challenged

If you are from Australia or New Zealand and want to order the SBS 2003 cdrom [remember you need to order one per each client/customer you have] your information on how to order is on the “For customers in Asia and Latin America” link.

Okay folks....correct me if I'm wrong... I've heard the term Asia Pacific...I know that many firms consider Australia in the Asian region, but I'm just always thought Australia is just... well... it's Australia.  But then again I'm geographically challenged and will call Ireland part of Great Britain.  It's not, right?  Or Scotland part of England.  Um...that's not right either is it? 

It's no wonder I have Microsoft's Time Zone in my system tray.  Everything that isn't located in California's Pacific zone.. I tend to screw up time zone conversions and whatnot.  Sometimes us Yanks just don't realize how rude we can be by not being geographically in tune.  So if Australia is indeed Asia, then forgive me.  I'll still consider it that other continent down there that looks like a Scotty dog until someone tells me I'm wrong and have been unintentionally rude once again.

The FRESNO version of SBS is obviously still alive

If you are like me and are digging out your product key to order your SBS 2003 sp1 cdroms, you will probably wonder...what the heck is that other SBS version on the order form drop down menu... What is “Windows Server 2003 for Small Business Server“?  What?  You don't recognize the FRESNO version of SBS?

That's the SBS “For Really Small NetwOrks”... get it?  It's a 15 user max, just the operating system and nothing else; no one in their right mind would want to buy it, and usually they don't, they just order the wrong one.  It's one cdrom... not our 4 or 5, and if you have SBS with Sharepoint/Exchange/the whole shebang... you want the top two product versions.... Standard is without ISA and SQL, Premium is with them.  Remember that this is how you get your ISA 2004.. kewlamundo!  They only want the product key code from the back of disk one.

So if you are an SBSer...trust me... the FRESNO version isn't what you have

“These aren't the droids you are looking for.”

Oh.. wait.. that's the movie... not the service pack....

“Move along.”

P.S.  Fresno is where I live and it's known just enough to be made fun of. 

P.P.S.  The order form said “Please expect delivery of product within 3-10 days, depending on availability of product and ship to location.

If you have questions about your order you may call customer service Monday through Friday, between 8AM and 10PM ET, at (800-360-7561), toll free in the United States and Canada.”

Good to know!

x64 and ISA server and SecureNAT

Leave it to SBSers to be on the cutting edge... we already have one asking about getting a 64-bit OS working behind SBS and ISA Server.  Well the good news is that you can, using SecureNAT; the bad news is you can't using the ISA Firewall Client.  In a nutshell, make sure the default gateway is the SBS server.

Although SecureNAT clients do not require special software, you must configure their default gateway so that all traffic destined for the Internet is sent by way of ISA Server, either directly or indirectly through a router. SecureNAT clients must be configured to use an ISA Server computer as their default gateway, or they can be configured to use a router (or chain of routers) whose default gateway is an ISA Server computer. You can configure clients either by using the DHCP service or manually.
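Here is the check that paragraph implies, as an added example that is not part of the original post or of any Microsoft tool: it reads this client's default gateway and then walks a hand-filled table of router default gateways to confirm the chain ends at the ISA server rather than at a router that sends traffic around it. It assumes Windows PowerShell (Get-WmiObject); the ISA internal address and the router table are constructed for the example, and you fill the table in from your own routers' configs, because a client cannot read another router's default route. It covers the general "chain of routers" case, not only the direct one.

```powershell
# Added example (not from the original post): check that this client's default
# gateway leads to the ISA/SBS server, directly or through a chain of routers, as
# the ISA documentation quoted above requires. Assumptions: Windows PowerShell
# (Get-WmiObject); the ISA internal address and the router table are made up, and
# the table must be filled in from your own routers' configs since a client cannot
# read another router's default route.

$IsaInternalIp = '192.168.16.2'   # assumed SBS/ISA internal NIC address

# The only client-side setting a SecureNAT client has: its default gateway.
function Get-LocalDefaultGateway {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    foreach ($nic in $nics) {
        if ($nic.DefaultIPGateway) { return [string]$nic.DefaultIPGateway[0] }
    }
    return $null
}

# $Hops maps a router's address to that router's own default gateway. Follows the
# chain from the client's gateway and passes only if it ends at the ISA server.
function Test-SecureNatPath([string]$ClientGateway, [hashtable]$Hops,
                            [string]$Isa = $IsaInternalIp, [int]$MaxHops = 8) {
    $path = @($ClientGateway)
    $next = $ClientGateway
    while ($next -ne $Isa) {
        if ($path.Count -gt $MaxHops) {
            return New-Object PSObject -Property @{ Ok = $false; Path = $path; Reason = 'too many hops' }
        }
        if (-not $Hops.ContainsKey($next)) {
            return New-Object PSObject -Property @{ Ok = $false; Path = $path; Reason = "$next is neither a known router nor the ISA server; traffic bypasses ISA" }
        }
        $next = $Hops[$next]
        if ($path -contains $next) {
            return New-Object PSObject -Property @{ Ok = $false; Path = $path + $next; Reason = 'routing loop' }
        }
        $path += $next
    }
    New-Object PSObject -Property @{ Ok = $true; Path = $path; Reason = 'default route terminates at ISA' }
}

# Constructed sample table: a branch router that forwards to ISA, and one that does not.
$routers = @{
    '192.168.20.1' = '192.168.16.2'   # branch router -> ISA internal NIC
    '192.168.30.1' = '10.0.0.1'       # router whose default route goes elsewhere
}
Test-SecureNatPath -ClientGateway '192.168.16.2' -Hops $routers   # client points at ISA directly
Test-SecureNatPath -ClientGateway '192.168.20.1' -Hops $routers   # client behind the branch router
Test-SecureNatPath -ClientGateway '192.168.30.1' -Hops $routers   # client whose traffic never reaches ISA

# Live check of the machine this runs on (e.g. the x64 box from the newsgroup).
$gw = Get-LocalDefaultGateway
if ($gw) { Test-SecureNatPath -ClientGateway $gw -Hops $routers } else { 'no default gateway set' }
```

The third sample is the one that bites in practice: the client has a gateway, name resolution works, and everything looks fine on the workstation, but the router's own default route skips ISA, so nothing gets filtered or logged. Run it on the client after DHCP or the manual gateway change and keep the router table next to your network diagram.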

P.S.  The world will be 64 bit in due time... so if our young Padawan from the newsgroup would just be a bit more patient...

Allocated memory alert ... one more time

Alert on DOMAIN at 5/13/2005 8:29:05 PM

A large amount of memory is committed to applications and processes.
Consistently high memory usage can cause performance problems.

To determine which processes and applications are using the most memory, use
Task Manager. Monitor the activity of these resources over a few days. If they
continue to use a high level of memory and are less critical processes or
services, try stopping and then restarting them.

You can disable this alert or change its threshold by using the Change Alert
Notifications task in the Server Management Monitoring and Reporting taskpad.


So when I installed ISA 2004, I now have my allocated memory alert being thrown off by the MSDE instance tied to ISA server 2004.

So... how do I know this?  Because my task manager told me so.... and every night at exactly 8:30 p.m. I would get paged with a stupid allocated memory alert error [yeah, I have critical alerts sent to my cell phone as alerts].  As you can see, the commit charge is running a bit “hot“ in my book, especially since before ISA 2004 it was certainly not using that much memory.

That commit charge is running a bit hot again... so the first thing I do is look at what services are 'yanking' the memory again.

First we fire up Task Manager and we see that our friend store.exe is our main memory 'sucker', and that's normal, but that one right underneath... we need to see what it is.  We previously adjusted the Task Manager view [click View] to show the PID; now we need to fire up tasklist to double check.

Okay, so what does tasklist /svc from a command prompt tell us?

Ah ha...it's our Firewall monitoring service ....see that MSSQL$MSFW?  That's our ISA server monitoring that indeed needs to be throttled.

If you've checked out the instructions in the SBS 2003 sp1 document [the community one, not the official one], you'll know that the recommendation is to run a few commands to throttle that instance.  So open a command prompt and type in the following:

  • osql -E -S %computername%\MSFW
  • sp_configure 'show advanced options',1
  • reconfigure with override
  • go
  • sp_configure 'max server memory',NNNN (where NNNN is the cap in MB; the recommended amount is 100 MB for SBS)
  • reconfigure with override
  • go

and end the session with

  • exit

As you can see the commit charge has now gone way down.

And you can see that PID 1612 [our firewall monitoring MSDE instance] is no longer sucking that memory.
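Here is the same throttle as a script, as an added example that is not part of the original post or of the community guide: it maps the MSSQL$MSFW service to its PID and working set (what Task Manager and tasklist /svc showed above), caps 'max server memory' with the same sp_configure calls as the osql procedure, and reads the setting back so you know it took. It assumes Windows PowerShell on the SBS box, run by a local administrator who is sysadmin on the MSFW instance; the 100 MB figure is the community guide's recommendation quoted above, not my own number.

```powershell
# Added example (not from the original post): cap the ISA 2004 MSDE instance's
# memory the way the osql steps above do, with a before/after look at the process.
# Assumptions: Windows PowerShell on the SBS server, run as a local administrator
# who is sysadmin on the MSFW instance (true for BUILTIN\Administrators by default);
# the 100 MB cap is the community guide's recommendation quoted above.

$serviceName = 'MSSQL$MSFW'               # single quotes keep the literal $MSFW
$instance    = "$env:COMPUTERNAME\MSFW"   # same target as: osql -E -S %computername%\MSFW
$capMB       = 100

# What 'tasklist /svc' showed above: the service's PID and how much it is using.
function Get-InstanceMemory {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw "$serviceName is not running" }
    $proc = Get-Process -Id $svc.ProcessId
    New-Object PSObject -Property @{
        Service      = $serviceName
        PID          = $svc.ProcessId
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
    }
}

# Runs T-SQL on the MSFW instance with Windows authentication (osql -E equivalent).
# Use -Query when the statement returns rows.
function Invoke-MsfwSql([string]$Sql, [switch]$Query) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=True;Connection Timeout=15")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        if ($Query) {
            $table = New-Object System.Data.DataTable
            $table.Load($cmd.ExecuteReader())
            return ,$table                 # comma keeps the table from unrolling into rows
        }
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

# The two batches from the osql procedure: expose advanced options, then set the cap.
function Set-MsfwMemoryCap([int]$MB) {
    Invoke-MsfwSql "EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;"
    Invoke-MsfwSql "EXEC sp_configure 'max server memory', $MB; RECONFIGURE WITH OVERRIDE;"
    # sp_configure with only the option name reports config_value and run_value.
    $row = (Invoke-MsfwSql -Query "EXEC sp_configure 'max server memory'").Rows[0]
    if ([int]$row.run_value -ne $MB) {
        throw "max server memory is $($row.run_value) MB, expected $MB"
    }
    return [int]$row.run_value
}

Get-InstanceMemory | Format-List            # before
Set-MsfwMemoryCap -MB $capMB
Start-Sleep -Seconds 30                     # the engine trims its working set, not instantly
Get-InstanceMemory | Format-List            # after
```

The read-back at the end is the part worth keeping: run_value is what the engine is actually honoring, and if someone later reruns the ISA setup or restores a config the value can quietly go back to the default, which is exactly when the 8:30 p.m. pages start again.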

And I'm once again a happy camper... along with my SBS box.

Star Wars to Bill Gates to finding the balance

You know the story of Star Wars ....that Anakin was destined to bring 'balance to the force', and the phrase 'bring balance' is something that even Bill Gates is talking about.  As I'm blogging from the train, around me are folks on cell phones, laptops, dvd players playing and what not.

Just the same week that Bill Gates talks about "information overload", a friend sends a message that he's tuning out for a bit to bring a bit of balance back in his life.  You read the story of how email is like being on marijuana as far as attention spans and what not?

I think that's the mode we're in right now aren't we?  We have this 24x7 world that we've built and now we're asking ourselves, hmmmm.... maybe we haven't done such a good thing after all?  Maybe realizing that technology is just an aid to make our lives better, but not our lives should be something that we all think of.

Finding the balance.... just the right amount of technology without it being too much.  What do you do to find that spot?

Can't they have secure computers a long time ago?

Back from the Star Wars movie and it seems like that even a long time ago in a galaxy far away we still can't have secure systems.  At one point in time the security code for the secret Jedi transmission was broken for a certain reason.... one that I won't go into ...so as to not spoil the movie. 

I think it just goes to show that we're always going to have security issues to deal with, don't you think?

...and yes, it was very fun and tied up a lot of threads between the movies I grew up with and those of today.

Broadcasting from the 7:00 line for Star Wars

On the aircard broadcasting from the 7:00 p.m. line for the Star Wars Movie [yes it's only 4 p.m.] and us die hards are here in our chairs in front of the theater.  I'm not the only one with a Yoda doll in line.  So far no sightings of folks in costume....yet... but the night is young. 

I've got a shot of my talking Yoda up next to a Darth Vader doll that I'll upload later.

Okay so I am a bit insane...but I think everyone knew that.

"I want to see the code"

I was uploading some stuff to a website earlier today and the 10 year old son of my best friend says “oooh let me look at the code”.  You see I was using FrontPage, and while I was happy as a clam to be using the GUI interface and posting the webpage like that, he wanted to see the HTML code that the program built.

“Oh I've coded a page like that” he said in a bit of a 'oh I've done that before' kind of voice.

Can you imagine when he's an adult?  Already at the dinner table tonight we were talking about computer security and what not.  Wonder if he'll take security for granted. 

Already he saw that I was using Thunderbird for my junky email box and asked “Do you know about Firefox?“

Should be interesting to see what the future holds for him.

So which processor should I get?

Went to Fry's tonight.. you know..the geek version of Disneyland ...and was looking to upgrade my poor home workstation that's getting a bit ancient.  So looking at the processors there we were looking at AMD versus Intel and it was sort of a toss up between the two.  I'm thinking I might want to make sure the board supports 64 as well as 32, and possibly look into the DEP protection stuff.  Fortunately, I have a fellow geek that is really into hardware [has a tivo, media center edition, and about 5 computers here] so we were motherboard/chipset comparing at Frys.  

He has the ability to view media content from any device on the network here at home.  Kinda kewl.

Just a heads up ...blogging will be a bit light as tomorrow evening is the Star Wars movie get together.

SeanDaniel.com on Channel 9!!!

SeanDaniel.com, Mr. SBS Mobility to the world, is on Microsoft's Channel 9:

Hmmm... wonder if I can get a media file autographed the next time we see him at SMBnation?  Mr. Daniel?  Can we have your autograph please?

The business process of your client

I'll probably insult every SBS consultant around...but here goes.... I don't think you are doing enough for your client. 

Hear me out..... every day I walk into businesses.... I walk into my OWN business and the processes we use for our daily business are so inefficient it's not funny.  And yet, if you want to take your client to the SBS "and" stage of the business relationship..... SBS and CRM... or SBS and Great Plains or SBS and Small Business Accounting...., you don't need to understand technology and TCP/IP stuff.... you need to understand their business process 'stuff'.

How does the document flow work?  Why do you handle documents like that?  Why are you typically using some Excel spreadsheet to kludge information from your existing programs?  And why is it that the people hired to handle the paperwork tend to do things "just because we've done it this way' and no one stops to ask....'gee is there a way to make it better?'

You come in ...you sell SBS to a customer and neither they, nor you, honestly take the time to fully inform the client of all that they can do with their SBS box.  Since the box works so well, it's just back there chugging away and for most bosses... SBS isn't the server in the other room... it's the Internet ...or it's Outlook. 

But start to look at SBS "and" and the picture changes..... you have to do lots more investigation and analysis of business flow... and efficiencies.  It's about 'where is the best place to capture data' to get it into the pipeline efficiently and effectively, and is the data you've collected of relevance?  If you aren't going to use data... why capture it?

I was listening to a Gartner Group audio and they made the point to not jump on technology just for technology's sake... it needed to solve a business need.  Take RFID... it fits best, they said, when the items tracked are scattered and random.  If the items you need to track are more organized... bar codes are actually the better solution.

The moral of this story is... don't just throw technology at a problem if you haven't taken the time to understand what the problem is in the first place.  Are you listening to your client's pain?  Are you identifying deficiencies in business processes that need fixing?  If you are just throwing technology at your client, it may not be the right thing for them.

Typed on a bus  on my way to LA for the Star Wars movie with friends on my tablet pc using the Cingular air card so if there are typos......

The difference between vanilla ice cream and rocky road

I like ice cream.  Ice cream without nuts.  My favorite is homemade vanilla ice cream.  A smidge of orange flavoring and it's clean, crisp taste doesn't even need any topping at all.

I hate Rocky Road icecream.  Nuts... ugh... hate them even in cookies.  Don't mind them all by themselves, but not in cakes or desserts.

And that's the explanation for all the 'look out fors' that are talked about in the "how to install SBS 2003 sp1" document on the www.smallbizserver.net site. 

For someone who's got a clean, crisp, homemade vanilla SBS 2003, you'll do just fine and never see any of the issues discussed on that page.  For OEM folks, I would argue your main issues should be two things... turn off antivirus and watch the space on your c: drive.

For someone who's customized the heck out of their SBS 2003, set up new instances, removed folders, not let the wizard install, watch out for those icky nuts in the ice cream.  I try to eat around the nuts when I'm stuck with Rocky Road ice cream.

So, don't get me wrong, you should still plan for this service pack, have a backup, shut off antivirus [and unplug the internet], watch your c: drive space, the issues discussed on that page are extremes.  It's not homemade vanilla with orange liquor that's for sure. 

Just a reminder... READ... I MEAN READ

The release notes and install notes for SBS 2003 sp1 are hitting the download site, which must mean that the service pack is about ready to be declared “done”.  Take this time to READ THEM.

And yes, there it is...

http://www.microsoft.com/windowsserver2003/sbs/downloads/sp1/default.mspx

and especially read this, BUT REMEMBER... this document is primarily geared towards folks that have customized SBS boxes... if you have done little to no customization, the only things you need to worry about are enough hard drive space [2 gigs or more] and shutting off antivirus... if you are a 'normal' SBS and not one of the wackos, you should be just fine....

NEWS...BREAKING NEWS....BREAKING NEWS....

Hi all,

Microsoft Small Business Server 2003 Service Pack is available for download. 

On www.smallbizserver.net the SBS MVP's have written a document that assists you in installing SBS 2003 SP1. These documents and the forum are only accessible by registered users. Become a registered user on
www.smallbizserver.net and enjoy the benefits. http://www.smallbizserver.net/Default.aspx?tabid=210 

How to install Service Pack 1 for SBS 2003:
http://www.smallbizserver.net/Default.aspx?tabid=236 We have a forum where you can discuss SBS 2003 SP1: http://www.smallbizserver.net/Default.aspx?tabid=53&view=topics&forumid=6

Mariëtte Knap & Marina Roos
Microsoft SBS-MVP
The Magical M&M's

In case you need a little assistance for tomorrow

The gang forwarded this to me.  For those seeing the Star Wars movie it might help you out tomorrow.

I'm thinking about packing my talking Yoda and taking him with me to Big Newport theater.

um....really I'm harmless....well....most of the time anyway.....

Microsoft security advisory for TCP/IP

This alert is to notify you of the release of Microsoft Security
Advisory (899480).

Microsoft is aware of a new vulnerability report affecting TCP/IP, a
network component of Microsoft Windows.

Microsoft is not aware of any attacks attempting to use the reported
vulnerability and have no reports of customer impact at this time.

Changes made during the development of Windows XP Service Pack 2,
Windows Server 2003 Service Pack 1, and the MS05-019 security update
eliminated this vulnerability.
If you have installed any of these updates, these updates already help
protect you from this vulnerability and no additional action is
required.

Because this vulnerability does not reproduce on systems that are fully
updated, no additional security update is required; therefore, it would
not be appropriate to update the previously released security bulletin.

This Microsoft Security Advisory is located at this location:
http://www.microsoft.com/technet/security/advisory/899480.mspx
Microsoft Security Advisories are located at this location:
http://www.microsoft.com/technet/security/advisory/default.mspx
If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team


Bottom line.. if you have Windows Updated... no worries.

Matching T Shirts? -check- Watched IV? -check- Tickets? -check-

Unlike Dana who informed me he's going to Star Wars tonight at midnight, NO I'm not going until this weekend.  We have this ritual that we go down and visit close friends in Los Angeles so on Saturday night, I'll be at the Big Newport Theater watching Star Wars.  Yes we have the matching Tshirts packed, the tickets already bought, and last night watched [what used to be Star Wars I to me], Star Wars IV.

If you haven't figured out already, I'm a big fan and equate the SBS platform to Yoda... don't underestimate SBS.  We may be little, but you can't judge us by our size, as Yoda would say. 

As I was watching Star Wars IV[I] last night and it was a bit confusing I must say... when Obiwan is 'saying your father was killed by a young pupil of mine'... you want to say... George?  Sir?  Did you forget what Ben said?  Ben lied to Luke about his Father?  I mean ...what gives?

And DON'T ANYONE SPOIL IT FOR ME!

In case you happen to be in Los Angeles this weekend.... I'll be wearing a shirt like that below...and yes, I'm forcing a group of well...sort of grown up folks to wear matching shirts...

We may be AWEsome but we don't use AWE

On the SQL server sp4 page it lists a warning about patching if you have AWE:

Warning: Microsoft has found an issue with the final build of SP4 that impacts customers who run SQL Server with Address Windowing Extensions (AWE) support enabled. This issue only impacts computers with more than two gigabytes (2 GB) of memory where AWE has been explicitly enabled. If you have this configuration, you should not install SP4. Microsoft is currently working on the problem and will issue an update soon.

Now I know SBS is AWEsome, but I don't know about having AWE.

Well the good news is we don't have it, as it's only in SQL 2000 Enterprise.

Can't be at TechEd? Got an Internet connection?

Kewlamundo!!!!  While I can't be at TechEd in Orlando this year, I do have the ability to see some of the sessions right from my own computer!

Let's see there's Dr. Jesper Johansson and the Security Configuration Wizard...there's Steve Riley on Security Policies.....there's Mark Russinovich on Malware.... there's Corey Hynes on WSUS [still Shavlik is wayyyyyyyyyyyyyyyyyy easier] ... oh be still my beating heart!!!

Aaron Margosis on tricks to running Windows with least privilege!!!

I've died and gone to heaven.  The rest of the TechEd Simulcasts are here but ... as you can tell... I'm kind of partial to the security based ones.

Handy Andy - SBS Web chat at 4:00 p.m. PST

Handy Andy will be presenting his monthly SBS web chat in less than 10 minutes.. BE THERE!

Today at 4:00pm pst 7:00pm est is the SBS Chat at www.mcpmag.com/chats

Hope to see you there!

The worst thing about blogs are

The worst thing about blogs is that they are a diary, so postings I make on one day are updated later.

IF YOU ARE LOOKING FOR THE TREND PATCH TO FIX THE SCAN MAIL, I CAN'T SEND IT TO YOU BUT IT'S RIGHT HERE:

http://kb.trendmicro.com/solutions/search/main/search/SolutionDetail.asp?SolutionID=23065

I've sent an email directly to Kevin to let him know it's available... but the easiest thing to do would be to come into the newsgroups or yahoogroups and ask the question live.  The blog is like a diary.

Hope that helps Kevin!

P.S. the worst thing about Trend's tech support is they are closed after 5 and on the weekends.  Really annoying.  I don't understand why patches like that can't be more easily available to partners that need it.

Security Configuration Wizard is cool...but...

Amy reminds us that the SCW is really cool, but SBS is pretty tweaked as it is all by itself, so you really don't want to run it on your system.

What you CAN do to harden your system is to KILL OFF ANY REMAINING WINDOWS 98 YOU MAY HAVE ON THE FACE OF THE PLANET.

.... okay now that I've gotten that out of my system...just a reminder too that as of June 30, you'll need to be on Windows 2000 sp4.  So if you have any vendors that won't support SP4.... you might want to have a nice heart to heart with them....and ...oh... consider a new vendor maybe?

Feng Shui? Fwengmon? Say what?

Tristan talks about a new tool we SBSers with Premium had better get used to ... I just know I'm going to end up calling it Feng Shui rather than FWEngMon which means it's the Firewall Kernel Mode tool.  It looks like our old friend netstat -ano isn't going to cut it anymore and we'll need to use this to augment when we need to look at events on the server.

Read his post.... “Rather than bind a listener directly when a publishing rule is created, ISA 2004 creates a creation object in FWENG, and it lies in wait for traffic meeting the creation object criteria to arrive before pouncing on them and forwarding them to the published server”

Hmmm.....Pouncing, huh?

...maybe that's the logo for ISA server... I suddenly get this image of Calvin and Hobbes.... Well Hobbes mostly.

Cool.

Sprechen Sie Deutsches?

Wenn Sie eine Menge deutsche email heute erhalten haben, nicht sicher, wenn sie am Sober.Q liegt, das varient ist, oder nicht aber geben Sie acht.  Vor einige Plätze blockieren Reißverschlußakten [ mich habe einer langen Zeit ]

Which means....[well hopefully it means courtesy of Google translations]

If you've been getting a lot of German emails today, not sure if it's due to the Sober.Q variant or not, but be careful.  Some places are blocking zip files [I have for a long time].

Incidents.org is reporting this along with fellow Internet-ers.  Remember that SBS has the ability to natively block attachments EVEN WITHOUT your antivirus.  Remember, if you don't need the file.. block it.  And yes, it does appear to be due to the Sober.Q variant.

And hey Sean?  Another RSS feed for Viruses from Kaspersky!

Restricting Remote Web Workplace

Want a little extra security for Remote Web Workplace?  From the mailbag today comes the question ”Can you please advise whether there is any way of blocking access to certain SBS 2003 Users for RWW?“ and the answer is... sure... what do you want to block?

First off, there are tweaks you can do to block certain options inside Remote Web Workplace... don't want to offer to map drives?  Chad has the information to adjust that off.

You are probably looking for this tweak, which controls which workstations show up in RWW.

Add this registry value to exclude certain workstations from showing up in RWW:

HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\ExcludeList

The value is a string (REG_SZ) consisting of a comma-delimited list of the computers you want excluded.

Example:
joecomp1,janecomp1,jackcomp1

Finally, want to totally remove the links?  [Which I wouldn't recommend... but...]

For administrator:
1. Open Registry Editor.
2. Navigate to HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\AdminLinks.
3. In the right pane:
   Set ServerTS=0 to prevent Access Server Desktops
   Set ClientTS=0 to prevent Access Client Desktops

For users:
1. Open Registry Editor.
2. Navigate to HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\KWLinks.
3. In the right pane:
   Set TS=0 to prevent Access my computer at work
   Set AppTS=0 to prevent Access my company's application-sharing server

[Note] If you run the CEICW again after configuring the registry, the original settings will be restored and you must configure the settings again.
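Since the CEICW puts all of this back, you will be reapplying it, so here it is as a script: an added example that is not part of the original post or of SBS itself. It assumes Windows PowerShell run as a local administrator on the SBS 2003 server, that ExcludeList is a REG_SZ value and the link switches are REG_DWORD values (0 = hidden), as the instructions above imply, and the workstation names are made up. Keep in mind that ExcludeList only keeps those workstations out of the RWW list; it is not a per-user deny.

```powershell
# Added example (not from the original post): apply and read back the Remote Web
# Workplace registry tweaks described above. Assumptions: Windows PowerShell run as a
# local administrator on the SBS 2003 server; ExcludeList is a REG_SZ value and the
# link switches are REG_DWORD values (0 = hidden), as the instructions imply; the
# workstation names are made up.

$rwwBase = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal'

# Comma-delimited, no spaces, matching the example in the post. Returns what was written.
function Set-RwwExcludeList([string[]]$Computers) {
    $clean = @($Computers | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $value = $clean -join ','
    Set-ItemProperty -Path $rwwBase -Name ExcludeList -Value $value -Type String
    return (Get-ItemProperty -Path $rwwBase -Name ExcludeList).ExcludeList
}

# $Switches maps subkey -> @{ valueName = 0|1 }, e.g. the two key sets from the post.
function Set-RwwLinks([hashtable]$Switches) {
    foreach ($subkey in $Switches.Keys) {
        $path = Join-Path $rwwBase $subkey
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Switches[$subkey].Keys) {
            Set-ItemProperty -Path $path -Name $name -Value ([int]$Switches[$subkey][$name]) -Type DWord
        }
    }
}

# Snapshot of everything above, so you can diff it after the CEICW has run again.
function Get-RwwSettings {
    $result = @{}
    $result['ExcludeList'] = (Get-ItemProperty -Path $rwwBase -ErrorAction SilentlyContinue).ExcludeList
    foreach ($subkey in 'AdminLinks', 'KWLinks') {
        $path = Join-Path $rwwBase $subkey
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $result["$subkey\$($p.Name)"] = $p.Value }
            }
        }
    }
    return $result
}

Set-RwwExcludeList -Computers 'joecomp1', 'janecomp1', 'jackcomp1'
Set-RwwLinks @{
    AdminLinks = @{ ServerTS = 0; ClientTS = 0 }   # hide Access Server/Client Desktops
    KWLinks    = @{ TS = 0; AppTS = 0 }            # hide Access my computer / application-sharing server
}
Get-RwwSettings | Format-Table -AutoSize
```

Save the Get-RwwSettings output before you run the CEICW and compare it afterwards; that is the quickest way to see exactly which of these the wizard reset, rather than finding out when a user reports the link came back.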

SBS on the front lines....

The question typically comes up in SBSland ...or those just entering it....

What if the server goes down?  How do we deal with that?”

Easy.  You deal with it.

First off, understand that the majority of my downtime issues with my server have been hardware based.  Switch failed.  NIC in the server failed.  I had one drive in a RAID 5 fail on me once, but I deal with it and the down time is minimal.  I've built in things like having all Windows XP machines so they'll log into the profile whether the server is up or not [the workstations use cached credentials to log into the domain].  I can count on one hand the number of times my server has gone down, and I've been able to easily keep going and plan around it.

If you don't have a server now, but a peer to peer with a DSL connection... how do you deal with your downtime issues now?  I mean you do have your data in one place... a 'mothership' peer machine, right?  You said you have a shared file server now.... what if it goes down?  As far as Internet access... again, it's been extremely rare that I have outages.  As far as 'downtime', I plan for security patches on Friday nights [I don't let the server autopatch], and it hasn't been an issue.

For email, if the POP connector is used, mail is left on your ISP's servers until you fetch it; if you receive mail directly via your MX record, you can get companies like tzo.com to provide a backup MX record.

Because I am a paranoid wacko I do tend to stick a cheap router between me and my RRAS firewall at home and my ISA server at the office and only forward those ports [443/4125 for example] to the network.  This just makes me feel better.  ISA could handle this all by itself... but... I'm just flat out paranoid and like it this way.

A great resource for network setups can be found at Smallbizserver.net and is a great guide for setting you up right.

So to Michael in Chicago, IL... check out techsoup.org and to answer your question... SBS works... I'm proof positive... running behind one here at home... and all the time at the office.  Hasn't skipped a beat yet.

Shavlik made me vaklempt

Got an email saying that Shavlik updated their XML for patches on Friday and buried in the updates are.... sniff..sniff... SBS ones are included now...  I just pinged Shavlik to update from version 4 to version 5... kewlamundo!

Shavlik Technologies has released updated XML files for Shavlik HFNetChkPro 5.

XML data version = 1.1.2.440  Last modified on 5/13/2005

This update includes the following changes:

Added 13 new non security patches to the WUScan XML file.  These patches can be scanned and deployed using the WUScan template in Shavlik HFNetChkPro 5 and Shavlik NetChk Patch.  Alternatively, you may create a custom scan template and choose 'Non-security Patches' from the PatchTypes tab.

Added the following: MSWU-004, MSWU-005, MSWU-006, MSWU-008, MSWU-009, MSWU-010, MSWU-011, MSWU-012, MSWU-013, MSWU-014, MSWU-015, MSWU-016, MSWU-017 (there is no MSWU-007 at this time)

Details of all 16 MSWU patches listed below:

 

MSWU-001 892313

Updates for Windows Media Player 9 Series and for Windows Media Player 10

Applies to: WMP9 and WMP10

In certain situations, certain types of Windows Media Digital Rights Management (WMDRM)-protected content may cause Windows Media Player to redirect a user to a Web page to acquire a license without prior warning. This redirect may occur even if a user has cleared the Acquire licenses automatically for protected content check box on the Privacy tab of the Options dialog box.

 

MSWU-002 842773

BITS 2.0 and WinHTTP 5.1

Applies to: Win2K, XP, WS03, SBS03

An update package that includes BITS 2.0 and WinHTTP 5.1 is now available for Microsoft Windows Server 2003, for Microsoft Windows XP, and for Microsoft Windows 2000. This package updates BITS to version 2.0 and updates WinHTTP 5.1. These updates help guarantee an optimal download experience when you use future versions of the Automatic Update service, of Microsoft Windows Update, and of other programs that rely on BITS to transfer files by using idle network bandwidth.

 

MSWU-003 893803

Windows Installer 3.1

Applies to: Win2K, XP, WS03, SBS03

(Microsoft has removed this patch from their download center.  When Microsoft has updated this patch, we will update our XML files to include this file for download.

 

MSWU-004 884020

Update for Windows XP Service Pack 2 (KB884020)

Applies to: XP SP2

On a computer that is running Microsoft Windows XP with Service Pack 2 (SP2), programs that connect to IP addresses that are in the loopback address range may not work as you expect. For example, you may receive an error message that says that you cannot establish a connection. This problem occurs if the program connects to a loopback address other than 127.0.0.1. Windows XP Service Pack 2 (SP2) prevents connections to all IP addresses that are in the loopback address range except for 127.0.0.1.


MSWU-005 886185

Critical Update for Windows Firewall 'My Network (subnet) only' scoping in Windows XP Service Pack 2

Applies to: XP SP2

After you set up Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that anyone on the Internet can access resources on your computer when you use a dial-up connection to connect to the Internet. For example, after creating an exception in Windows Firewall for File and Printer Sharing, you may discover that anyone can access shared files and printers.


MSWU-006

Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element update for Windows XP Service Pack 2

Applies to: XP SP2

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for computers that are running Microsoft Windows XP with Service Pack 2 (SP2) is available. This update enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access. These locations are otherwise known as Wi-Fi hotspots.


MSWU-008 887222

RPC Filter Update for Windows Server 2003 Service Pack 1

Applies to: ISA 2000 SP2 (will install on both Win2K and WS03 ISA SP2 systems)

Windows Server 2003 Service Pack 1 makes significant changes to the Remote Procedure Call (RPC) service with the addition of registry keys, including the ability to enable users to modify the behavior of all RPC interfaces on the system, and eliminate remote anonymous access to RPC interfaces on the system (with some exceptions). New RPC features are not supported by ISA Server’s RPC filter and such RPC traffic fails through ISA Server. This update fixes these RPC issues in ISA Server 2000.


MSWU-009 887742

You receive the Stop error "Stop 0x05" in Windows XP Service Pack 2

Applies to: XP SP2

A computer that is running Microsoft Windows XP Service Pack 2 (SP2) unexpectedly stops with the error message 'Stop 0x05 (INVALID_PROCESS_ATTACH_ATTEMPT)'.


MSWU-010 826942

Update for Microsoft Windows XP: KB826942

Applies to: XP SP1

This update provides support for Wireless Protected Access, a new standards-based wireless security solution developed by the Wi-Fi Alliance. WPA is intended to replace the existing Wired Equivalent Privacy (WEP) standard, offering much more robust methods of encryption and authentication and resulting in a new level of protection for customers taking advantage of the wireless features of Windows XP.


MSWU-011 885222

Update for Windows XP (KB885222)

Applies to: XP SP2

After you install Windows XP Service Pack 2, some 1394 devices (such as digital cameras that use S400 speed) may not perform as expected. Install this update to help prevent this issue.


MSWU-012 872769

Update for Windows Small Business Server 2003: KB 872769

Applies to: SBS03

By default, the Windows Firewall that Windows XP Service Pack 2 (SP2) includes is disabled by a Group Policy setting in all Windows Small Business Server 2003 networks. To enable the Windows Firewall on computers running Windows XP SP2, install this QFE on the computer running Windows Small Business Server 2003.

(this patch cannot be uninstalled)


MSWU-013 832880

Critical Update for Windows Small Business Server 2003 (KB832880)

Applies to: SBS03

This critical update corrects the issue 'Installation of intranet component and browsing to http://companyweb fail in Windows Small Business Server 2003' (KB 832880). Installations and upgrades performed after November 24, 2003 may be affected by this issue.


MSWU-014 835734

Update for Windows Small Business Server 2003: KB 835734

Applies to: SBS03

There is a problem with how the POP3 connector processes certain messages downloaded from a POP3 server. This problem could result in the POP3 connector accidentally re-sending certain messages to recipients who are not part of the SBS server e-mail domain. This may happen only in the cases where the POP3 connector is used to download mail from an external POP account. Customers using Exchange to host their mail internally will not experience this problem. This update resolves this issue. All SBS customers are encouraged to install this update.


MSWU-015 833992

Hotfix for Windows Small Business Server 2003: KB 833992

Applies to: SBS03

This download addresses a particular way mail downloads can fail when using the POP3 connector in Small Business Server 2003. This issue causes the process IMBDOWNL.EXE to hang with CPU utilization at 25, 50 or 100%. A warning with event ID 1067 will be recorded by the POP3 server in the event log when this error occurs.


MSWU-016 842933

String Truncation Error Message When Editing GPOs: KB842933

Applies to: Win2K, XP, WS03, SBS03

When you try to modify or to view Group Policy objects (GPOs) on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP Professional with Service Pack 1 (SP1), or Microsoft Windows 2000, you may receive an error message that is similar to the following: The following entry in the [strings] section is too long and has been truncated. Some text may be displayed after this error message, and this text varies in different scenarios. Additionally, if you click OK in the error message window, a similar error message may be repeated. Each error message that is repeated has different text that is displayed after the error message.


MSWU-017 831664

Windows Small Business Server 2003: KB 831664

Applies to: SBS03

When you configure a backup by using the Server Management console in Microsoft Windows Small Business Server (SBS) 2003, the backup operation may be unsuccessful, and you may receive the following error message in the backup log when the backup starts: The requested media failed to mount. The operation was aborted. The backup destination may also be set to "miniQIC" instead of to the actual tape drive, and you may not be able to change this selection.


- The Shavlik XML Team


Okay ...let's have at it.... how do you partition?

Since I know the last blog post will probably bring up this question ....let's have at it.

How do YOU partition your servers?  As you can see from my blog post, I do indeed have one for the OS [and it's a pretty healthy sized one, since I leave room for Shavlik to lay down patches], then one for Exchange, and lastly one for data.

I would say typically for the OS we're seeing recommendations of 10 to 12 gigs [I think I did 20 because I'm paranoid] and then after that it gets a bit blurry...some people have different 'recipes' for partitions.

So ...what's yours?

Learn something new every day

I was messin' around with my computer at the office and realized that the virtual memory on it was at a maximum range of 4096.  Huh? I have 4 gigs of physical RAM [uh yeah... I overbuy] and shouldn't the virtual page file be automagically 1.5 times the physical RAM?  Well, I didn't realize that when you are on the Windows 2003 Standard operating system with 4 gigs, you are limited to 4096 per partition.  Silly me didn't realize that because of that I only had a page file max of 4096.  Needless to say I went into Start, Control Panel, System, Advanced, Performance, Settings, Advanced again, and reviewed what the system set up as a paging file.  Make sure yours is within the recommended range that is suggested.  This is also a strong argument for partitions, because I easily set up another page file on my other partition.  Since 4096 is the max on one partition, I had to fit the remainder on another.

See that recommended of 5374 and how I only have 4096?

I now have another virtual page file on another partition and meet the recommendation that my system was trying to tell me. 

I was poking around finding background information and found Bruce Sanderson's article, which pointed to the comparison between 32-bit and 64-bit.  Wow... on the 64-bit platform 16 terabytes of virtual memory can be accessed versus my puny 4 gigs.  No wonder Eric loves 64-bit.

The password is......

True Story.

A private school recently implemented/installed new computers and gave them passwords for security so only authorized teachers could get into the computers.  In the auditorium/cafeteria there is a computer attached to a projector, and one of the teachers needed to get into the system and said to the principal, “Hey, I need to get into this system.”

There in the filled auditorium/cafeteria with children in the room... the principal loudly said across the room for all to hear....

“The password is .....”

And now everyone in the room knew the password.

So simple really... it's something that should be private.  And yet so quickly it's lost its value.  Once it's known by all, its auditability, its accountability, all of its value is gone.

Passwords are a foundation of our Computer security and yet just today...when I asked someone to think of a password for an online research site, he hemmed and hawed and couldn't think of a solid password.  You know we keep saying that our Software vendors need to learn secure coding techniques...maybe WE need to go to “password” classes.

Eric's blog the other day had a story about passwords and security and how little it was valued.

Passwords 101.  In my mind we can't teach it soon enough...to all of us out here.

Top 25...do you agree?

CNN came out with a listing of top 25 technology innovations....they are:

    TOP INNOVATIONS
1. The Internet
2. Cell phone
3. Personal computers
4. Fiber optics
5. E-mail
6. Commercialized GPS
7. Portable computers
8. Memory storage discs
9. Consumer level digital camera
10. Radio frequency ID tags
11. MEMS
12. DNA fingerprinting
13. Air bags
14. ATM
15. Advanced batteries
16. Hybrid car
17. OLEDs
18. Display panels
19. HDTV
20. Space shuttle
21. Nanotechnology
22. Flash memory
23. Voice mail
24. Modern hearing aids
25. Short Range, High Frequency Radio

pssst...what the heck is MEMS aka microelectromechanical system at number 11?

You know you do a little too much beta testing when.....

You know you are one wacko beta tester when...

  1. Every computer and server you have at home practically permanently has “For Testing purposes only. Build blah blah” burned into the screen in the bottom corner
  2. You keep old beta cdroms marked “confidential only” as souvenirs.....ah... beta 2...now that was a fun event... remember patching SQL server after Slammer?  They had to give us step by step instructions on that one..you remember?  What memories those were.
  3. RTM is a let down to you... what?  We don't get to have more changes?  You guys have to release it?  Dang!
  4. You know exactly where you were when products launched....in San Francisco with Grey for Windows Server 2003 and stuck at the office when SBS 2003 launched... and I'm still a bit miffed at the guys in New Orleans....the only time the guys would hit me on instant messaging was for about 2 seconds either on their way to the bathroom..don't know what was up with that..... or on their way between events.  I did however get a phone message on my cell phone.... there's nothing like Duran Duran's 'Hungry Like the Wolf' via voice mail.
  5. The Betaplace web site is practically your home page.
  6. You are getting real good at 'standing up boxes' as it's called 'in the biz'.
  7. You can tell when people at Microsoft have migrated domains from their email headers .... this one I have to admit really showcases I really need a life.

To all of those at Microsoft who 'dogfood' this stuff and 'shake it out' before we get it ...thanks.

Law # 4.... only let in ....what you trust

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen above, unpleasant things can happen if a bad guy's program can run on your computer.

If you run a website, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your website is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on it—including yours. If you're on a shared server, it's important to find out what the server administrator's policies are. (By the way, before opening your site to the public, make sure you've followed the security checklists for IIS 4.0 and IIS 5.0).


Boy did I know about this one in many ways... in SBS land where we had IIS 5 we got nailed by Code Red/Nimda because we didn't keep our systems up to date on patches.  We had 'bad code' uploaded to our web sites because we didn't patch.  Obviously IIS 6.0 has been solid as a rock.

Then I personally saw it on my www.sbslinks.com site because it was a shared site and bad code meant to hijack web browsers was put on my externally hosted web site.  Boy did I feel weird about that. 

On SBS 2003 we actually recommend that you don't host a public web site on your server and instead just leave it for authenticated access like Remote Web Workplace.  Why?  Because you want to limit what visitors can do and only allow people you trust on that box.  It's not that you can't do it per se...just that with external web hosting so cheap...why not reduce risk?

That brings up another concept that I need to bubble up that was discussed in the newsgroup... the person wanted to limit the port 80/443 to only OWA so that folks from public kiosk-y computers could have access.  In this day and age of smart phones and relatively cheap laptops, you should NEVER let anyone log in from a device that you cannot trust.  To me there is no more untrusted device than a kiosk computer.

Think trust... and only let in...what you trust.

Geek web casts -- what more can a gal want?

Just received word that the ITshowcase has gone live!  This is really cool and really educational.

Click and view the web cast.. they are really cool!

Dr. Jesper Johansson and Steve Riley [who will be coming out with a book very soon] are both featured in this.

Unscientific survey underway - so how much email do your clients keep and for how long?

On a listserv I'm on, the comment came up that a firm was archiving about a gig of email a month using their spam gateway to do this and keeping it at hand for about 2 years and in archive storage for seven.  Man... a gig a month...that's a lot I thought...wonder how many employees in that firm.  So I asked the person who posted how they were archiving.

I was surprised when the answer came back...50 employees.

Wow.  I was expecting a whole lot more people throwing off a gig of email that needed to be stored a month... and that's a Small Business Server sized company even if they aren't using SBS.

Exchange is truly right now the 'drag' on our boxes.  16 gigs is a joke [sorry to the Exchange folks...but it is] and native archiving is better through something like a gateway spam program to get it out of that Exchange database.

I did read that in Exchange 12 [the next version] they are talking about natively encrypting all traffic to other Exchange servers which would be really cool. 

Speaking of email, it still seems to me that setting up secure email is too hard.  One of the reasons that people love their blackberries is that it's fast and easy to use.  Keep security simple and easy and people will use it.

So.... in your clients that you see.....what kind of email storage are they doing?  How long are they planning to keep the email?  Do they have regulations they are following to keep the email?  My guess is that small businesses are going to surprise software companies by their email needs in the coming years.  We probably need to archive and keep much more than they think we do.

What a diff a day makes.... 05-019 will be re-released in June

Well just yesterday I was saying Microsoft released a patch of a security patch and today they announce that they will re-release 05-019 entirely.


This Alert is to notify you of revisions that have been made to
Microsoft Security Bulletin MS05-019.

Specifically, the bulletin has been revised to advise customers that we
plan to re-release the MS05-019 security update in June, 2005.

Until the re-release of this security update is available, customers
experiencing the symptoms described in Microsoft Knowledge Base Article
898060 should follow the documented instructions to address this issue. 

If you are not experiencing this network connectivity issue we recommend
that you install the currently available security update to help protect
against the vulnerabilities described in this security bulletin.

As a reminder, the Knowledge Base Article can be found here:
http://support.microsoft.com/kb/898060

Microsoft Security Bulletin MS05-019 can be found here:
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx

The Master Knowledge Base Article for MS05-019 references the KB
article. The Master Knowledge Base Article for MS05-019 is located here:
http://support.microsoft.com/kb/893066

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

New update to 898060 [tcp/ip and vpn issues anyone?]

This Alert is to notify you of the availability of an updated hotfix for
Microsoft Knowledge Base article 898060 and provide information around this
updated hotfix.

The alert is also to provide you with information and answers to a
number of questions that have been raised since the publication of the Knowledge Base
article on 23 April 2005.

As a reminder, the Knowledge Base Article can be found here:

http://support.microsoft.com/kb/898060

The Master Knowledge Base Article for MS05-019 references this article. The
Master Knowledge Base Article for MS05-019 is located here:

http://support.microsoft.com/kb/893066

1. Why was 898060 re-released?

As of 6 May 2005, as part of the ongoing code maintenance and working with
customers, versions of the 898060 hotfix have been released for Windows
2000, Windows XP and Windows Server 2003.

These updated hotfixes were updated to address very limited situations
where the original hotfix may not have successfully resolved all issues. These
updated hotfixes contain changes to address only those circumstances.

In addition, the updated hotfix for Windows Server 2003 SP1 also contains a
change to address an issue experienced only when running Internet Security
Systems' (ISS) products.


2. I deployed the earlier versions of the hotfix, and I am no longer
experiencing symptoms detailed in 898060, do I need to deploy the updated
versions?

No. Customers who have deployed the hotfix already and are no longer
experiencing the symptoms detailed in 898060 need not take any action
and do not need to deploy the new versions.

However, customers who have deployed the Windows Server 2003 SP1 version of
the hotfix available prior to 6 May 2005 and are no longer experiencing the
symptoms detailed in 898060 BUT are experiencing issues with ISS' products
should test and deploy the updated version of the hotfix.


3. I deployed the earlier versions of the hotfix, and I am STILL
experiencing symptoms detailed in 898060, do I need to deploy the updated
version?

Yes. Customers who have deployed the versions of the hotfixes made
available PRIOR to 6 May 2005 and are STILL experiencing the symptoms detailed in
898060 should test and deploy the latest versions of the hotfix.

4. I haven't deployed any version of the hotfix, and I am experiencing
symptoms detailed in 898060, what should I do?

Customers who experience the issue outlined in 898060 and have not deployed
the hotfixes should deploy the latest versions of the hotfixes.

5. How can I identify if I have the latest version of 898060?
Microsoft Knowledge base article 898060 is being updated to reflect the
file version information for the latest versions of the hotfixes.


6. Why was 898060 released?
Microsoft Knowledge Base Article 898060 was released to address issues
encountered in a very specific and limited situation where disruptions in
network connectivity may be experienced after the installation of either
security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1
(SP1).


7. When would these issues likely be encountered?
These issues would arise primarily in WAN and LAN configurations and
scenarios where routers and data-link level protocols that have different
Maximum Transmission Units (MTUs) are used across the network.


8. What were the issues encountered?
When these issues would arise, customers would report any one or more of
the following:

- Inability to connect to terminal servers or to file share access.

- Failure of domain controller replication across WAN links.

- Microsoft Exchange servers cannot connect to domain controllers.


9. What causes these issues?
These issues occur because the code incorrectly increments the number of
host routes on the computer when it modifies the MTU size of a host route.

The maximum number of host routes is controlled by the Registry Value in
MaxIcmpHostRoutes and the default number of host routes is 1,000.

Because the code incorrectly increments the number of host routes, the number of
host routes eventually reaches the maximum value. After the maximum
value is reached, the ICMP packets are ignored, creating the symptoms associated with
this issue.

10. What is Microsoft's recommendation on whether I should apply 898060?
Microsoft's official recommendation is that you should apply 898060 only if
you encounter these issues. This recommendation is detailed in the KB
article 898060.


11. Is there any way for me to proactively tell if I'll need 898060?

This specific issue will manifest only when certain networking conditions are true,
specifically, if different MTUs are set in the environment. Because of
this, the only way to know proactively if you might encounter this issue is
to determine whether or not you use different MTUs in your environment.


12. It sounds like when I would need 898060 I wouldn't have network
connectivity. If that's the case, I won't be able to deploy the hotfix
898060. Should I just go ahead and deploy it proactively?
While we test hotfixes as thoroughly as possible, by their nature they are
not subject to the same testing as a security update, like MS05-019.
Because of this, it is possible for a hotfix to have issues that have not
yet been identified and thus hotfixes have a greater inherent stability
risk than a broadly released update.

Microsoft's standard recommendation for hotfixes is that you only apply the
hotfix when the problem it was developed to address is encountered. This is
because in this circumstance, the risk of the potential for problems
related to the hotfix is clearly outweighed by the immediate risk of the issue
encountered.

While Microsoft does not recommend applying hotfixes proactively when the
issue it was designed to address is not present, customers should perform
their own risk assessment based on their specific circumstances to
determine the most appropriate course of action for them.

For some customers, the risk of possible problems related to the hotfix may
be outweighed by the risk of the occurrence of those problems the hotfix
was designed to address. These customers may determine that the most
appropriate course of action is to deploy the hotfix proactively.


13. Can I just deploy 898060 and not deploy MS05-019?

No, when deploying the hotfix Microsoft recommends that you first deploy
MS05-019 and then the hotfix.


14. Can I use SUS to deploy 898060?

No. Because hotfixes are not distributed via Windows Update, it cannot be
deployed using SUS.


15. Can I use SMS to deploy 898060?

Yes, you can use SMS to deploy 898060. However, you will have to manually
build the deployment package for this. Because this is not detected by any
security update scanning engine, you cannot use any of the automated
deployment tools with this update.


16. Can I use MBSA to detect that I will need 898060?

No. MBSA can detect systems that require MS05-019 but cannot detect systems
that require 898060.



17. Can MBSA tell me when the hotfix has been applied?

Once the hotfix 898060 has been applied, when MBSA is run, it will raise a
warning that a file version was found to be greater than expected.



18. Can I use qfecheck (KB 282784) to confirm that 898060 has been
installed?

Yes, you can use qfecheck to confirm that 898060 has been installed.



19. How is Microsoft making 898060 (including the re-released versions)
available to customers?

Currently, the hotfix is available as a private hotfix. Customers can
obtain this by contacting Microsoft Product Support Services. The call to obtain
the hotfix is no-charge.



20. Will Microsoft re-release MS05-019?

Currently, there are no plans at this time to re-release MS05-019. However,
Microsoft is constantly evaluating the situation based on customer request,
feedback and experiences.


Thank you,

Microsoft PSS Security Team
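The host-route accounting in Q9 and the MTU condition in Q11 above are easier to see in a small model. This is an added illustration, not Microsoft code and not the real TCP/IP stack; it encodes only what the FAQ states: a per-machine host-route counter bounded by MaxIcmpHostRoutes (default 1,000), a correct increment when a host route is created, the buggy extra increment when an existing host route's MTU is modified, and ICMP being ignored once the maximum is reached. The destination addresses, MTU values and round counts are constructed.

```python
"""Model of the host-route counter bug behind KB 898060.

Added illustration, not Microsoft code: the real stack's data structures are
not on the page. Only the behaviour the FAQ describes is modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Default value of MaxIcmpHostRoutes as stated in the FAQ (Q9).
MAX_ICMP_HOST_ROUTES = 1000


@dataclass
class HostRouteTable:
    """Host routes learned from ICMP 'fragmentation needed' messages.

    buggy=True reproduces the pre-898060 accounting: modifying the MTU of an
    existing host route is counted as if a new host route had been added.
    buggy=False counts only genuinely new host routes.
    """
    buggy: bool
    max_routes: int = MAX_ICMP_HOST_ROUTES
    routes: Dict[str, int] = field(default_factory=dict)  # destination -> path MTU
    count: int = 0    # the stack's *belief* about how many host routes exist
    ignored: int = 0  # ICMP messages discarded because count hit the maximum

    def on_icmp_frag_needed(self, dest: str, mtu: int) -> bool:
        """Process one ICMP 'fragmentation needed' for dest advertising mtu.

        Returns True if the route table was updated, False if the message was
        ignored because the host-route limit has been reached (Q9).
        """
        if self.count >= self.max_routes:
            self.ignored += 1
            return False
        if dest not in self.routes:
            # A new host route: both versions increment correctly.
            self.routes[dest] = mtu
            self.count += 1
            return True
        if self.routes[dest] != mtu:
            # Existing route, new MTU: only the MTU should change...
            self.routes[dest] = mtu
            if self.buggy:
                self.count += 1  # ...but the buggy code also bumps the counter.
        return True


def simulate(buggy: bool, dests: List[str], rounds: int, mtus: List[int]) -> Tuple[int, int]:
    """Drive a route table with `rounds` of ICMP messages for every destination.

    mtus is the cycle of path MTUs reported over time. A single-element list
    models a uniform-MTU network (no MTU ever changes); two or more elements
    model WAN/LAN mixes where the path MTU to a host keeps changing (Q7, Q11).
    Returns (host routes the stack believes exist, ICMP messages ignored).
    """
    table = HostRouteTable(buggy=buggy)
    for r in range(rounds):
        mtu = mtus[r % len(mtus)]
        for dest in dests:
            table.on_icmp_frag_needed(dest, mtu)
    return table.count, table.ignored


# Constructed sample environment: ten servers, 200 rounds of PMTU updates.
SAMPLE_DESTS = [f"10.0.{i}.1" for i in range(10)]
MIXED_MTUS = [1500, 1400]  # path flaps between an Ethernet link and a smaller-MTU link
UNIFORM_MTUS = [1500]      # every path has the same MTU


def main() -> None:
    for label, buggy, mtus in [
        ("fixed stack, mixed MTUs ", False, MIXED_MTUS),
        ("buggy stack, uniform MTU", True, UNIFORM_MTUS),
        ("buggy stack, mixed MTUs ", True, MIXED_MTUS),
    ]:
        count, ignored = simulate(buggy, SAMPLE_DESTS, 200, mtus)
        print(f"{label}: believed host routes={count:5d}  ignored ICMP={ignored}")


if __name__ == "__main__":
    main()
```

With ten real host routes, the buggy stack's counter saturates at 1,000 only when path MTUs keep changing; with a uniform MTU it never leaves 10, which is why the FAQ ties the symptoms to mixed-MTU environments.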

Those new Security Advisories

Security Advisories Updated or Released Today
==============================================

* Security Advisory (892313)

  - Title:    Default Setting in Windows Media Player
              Digital Rights Management Could Allow a User
              to Open a Web Page Without Requesting
              Permission

  - Web site:
http://go.microsoft.com/fwlink/?LinkId=47490

* Security Advisory (842851)

  - Title:    Clarification of the tar pit feature provided for
              Exchange Server 2003 in Windows Server 2003 Service
              Pack 1

  - Web site:
http://go.microsoft.com/fwlink/?LinkId=47491

<SBSized info ...remember this “tarpit” is SBS approved already and will be included in SBS 2003 sp1>

Support:
========
Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at:
http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

http://www.microsoft.com/technet/security/secnews/default.mspx

* Microsoft has created a free e-mail notification service that
  serves as a supplement to the Security Notification Service
  (this e-mail). It provides timely notification of any minor
  changes or revisions to previously released Microsoft Security
  Bulletins. This service provides notifications that are
  written for IT professionals and contain technical information
  about the security advisories and security bulletins.
  Visit
http://www.microsoft.com to subscribe to this service:

  - Click on Subscribe at the top of the page.
  - This will direct you via Passport to the Subscription center.
  - Under Newsletter Subscriptions you can sign up for the
    "Microsoft Security Notification Service: Comprehensive Version".

* Protect your PC: Microsoft has provided information on how you
  can help protect your PC at the following locations:

http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a
  Microsoft security update, it is a hoax that may be distributing a
  virus. Microsoft does not distribute security updates through
  e-mail. You can learn more about Microsoft's software distribution
  policies here:
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

I got Security Alerts! Do you?

Today as my IM window popped up saying I got a Microsoft security alert, I got one on my cell phone as well.

Cool!  Huh!  I can now be immediately paranoid!  You can sign up for these here!  All of the ways you can get informed are listed on this page.

Today's Security Bulletin - only Windows 2000

Today's Security bulletin only affects Windows 2000 machines and is fixing the previously unpatched vulnerability that was disclosed by Greymagic.

Since I'm reading Japanese security bulletins from now on, let's again revisit the page and see if we get a better view of the issue from there:

So?  What do you think?  Does that make it clearer?

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-may.mspx

Important Bulletins:

Vulnerability in Web View Could Allow Remote Code Execution (894320)
http://www.microsoft.com/technet/security/Bulletin/ms05-024.mspx

New York, Boston and Washington DC: Are you ready for the dynamic duo?

Anne Stanton and Jeff Middleton, that dynamic duo is at it again, May 17-19th, 2005.  Each of these events will be at the local Microsoft offices and in support of local user groups in each area.  Make sure you are there a bit earlier to catch Jeff and Anne before each event as they love to meet and mingle!

Learn about migration strategies, technical plans, business opportunities with SBS and much much more.

[sorry guys I did a typo the first time NYC is the 18th and DC is the 19th]


Jeff Middleton SBS-MVP and Anne Stanton CRM-MVP both are appearing as guest speakers. Do some business networking with other IT Pros before the evening presentations begin, and learn about the members of this SBS group at the same time.


- Swing Migration: Upgrade SBS servers on weekdays …take the weekends off!

- Migration Projects as Business Opportunities


TOPIC 1


Presenter: Jeff Middleton SBS-MVP

SBSmigration.com

New Orleans, LA


- Swing Migration: Upgrade SBS servers on weekdays …take the weekends off!


Transparently replace SBS or Windows DCs to upgrade the domain version, or transition to a different Windows platform. Without working the weekend, and with the production in operation during the construction process, you can work on an open timeline, even offsite. NOTHING TO UNDO, and you can keep the domain name, server name, same Exchange Information, and the workstation profiles are unaffected.


This blockbuster presentation Jeff introduced last fall was rated by attendees as best of Reseller Summit 2004 Tour given by Microsoft, Hewlett Packard, and Trend Micro in Australia, and the best SMB Nation 2004 technical session. Replacing a Windows or SBS Server transparently, open timeline, same domain, no workstation impact…this migration method rocks!!


Learn more immediately about Swing Migration at www.SBSmigration.com, and register now for this event to meet Jeff and to ask your questions in person.


TOPIC 2


Presenter: Anne Stanton CRM-MVP

Business Process Consultant and President of The Norwich Group

www.TheNorwichGroup.com

Norwich, VT


- Migration Projects as Business Opportunities


As a customer opens their mind to the potential of even more productivity and better tools there is an opportunity for other project work. Anne Stanton presents a look into what some of this potential project work could be and how to position yourself with your client to facilitate more work and project opportunities. Setting expectations, anticipating demand and ensuring a successful transition while also nailing down potential long term referrals are all part of the discussion.

 

 

 

ABOUT THE SPEAKERS:

Jeff Middleton, [SBS-MVP], an IT Pro reseller for 20 years and founder of SBSmigration.com, is one of those names recognized in SBS newsgroups as a voice of experience and creative technical strategist. Swing Migration is just one of the unique IT revelations Jeff has offered in the past several years. He is author of several chapters in the latest Harry Brelsford book “Advanced Windows Small Business Server 2003 Best Practices”, and an internationally known speaker. www.SBSmigration.com

Anne Stanton [CRM-MVP] is the co-author of two books, “The Complete Guide to Patch Management” and “The AICPA’s Guide to the 2004 Top Technologies”. She is also a contributing writer for Accounting Software 411.com, the CPA Technology Advisor, iSixSigma and the AICPA’s IT Section Newsletter (InfoTech Update) as well as other industry specific journals. Anne is an active speaker and presented “The Art of the “S” in SMB” at SMB Nation in 2004. She is the editor of the Information Technology Alliance newsletter and an active participant in numerous events sponsored by the AICPA, state CPA societies and the Information Technology Alliance. www.TheNorwichGroup.com

I'm in search of a "Secure Me Now" button, got one?

So many times, especially with our small offices, we look for a checklist, a secure me now button, and quite frankly there just isn't such a cookie cutter thing you can do these days.

What you really should be doing instead is identifying what the 'really bad thing' that could happen in a network is and designing protection around that.....but ..it can't be the worst really bad thing imaginable now can it?  It has to be a reasonable bad thing, one that could plausibly happen to this office.

What's the first thing you need to do?  Sit down with your client and identify what needs to be protected.....typically in healthcare it's patient information.  In California it's identity information.  Now start to think of ways to reasonably protect that information.  Many times it's not just with technology, it's with people as well.

Many of the steps with HIPAA are policy, ensuring that you are compliant with the people side of the equation.

So think about it.... are you looking for a “secure me now button“ or truly thinking about the best ways to protect stuff that needs protection.

Sometimes a checklist won't give you the big picture.  Stand back.  Where are your risks?

P.S. if you are looking for a “secure me now button“, you might take a look at some of the resources here.  There isn't a button there, but there are a lot of interesting links nonetheless.

Words that a network admin would like to see banned

Most of the time I'm a patient person, and then there are those days when a few words sprinkled here and there just kinda annoy me.....

“It always takes ten minutes to open my Outlook.“

I'll get a stopwatch.. I'll bet you

  • It's not ten minutes
  • It's not always

“My machine always does that“

Again, let me get a program that watches every keystroke and I'll bet you

  • It's not always

“My machine is extremely slow“

Why is it that the people with the fastest machines in the office always think theirs is the slowest?  What's up with that?

  • No, it's not always

There are times when issues are caused by computers and technology and tcp/ip packets and ...well whatever... and then there are those times when... let's just say it's not always caused by computers, shall we?

  • No, it is indeed not always caused by computers

Just have to share this

A bit of a really off topic post tonight... we celebrated Mother's day with my Dad's favorite food, homemade ice cream.  [Yeah ... Mom's day and we're making Dad's favorite... don't quite know how that one worked out myself]

Here's the ingredients

  • 6 eggs [we use egg beaters these days]
  • 2 cans sweetened condensed milk
  • 2 cans evaporated milk
  • [if you want it really rich add heavy whipping cream]
  • A tablespoon [or more] of the really good vanilla from Williams Sonoma
  • Optional - scrapings from vanilla beans or bean paste
  • A teaspoon of Orange flavoring [or TripleSec or Grand Marnier liquor if you are into that sort of thing]
  • top off the ice cream canister with whole milk

Have rock salt and ice handy; we are wimps and use an electric ice cream maker.  About 30 minutes later, homemade ice cream.

For you guys downunder just going into Autumn.... maybe you can get one last homemade ice cream weekend in before the end of the season?

As long as the battery holds out, I'm good to go

Testing a new toy at the office that I think we're going to ... okay.. I'm going to use the most and the rest of the gang is going to borrow it when they need it.  It's a Cingular wireless PCMCIA card that gives any laptop with cell phone coverage Internet access.  And, of course, if you have Internet, you have access back to the office.  It's not quite as peppy as the 100 speed at the office, but it ain't bad, and it certainly solves my problem of trying to get high speed to folks that live in areas that don't get high speed [personally if it were me, I'd move, but my co-workers don't see it that way for some reason].

As long as you stay where there is good cell phone coverage, you are good to go. And I'm so high maintenance of a female that 'roughing it' to me is staying in a hotel that the room service closes down at midnight. 

The "paranoid" backup

One thing I should make crystal clear about my last blog post is that “SystemState” backups as well as data and Exchange backups are automagically done with the SBS backup wizard.  I only do that extra system state and burn it to a cdrom right before I do something like a service pack.

As a normal part of the SBSbackup routine, that system state backup is automagical.  The only reason why I do a special system state backup is because I'm paranoid, worry wart, throw salt over my shoulder, part Jewish Mother [even though I'm not Jewish, nor a mother], wacko who just feels better knowing that I've made extra sure that I have everything I need 'just in case'.

For the rest of you mere mortals, the SBSbackup routine will be just fine on a regular basis.  Just remember, at any time, you too can be just as paranoid wacko as I am and just manually run that system state...just in case.

Excuse me... I gotta go find a salt shaker.... I need to throw some more salt over my shoulder.....I'll be right back....

So what's a SystemState backup anyway?

One of the steps that is a “must do” before applying something big like a service pack is to have a good backup of your server AND all data, and one of the major parts of that is a “SystemState backup”.  But like...what is a systemstate backup anyway? 

The 'gunk' backed up with just the system state is:

The system state components on a domain controller include the following:

  • System startup (boot) files. These files are required for Windows Server 2003 to start.
  • System registry
  • Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
  • System volume (SYSVOL). SYSVOL provides a default location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains the following:
      • Net Logon shared folders. These folders usually host user logon scripts and policy settings for network clients that are running pre–Windows 2000 operating systems.
      • User logon scripts for Active Directory–enabled clients
      • System policies
      • Group Policy settings
      • File system junctions
      • File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers
  • Active Directory, including the following:
      • The Active Directory database (Ntds.dit)
      • The checkpoint file (Edb.chk)
      • The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
      • Reserved transaction logs (Res1.log and Res2.log)

Don't get me wrong, you want to have a full backup, but normally when I do big service packs, I get extra paranoid and right before I'm ready to install I go into NTbackup [even though, because I have two servers, I use Ultrabac to backup my system] and do a special systemstate backup and stick it on a drive somewhere off the server and even burn it onto a cdrom for extra paranoia....[by the way, have I said I'm paranoid before?]

So here's how to do 'just' a system state backup.

1.  Go into the backup program

2.  Now find the Backup tab and just check the “System State” box

3.  I usually kick this 'special backup' to a place that I can get to from a workstation so I can then burn it onto a cdrom

4.  Hit the Backup button on the right ....

And voila.....

Backup Status
Operation: Backup
Active backup destination: File
Media name: "SystemState.bkf created 5/8/2005 at 12:39 PM"

Volume shadow copy creation: Attempt 1.
Backup (via shadow copy) of "System State"
Backup set #1 on media #1
Backup description: "Set created 5/8/2005 at 12:39 PM"
Media name: "SystemState.bkf created 5/8/2005 at 12:39 PM"

Backup Type: Copy

Backup started on 5/8/2005 at 12:40 PM.
Backup completed on 5/8/2005 at 12:42 PM.
Directories: 300
Files: 2858
Bytes: 609,582,796
Time:  2 minutes and  4 seconds

Extra paranoia just before you get ready to apply a service pack.
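The same 'paranoid' system state backup can be scripted instead of clicked through, and the report ntbackup writes can be checked before you trust the .bkf. The script below is an added example, not part of the original post or of SBS's own backup wizard: it builds the ntbackup.exe command line (the switches are ntbackup's documented ones; the destination path is whatever you pass in), then parses a copy of the report shown above and flags anything that would make the backup unusable. The 100 MB floor is an assumption used as a sanity check, since a domain controller's system state runs to hundreds of megabytes.

```python
"""Script the 'paranoid' system state backup with ntbackup.exe and check its
report before trusting it.  Added example, not from the original post."""
import re
import subprocess

# Constructed copy of the ntbackup report the page shows for the 5/8/2005 run.
SAMPLE_SUMMARY = """Backup Status
Operation: Backup
Active backup destination: File
Media name: "SystemState.bkf created 5/8/2005 at 12:39 PM"

Volume shadow copy creation: Attempt 1.
Backup (via shadow copy) of "System State"
Backup set #1 on media #1
Backup description: "Set created 5/8/2005 at 12:39 PM"
Media name: "SystemState.bkf created 5/8/2005 at 12:39 PM"

Backup Type: Copy

Backup started on 5/8/2005 at 12:40 PM.
Backup completed on 5/8/2005 at 12:42 PM.
Directories: 300
Files: 2858
Bytes: 609,582,796
Time:  2 minutes and  4 seconds
"""


def ntbackup_system_state_command(bkf_path, job_name="SystemState"):
    """Build the ntbackup.exe command line for a copy-type system state backup.

    The destination path is the caller's choice (the post puts it somewhere a
    workstation can reach so it can be burned to a cdrom).
    """
    return [
        "ntbackup", "backup", "systemstate",
        "/J", job_name,      # job name recorded in the report
        "/F", bkf_path,      # back up to a .bkf file rather than tape
        "/M", "copy",        # copy backup: leaves archive bits and the
                             # regular SBS backup schedule untouched
        "/V:yes",            # verify the data after writing it
        "/L:f",              # full report, so the checks below have data
    ]


def run_system_state_backup(bkf_path):
    """Run ntbackup (Windows Server 2003 only) and return its exit code."""
    return subprocess.run(ntbackup_system_state_command(bkf_path), check=False).returncode


_COUNTS = {
    "directories": re.compile(r"^Directories:\s*([\d,]+)", re.M),
    "files": re.compile(r"^Files:\s*([\d,]+)", re.M),
    "bytes": re.compile(r"^Bytes:\s*([\d,]+)", re.M),
}


def parse_backup_summary(report):
    """Pull the fields worth checking out of an ntbackup report."""
    kind = re.search(r"^Backup Type:\s*(\w+)", report, re.M)
    summary = {
        "completed": re.search(r"^Backup completed on ", report, re.M) is not None,
        "system_state": '"System State"' in report,
        "backup_type": kind.group(1) if kind else None,
    }
    for key, rx in _COUNTS.items():
        m = rx.search(report)
        summary[key] = int(m.group(1).replace(",", "")) if m else 0
    return summary


def verify_system_state_backup(summary, min_bytes=100_000_000):
    """Return the problems found; an empty list means the backup looks usable.

    min_bytes is an assumed sanity floor: a DC's system state runs to hundreds
    of megabytes, so a tiny .bkf almost certainly missed something.
    """
    problems = []
    if not summary["completed"]:
        problems.append("report has no 'Backup completed' line")
    if not summary["system_state"]:
        problems.append("no System State backup set in the report")
    if summary["backup_type"] != "Copy":
        problems.append(f"expected a Copy backup, got {summary['backup_type']}")
    if summary["files"] == 0 or summary["directories"] == 0:
        problems.append("no files or directories were backed up")
    if summary["bytes"] < min_bytes:
        problems.append(f"only {summary['bytes']:,} bytes written (floor {min_bytes:,})")
    return problems


if __name__ == "__main__":
    summary = parse_backup_summary(SAMPLE_SUMMARY)
    print(summary)
    print(verify_system_state_backup(summary) or "backup report looks good")
```

Run on the report above it comes back clean; run on a report that stopped early, or that says "Backup Type: Normal" because somebody used the regular job instead of a copy, it lists what is wrong. ntbackup writes its reports under the user's NTBackup data folder, so on a real server read that file and feed it to parse_backup_summary.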

README really means Read this...and SQL SP hits the streets

Marina [one of the Magical M&M's from Smallbizserver.net] has a favorite saying, “READ!”, and it's really true that we don't spend the time to READ.  The ReadMe file that's on every install cd [and especially service packs] is meant to be just that... a file that you should ...well..... you know.....READ.

This is extremely true as we get ready for the SBS 2003 service pack.  Just saw on the Download page that SQL server 2000 sp4 just got released today and even though it says it is supported on SBS 2003 [which it is] you still want to wait for OUR service pack. 

Download details: Microsoft SQL Server 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=8e2dfc8d-c20e-4446-99a9-b7f0213f8bc5&displaylang=en

While it can be run, and it is supported, it's not blonde and “automagical“.  So wait for our own SBS service pack where it will be way way way more automagical.

But don't forget ...when we do get our SBS 2003 service pack...don't forget to READ...don't just stick the cdrom in and start installing... take it to your workstations where a printer is attached, print out the readme, click to check for an updated version, and...well.... READ IT.

Wanna do something cool with Internet Explorer?

[update - for a properly aligned version of the IE settings shown below, check out Steve Friedl's page]

One of the things you can do with Internet Explorer that's really cool is control stuff.  You know...stuff.  Active X stuff.  So let's get a few foundations so you know what I'm talking about.  Start first by reading this KB article on how to manage add-ons.  Do you get the idea that you can deny bad stuff and then allow good stuff?

So how do you know what is the “good stuff”?  Nick put together a list in a KB article, and fellow MVP Neo has put together a list of some of them as an ADM [see below].

I'll do some screen shots this weekend to show you how this all works.  It's pretty cool!


;  Internet Explorer Administrator Approved Security Settings

CLASS USER

CATEGORY "Custom Settings"
CATEGORY "Internet Explorer"
CATEGORY "Administrator Approved Controls"

  KEYNAME "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls"

  POLICY "Microsoft Corporation"

    PART "ActiveX Plugin Control" CHECKBOX
      VALUENAME "{06DD38D3-D187-11CF-A80D-00C04FD74AD8}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "Certificate Enrollment Control" CHECKBOX
      VALUENAME "{127698e4-e730-4e5c-a2b1-21490a70c8a1}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "DHTML Safe Edit Control" CHECKBOX
      VALUENAME "{2D360201-FFF5-11d1-8D03-00A0C959BC0A}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{8D91090E-B955-11D1-ADC5-006008A5848C}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{8D91090E-B955-11D1-ADC5-006008A5848C}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

    PART "DLC Control (File Transfer Manager)" CHECKBOX
      VALUENAME "{82774781-8F4E-11D1-AB1C-0000F8773BF0}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "Microsoft Office Control" CHECKBOX
      VALUENAME "{4453D895-F2A1-4A38-A285-1EF9BD3F6D5D}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "MSDN TreeView Control" CHECKBOX
      VALUENAME "{59CC0C20-679B-11D2-88BD-0800361A1803}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "Remote Data Service" CHECKBOX
      VALUENAME "{BD96C556-65A3-11D0-983A-00C04FC29E33}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{BD96C556-65A3-11D0-983A-00C04FC29E36}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{BD96C556-65A3-11D0-983A-00C04FC29E36}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

    PART "Remote Desktop Web Control" CHECKBOX
      VALUENAME "{7584c670-2274-4efb-b00b-d6aaba6d3850}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

    PART "Scripting Dictionary" CHECKBOX
      VALUENAME "{EE09B103-97E0-11CF-978F-00A02463E06F}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "Tabular Data Control" CHECKBOX
      VALUENAME "{333C7BC4-460F-11D0-BC04-0080C7055A83}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

    PART "XML Support Libraries" CHECKBOX
      VALUENAME "{550dda30-0541-11d2-9ca9-0060b0ec3d39}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{2933BF90-7B36-11d2-B20E-00C04F983E60}" VALUE NUMERIC 0
        VALUENAME "{ED8C108E-4349-11D2-91A4-00C04F7969E8}" VALUE NUMERIC 0
        VALUENAME "{CFC399AF-D876-11d0-9C10-00C04FC99C8E}" VALUE NUMERIC 0
        VALUENAME "{F6D90F16-9C73-11D3-B32E-00C04F990BB4}" VALUE NUMERIC 0
        VALUENAME "{F6D90F11-9C73-11D3-B32E-00C04F990BB4}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{2933BF90-7B36-11d2-B20E-00C04F983E60}" VALUE NUMERIC 1
        VALUENAME "{ED8C108E-4349-11D2-91A4-00C04F7969E8}" VALUE NUMERIC 1
        VALUENAME "{CFC399AF-D876-11d0-9C10-00C04FC99C8E}" VALUE NUMERIC 1
        VALUENAME "{F6D90F16-9C73-11D3-B32E-00C04F990BB4}" VALUE NUMERIC 1
        VALUENAME "{F6D90F11-9C73-11D3-B32E-00C04F990BB4}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

    PART "Windows and Office Update Controls" CHECKBOX
      VALUENAME "{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{9F1C11AA-197B-4942-BA54-47A8489BB47F}" VALUE NUMERIC 0
        VALUENAME "{6414512B-B978-451D-A0D8-FCFDF33E833C}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{9F1C11AA-197B-4942-BA54-47A8489BB47F}" VALUE NUMERIC 1
        VALUENAME "{6414512B-B978-451D-A0D8-FCFDF33E833C}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

    PART "Windows Genuine Advantage Control" CHECKBOX
      VALUENAME "{17492023-C23A-453E-A040-C7C580BBF700}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

  END POLICY

  POLICY "Sun Microsystems"

    PART "Java" CHECKBOX
      VALUENAME "{8AD9C840-044E-11D1-B3E9-00805F499D93}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART

  END POLICY

  POLICY "Macromedia"

    PART "Flash and Shockwave players" CHECKBOX
      VALUENAME "{166B1BCA-3F9C-11CF-8075-444553540000}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{D27CDB6E-AE6D-11cf-96B8-444553540000}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{D27CDB6E-AE6D-11cf-96B8-444553540000}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

  END POLICY

  POLICY "Adobe"

    PART "Acrobat Reader" CHECKBOX
      VALUENAME "{CA8A9780-280D-11CF-A24D-444553540000}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{B801CA65-A1FC-11D0-85AD-444553540000}" VALUE NUMERIC 0
      END ACTIONLISTON
      ACTIONLISTOFF
        VALUENAME "{B801CA65-A1FC-11D0-85AD-444553540000}" VALUE NUMERIC 1
      END ACTIONLISTOFF
    END PART

  END POLICY

END CATEGORY
END CATEGORY
END CATEGORY
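What that ADM actually does is write one DWORD per CLSID under the AllowedControls key it names, with 0 for a control you approved (VALUEON / ACTIONLISTON) and 1 for one you blocked (VALUEOFF / ACTIONLISTOFF); the ACTIONLIST blocks exist because some controls ship as several CLSIDs that have to move together. The script below is an added example, not Neo's ADM or anything from Microsoft: it parses a short excerpt of the template above into the approved and blocked value sets per control, then audits a snapshot of a client's AllowedControls values against them so you can see which controls are approved, blocked, never configured, or only half applied. The registry snapshot is constructed; on a real XP client you would read those values from HKCU with winreg.

```python
"""Parse the Administrator Approved Controls ADM template and audit a client's
AllowedControls values against it.  Added example, not Neo's or Microsoft's code."""
import re

# Excerpt of the ADM shown on the page (three PARTs kept so the sample stays short).
ADM_EXCERPT = r'''
  KEYNAME "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls"
  POLICY "Microsoft Corporation"
    PART "ActiveX Plugin Control" CHECKBOX
      VALUENAME "{06DD38D3-D187-11CF-A80D-00C04FD74AD8}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART
    PART "XML Support Libraries" CHECKBOX
      VALUENAME "{550dda30-0541-11d2-9ca9-0060b0ec3d39}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
      ACTIONLISTON
        VALUENAME "{2933BF90-7B36-11d2-B20E-00C04F983E60}" VALUE NUMERIC 0
        VALUENAME "{ED8C108E-4349-11D2-91A4-00C04F7969E8}" VALUE NUMERIC 0
      END ACTIONLISTON
    END PART
  END POLICY
  POLICY "Sun Microsystems"
    PART "Java" CHECKBOX
      VALUENAME "{8AD9C840-044E-11D1-B3E9-00805F499D93}"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END PART
  END POLICY
'''

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(line):
    """Split an ADM line into keywords and values, keeping quoted strings whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_allowed_controls(adm_text):
    """Return one dict per PART: vendor, name, keyname, and the registry values
    that mean 'approved' (on) and 'blocked' (off), keyed by CLSID."""
    controls, part, action = [], None, None
    keyname = vendor = None
    for raw in adm_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        tok = _tokens(line)
        kw = tok[0].upper()
        if kw == "KEYNAME":
            keyname = tok[1]
        elif kw == "POLICY":
            vendor = tok[1]
        elif kw == "PART":
            part = {"vendor": vendor, "name": tok[1], "keyname": keyname,
                    "primary": None, "on": {}, "off": {}}
        elif kw == "ACTIONLISTON":
            action = "on"
        elif kw == "ACTIONLISTOFF":
            action = "off"
        elif kw == "END":
            if tok[1].upper() == "PART":
                controls.append(part)
                part = None
            elif tok[1].upper().startswith("ACTIONLIST"):
                action = None
        elif part is not None and kw == "VALUENAME":
            if action is None:                     # the PART's own CLSID
                part["primary"] = tok[1]
            else:                                  # VALUENAME "{clsid}" VALUE NUMERIC n
                part[action][tok[1]] = int(tok[4])
        elif part is not None and kw == "VALUEON":
            part["on"][part["primary"]] = int(tok[2])
        elif part is not None and kw == "VALUEOFF":
            part["off"][part["primary"]] = int(tok[2])
    return controls


def audit_allowed_controls(controls, registry_values):
    """Classify each control from a {clsid: dword} snapshot of the AllowedControls
    key (constructed here; a real run would read HKCU via winreg on the client)."""
    report = {}
    for c in controls:
        present = {k: registry_values.get(k) for k in c["on"]}
        if all(present[k] == v for k, v in c["on"].items()):
            status = "approved"
        elif all(registry_values.get(k) == v for k, v in c["off"].items()):
            status = "blocked"
        elif all(v is None for v in present.values()):
            status = "not configured"
        else:
            status = "inconsistent"   # part of an ACTIONLIST set is missing or wrong
        report[c["name"]] = status
    return report
```

The "inconsistent" result is the one worth watching for: a control whose ACTIONLIST CLSIDs are only partly present usually means the policy was hand-edited or only half applied, and IE will not treat the control as approved.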

Security patch [no plural] next week

As part of the monthly security bulletin release cycle, Microsoft
provides advance notification to our customers on the number of new
security updates being released, the products affected, the aggregate
maximum severity and information about detection tools relevant to the
update. This is intended to help our customers plan for the deployment
of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with
any non-security updates released on Windows Update on the same day as
the monthly security bulletins, we also provide:

- Information about the release of updated versions of the Microsoft
Windows Malicious Software Removal Tool.

- Information about the release of NON-SECURITY, High Priority updates
on Windows Update (WU) and Software Update Services(SUS). Note that this
information will pertain ONLY to updates on Windows Update and only
about High Priority, non-security updates being released on the same day
as security updates. Information will NOT be provided about Non-security
updates released on other days.

On 10 May 2005 the Microsoft Security Response Center is planning to
release:

Security Updates
- 1 Microsoft Security Bulletin affecting Microsoft Windows. The
greatest aggregate, maximum severity rating for these security updates
is Important. This update will not require a restart. This update will
be detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool

- Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update and the Download
Center.
Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on WU and SUS

- Microsoft will NOT release any NON-SECURITY High-Priority Updates for
Windows on the Windows Update site

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.
Microsoft will host a webcast next week to address customer questions on
these bulletins. For more information on this webcast please see below:

- TechNet Webcast: Information about Microsoft's May Security Bulletins
(Level 100)   - Wednesday, May 11, 2005 11:00 AM (GMT-08:00) Pacific Time (US &
Canada) -
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032273403&Culture=en-US

At this time no additional information on these bulletins such as
details regarding severity or details regarding the vulnerability will
be made available until 10 May 2005.
Thank you,
Microsoft PSS Security Team

Thwunk!

THWUNK! 

Geeze I hate that sound.  It's the sound that the subwoofer makes when the power goes back on in the house.  Every time the power goes back on in the house I practically jump three feet.

I came home tonight and tried to open up the garage door and nothing happened.  Then I realized it was because we had no power.  While at the office I have UPS's on each workstation and server, I don't at home [and wouldn't want to power such things, would I?].  I had earlier attempted to remote from the office to the home system to get a couple of files and was surprised that the Remote Web Workplace wasn't working.  While I have a dynamic IP address, I have tzo.com, which has an automatic 'bit' in my Linksys router to broadcast the tzo.com domain name out so I can remotely log in.

Well obviously with no power... it was a bit hard to remote into the server.  No wonder I couldn't remote in.

Today I was at a client's, and when they lost the power they lost the spreadsheet they were working on.  One battery backup would have saved that project.  Think about it.  They aren't that expensive, and yet when you are in the middle of something and haven't saved it, it will pay for itself in one power outage.

Think about it before you get THWUNK'd!

The buzz on nothing new

I hate to be a “me too” but two of the guys in Australia who went to the Asian MVP summit came back and said a presentation on Rootkits scared them.  And while Rootkits [software that is no different from trojans or backdoors, but typically silently hides on your system] are something bad, there are comments from folks [including a few MS'ers I know] that this isn't really anything new and it's something the on-the-ball admin could see happening.  Like Harlan says..they still have to get ON your system. And how do they do that?  You click [admin rights] or you don't patch [unpatched vulns].

The on-the-ball admin watching his traffic logs and firewall logs should spot this activity.  Now mind you, we probably don't do this in SBSland like we should, but the point is, this isn't 'more bad' than the next 'bad thing', it's just another 'bad thing'.  What we need to take away from this is better protection so that the 'bad thing' won't get on there in the first place.  And that's where LUA... aka least privilege user account ... comes into play.

I was pinged the other day asking about the impact on software vendors and least user privilege in Longhorn and here's the annoying .... really annoying... thing I constantly jump up and down about here on the blog.  This LUA isn't anything new either.  We COULD do it now if our stupid vendors would just code so they get the “Made for XP logo”. 

But here's the kicker....they don't... they don't have to... because we don't care.  When you go to Office Depot to buy software are you even thinking about its security features when you flip the empty box over?  Of course you aren't.  You want it to pay your payroll, or recap your sales, or widget your widgets.  You couldn't care less about whether it runs with the least amount of privileges to therefore keep you safe.

Tonight I went to a NT user group meeting in Fresno where a patch/inventory/software deployment vendor presented, and the funny thing is that while their software was very interesting, it was basically a GUI interface over WMI scripting and what not.  I mean it was cool, but at the same time I was thinking...hey... we can do that with what we have...it's really not that new... it's just we don't know we can do it. 

Anyway, I'll still harp that I think the emphasis we have is still too much on patching and hardening servers and not enough on protecting workstations.  I honestly don't think I've met a non-wacko SBSer who has deployed the XP sp2 firewall inside their network...yet here I am down here with it running just fine.

Dear people at MarketingPromote.com

Thank you for your 2,334 2,435 emails you have sent over the last couple of weeks regarding your direct mailing service, offshore web hosting, or whatever else you are trying to get me to use.  You are sending these 2,435 2,522 emails to my poor @pacbell account that I leave unfiltered to truly see what stuff is coming in out there.

It was funny because the other day when I was dealing with Trend, one of the guys at the office said “Oh yes, it's definitely much worse, I'm getting viruses in my mailbox all the time”.... and for a moment I scrunched up my eyebrow and said “you are getting viruses in your email”?  What he meant was that he was getting spam in his email and my combo of Trend's emanager and Outlook spam filter was obviously losing the battle again.  He equated viruses and spam together and did not see the distinction between them.

A recent survey said we're just taking it more for granted now.

So what are you using for Spam?

Exchange IMF?  Something else?

Oh and thank you MarketingPromote... I really needed 2,632 offers from you... I don't think I got the first 2,631 of them.

Laptops anyone?

We started a discussion about Laptops and SBS and just today I got pinged about how best to handle laptops on and off the network... so here are a few ideas

SBS 2003 Standard -- with the RRAS firewall it allows anonymous connections out so you really don't need to do anything special.  Attach a workstation to the network and they just go out with no issues and no need to add the ISA client on the workstation.

SBS 2003 Premium with ISA 2000 with 'allowing all protocols' - we need to first determine how you have your network set up.  If you are not a paranoid wacko like I am, all you need to do is install ISA in what I refer to as 'all/all/all'.... all protocols, all clients, everything out the door.  The laptops will not need the ISA client and they can pick up the IP from the server via DHCP with no issues.  The disadvantage of this is that you lose the ability to control internet connectivity and what not as everyone goes out the door... so if you want to allow laptops to be flexible, but still keep your restrictions for desktops... keep reading...

SBS 2003 Premium with a more restricted ISA 2000 - Chad brought this up the other day... he first puts in a DHCP reservation and ensures that the laptops are 'always' at a certain low IP address range.  Then he sets a special rule in ISA to allow these specific workstations with specific IP addresses to go out via the 'all/all/all' range.  He unchecked the 'allow unauthenticated' [which in fairness opens up a bit more anonymous access and in theory could allow backdoors and trojans out the door, but these days with all the malware and what not we already have it's probably not that bad ... okay .... joking ..joking]  Then you build rule sets, along the same lines as the workarounds for Windows Update.  So the beauty of this setup is that you can have the ISA client on your desktops and then leave it off for the laptops.

Many of the gang set up a laptop to have a workgroup name that matches the domain name to make it easier.

Another alternative is to try out netswitcher.

So what about you?  What tricks do you have for taking laptops on and off the network?  My personal tablet PC purposely stays totally off the network and if I need to connect to highspeed, I have my Wireless WAP that is totally outside my SBS network to make it easier... plus this allows me to have the tablet as a tech support resource just in case I need when working on the network.

CRM and XP sp2?

I went to a NT user group meeting tonight and one of the guys sitting next to me said they hadn't yet deployed XP sp2 because Microsoft CRM didn't support it.  I knew they had already sent out a patch to fix this... so ... if you are the guy who talked to me tonight...the patch is right here.

Sometimes just a reboot at the right time is what you need

So I'm installing another server at home [rebuilding the blue glowing baby server that went to smbnation and back].  I had installed 'Standard' this weekend and was kicking it up to Premium tonight to get ready to move over to this one from the poor beta-ed, WSUS'd, overgrown desktop “server” that I have here at home.  I had checked to make sure the cdroms I had with Standard were post-Sharepoint cdroms and that Companyweb worked with Standard.  When I upgraded to Premium I upgraded Sharepoint, went to launch Companyweb and got

Cannot connect to the configuration database.

Huh?  It worked before?  So I googled and found a KB but then went.... uh... you know... I don't think I did a reboot after I installed that SQL now did I?

One sheepish grin later... I now have a fully functional Companyweb with a search box.

Yeah... don't forget, a good reboot every now and then does the trick.

Law # 3, if I have it, it's MINE

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:

He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

He could unplug the computer, haul it out of your building, and hold it for ransom.

He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

He could remove the hard drive from your computer, install it into his computer, and read it.

He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.

He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.


I'm definitely one sick puppy, because hands down this is my favorite law of security.  Why?  Because it's amazing that this law number three still shocks people even today.  Just a few weeks ago in fact a consultant had a 'falling out' with a client and had held off on handing over the administrator password and was planning to do a 'payment in full' for 'password' swap.  Well he also had a monitoring service on that box and all of a sudden got paged that something had been loaded on the machine, it had been rebooted, and suddenly he didn't have Administrator access to the box anymore.  He came into the newsgroup asking if there was something about SBS that makes it more vulnerable to this kind of attack. 

Hardly dude, any computer is vulnerable to law #3.

It's called: if I have access to that server or computer, it's MINE, totally MINE, and there's nothing that you as the remote administrator can do about it.  This is a foundational law of security: physical security trumps everything. 

Take for example the other day when I totally forgot the admin password for my Tablet PC.  No worries, boot using the password reset CD-ROM and voila... I reset the admin password with no issues whatsoever.  For servers this is a bit trickier, as you can't just use that Linux-based boot disk, but there are other utilities out there that can do the job as well. 

Look as well at that story about the backup tapes containing data on 600,000 Time Warner employees that have been lost.  Now I would argue that the tape backup software should have natively supported encryption, but nonetheless they've now got a mess on their hands because they lost physical access to that tape media and someone else possibly has it.

Bottom line.... as I said earlier, there is no computer in the world that is immune from Law #3.

The business of trust

I was at a client's today and... well... let's just say that one QuickBooks password cracking later and one quick crash course in bookkeeping later, they are a bit more up and running than they were at 9:00 a.m. this morning when they couldn't get into the bookkeeping program.

It reminded me of the conversations going on in the SBS community about growing the business out to allow someone you don't know to handle your financial 'stuff'.  What typically happens in small businesses is that the business owner, a relative or someone they trust does the bill paying, bookkeeping and reconciliation.  But here's the problem.  In a proper system you should have separation of duties.  In a typical small business... you don't.  None at all.  So what are some issues small business owners should be concerned about when they let someone else do the bookkeeping?

If you answer “yes” to any of these, you may have issues in segregation of duties:

  1. Is the person who handles your cash also responsible for recording the cash?
  2. Does the person who pays or orders inventory also receive the materials?
  3. Are two or fewer people responsible for the accounting function?
  4. Is only one person responsible for reviewing financial statements each month?
  5. Is your review of financial journals sporadic?

If you answer “no” to any of these, you may have issues with Bank Reconciliation:

  1. Do you review canceled checks and endorsements on a monthly basis?
  2. Do you compare payroll checks with your current employee records?
  3. Do you question funds transferred between bank accounts?
  4. Do you track the number of credit card bills you sign per month?
  5. Are bank reconciliations performed on a timely basis?
  6. Is someone responsible for reviewing the reconciliations each month?
  7. Do you verify reconciled items?

If you answer “yes” to any of these, you may have issues with documentation:

  1. Do you ever sign blank checks?
  2. Do you ever sign checks without original supporting documentation?
  3. Do you ever sign checks without canceling supporting documentation?
  4. Have funds ever been transferred between accounts without review or verification?
  5. Do you ever sign checks for new business vendors without knowing or verifying their name and association with your company?

If you answer “yes” to any of these you may have issues with employees:

  1. Are any of your employees extremely possessive of their work records and reluctant to share their tasks?
  2. Are any of your employees apprehensive about vacations and time off, while always being the first in the office and the last out?
  3. Have you noticed a substantial change of lifestyle in any of your employees?
  4. Do any of your employees have a possible substance abuse problem?
  5. Are any of your employees living beyond their means?
  6. Have you ever hired an employee before checking references?
  7. Do you permit your accounting personnel to work longer than a year without taking a vacation?
  8. Do you have any accounting staff or key personnel who have not been secured with a fidelity bond?

If you answer “no” to any of these you may have a problem with assets:

  1. Are blank check stocks and signature stamps safely secured?
  2. Do you restrictively endorse all checks when received?
  3. Do you deposit cash and checks daily?
  4. Do you maintain a list of office furniture, equipment, and company vehicles?

Oh, and did you notice I said I easily used a password cracking program to get into that QuickBooks file?  The password protection provided by the program is easily overcome within mere seconds of using Elcomsoft or any number of other password cracking programs.  If Elcomsoft's program can't crack it because the password is too long, it merely asks you if it's okay to 'remove it' instead.

While this is certainly a case of Computer Security Law #3 [coming up in the next blog post], you should still be aware that it is EXTREMELY trivial to open up a password protected QuickBooks file.

Another patch for the patch

So I'm installing the Insight Manager update tonight and I go back in to check the hardware and rats.... the page doesn't resolve and says I need a new System Management home page.  Well, off I go to HP and find there is a new update as of April 25, 2005 for the HP System Management Homepage for Windows, version 2.0.2.106.  And as I'm installing this, since I only manage the one HP server [the other one is not an HP machine], I could set up the login for that monitoring in a certain way, but it was pretty obvious that you could use this to manage many different machines.

But now all is well, it's monitoring the processor and NICs again as it was.  Just another patch for another patch in the day of patching.

Dear Mr. Allchin and Mr. Dell:

Microsoft sharpens Longhorn for SMEs | The Register:
http://www.theregister.co.uk/2005/04/29/ms_sme_os/

He said Longhorn features such as security, backup, and peer to peer networking would deliver specific benefits for SMEs. At the same time new features in the operating system, such as its web services capabilities or its management capabilities, should throw up new SME opportunities for ISVs or services providers.

“There’s a lot of small businesses today who buy the wrong products,” said Goldberg.


Dear Jim Allchin and Michael Dell:

Can you do me a huge favor?  First off... Mr. Allchin?  Mr. Windows to the rest of us... can you make it really clear which version of the next Windows, called Longhorn, is good for what duty?  Down here in SBSland we're getting a bit tired of having to convince the small business owner that they bought the wrong operating system.  While one would think that it would be really clear that XP Home should only be used at home, it's amazing how many consultants come into the SBS community asking how to connect an XP Home machine to an SBS domain. 

Conversely, Mr. Dell, it drives me crazy how many times, on the web and in the brochures I get from your company, in the category of “Small Business” you showcase XP Home machines and only in teeny tiny writing do you recommend XP Pro.  Take a look at this link to your “featured deals” on the web.  The first desktop on the left is only offered in XP Home, yet the web site is clearly marked “Small Business”.  You say at the top “Dell recommends Microsoft® Windows® XP Professional”, but you don't say “why” XP Pro is recommended.

You've got a good overview of a SBS network, but where's the page on what operating system needs to be attached to a true server? 

I see there's a big push to make networking better for home and business users, but please don't make the same mistake as in the XP platform.  Don't make two versions, or make one that is 'cut down'.  Either that, or make it a lot clearer than it is now, because obviously the name “Home” just doesn't give buyers enough information to buy the right operating system.  One would think that the name “Home” would be enough, but obviously it isn't.  Price speaks louder.  Not to mention the fact that it's near impossible to buy an XP Pro machine in a retail computer store that caters to offices. 

Gentlemen, make it easier for the small business owner connecting to a small business server to buy the right operating system.

So do your clients just trust you?

I was a bit surprised the other day in the newsgroup when someone asked about the upcoming SBS 2003 SP1 because they had to 'sell' their bosses on the service pack.  Whoa.  I guess I'm wacko, because applying a service pack doesn't have to be sold to me at all; it's just something that's done.  Now I do decide “when” to do it, but for me, you don't have to 'sell me' on whether it should be done or not, it's just done.

I can understand if you wait because your line of business applications don't support it yet, but if you have a customer that doesn't see the value in service packs, think of the things in this one that Javier pointed out on his blog.

The Center for Internet Security describes Service packs as follows:  Microsoft periodically distributes large updates to its operating systems in the form of Service Packs as often as once every few months, or less frequently. Service Packs include all major and minor fixes up to the date of the service pack, and are extensively tested by Microsoft prior to release.

For the SBS consultant who is the outsourced CIO, the clients 'trust them' to apply the Service Pack at the appropriate time for that client.  For others, you may have to 'sell' that client on why a service pack is the right thing to do.  Windows 2003 SP1 layers on the same kind of protections that were placed in XP SP2.  Just a few of the things that caught my eye:

  • Data Execution Prevention - even if you don't have the hardware that supports this, the software DEP will be there checking to ensure that something isn't trying to throw off a buffer overflow
  • Internet Explorer changes to harden this more.
  • Tarpit for SMTP [SeanDaniel.com talked about this on his blog]
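If you do have to 'sell' the service pack, it helps to be able to show afterward that the protections actually took effect.  The script below is an added example, not from this post or from Microsoft; it assumes the DEP properties of the WMI Win32_OperatingSystem class and the TarpitTime value under the SMTPSVC Parameters registry key, neither of which the post names.

```powershell
# Added example: report whether two of the Windows Server 2003 SP1
# protections listed above (DEP and the SMTP tarpit) are in effect.
# Assumptions: Win32_OperatingSystem exposes the DataExecutionPrevention_*
# properties, and the SMTP service reads TarpitTime (seconds, DWORD)
# from its Parameters key. Run in PowerShell on the server itself.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # SupportPolicy values: 0 = AlwaysOff, 1 = AlwaysOn,
    # 2 = OptIn (Windows programs only), 3 = OptOut (everything unless excluded).
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[$policy]
        DepFor32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = [bool]$os.DataExecutionPrevention_Drivers
    }
}

function Get-SmtpTarpitSeconds {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
    $item = Get-ItemProperty -Path $key -Name TarpitTime -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: no delay configured
    return [int]$item.TarpitTime
}

$dep = Get-DepStatus
switch ($dep.Policy) {
    'AlwaysOff' { Write-Warning 'DEP is turned off in boot.ini; the SP1 protection is not active.' }
    'OptIn'     { Write-Warning 'DEP only covers Windows system binaries; consider OptOut on a server.' }
}
if (-not $dep.HardwareDepAvailable) {
    Write-Host 'No hardware NX support: only the software-enforced part of DEP applies.'
}
$dep | Format-List Policy, HardwareDepAvailable, DepFor32BitApps, DepForDrivers

$tarpit = Get-SmtpTarpitSeconds
if ($null -eq $tarpit) {
    Write-Warning 'SMTP tarpit not configured: bad-recipient responses are returned without delay.'
} else {
    Write-Host "SMTP tarpit: $tarpit second(s) delay before each bad-recipient response."
}
```

A warning from either check is the kind of concrete finding that makes the case for the service pack without having to argue it in the abstract.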

I would make a terrible marketing person... because I just can't imagine having to 'sell' a service pack.  It's just something you do, the way you ensure your system is in tip top shape and properly protected.  For a long time the joke was that when the first service pack came out for a product was when you should buy and install it.  I personally don't feel that way.  I may not install a service pack the first day, but sooner or later, it's installed.  There is only a question of 'when', not 'if'. 

So ..... do you have to 'sell' service packs to your clients?