June 2005 - Posts

Hold on ... SUS isn't dead yet [was: "If you aren't WSUSing maybe you'd better"]

From Bink today comes the word that SUS 1.0 is going to be turned off soon, so if you are running SUS... this US holiday weekend is probably a good time to start testing out WSUS.  Step by step instructions on migrating from SUS to WSUS are here, and given that we never READ [myself included], use this weekend to start reading.

And bookmark this KB article to keep you alerted as to what comes down on WSUS/AU, etc.

In fact, patching will be the topic I discuss at the SMB Technology Network.  To be specific: WSUS, Shavlik and patching in general.

Then in September at SMB nation it will be on Security and Hardening with Dana.

Hope to see you in both places!

Update --- okay I should have read more than the headline...

http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx

in the WSUS and SUS section:

Q. How long will Software Update Services (SUS) be supported by Microsoft?

A. SUS will be supported through June 6, 2006. The documentation for SUS will remain available on the web here.

Q. How long will SUS continue to receive new content from Windows Update?

A. SUS will no longer receive new update content after June 6, 2006.

Q. Will I still be able to download SUS?

A. No. SUS will no longer be available after June 30, 2005.

Error 0x80072EE2

I was checking Microsoft Update here at the office and when I went to MU I kept getting Error 0x80072EE2.  Hmmmmm.... so I googled and found KB 836941, "You receive an "Error 0x80072EE2" or an "Error 0x80072EFD" error message if you try to use the Microsoft Windows Update Web site".  Making the MU site a trusted site in IE fixed the issue and I can now use Microsoft Update [and for that matter Automatic Updates was apparently broken as well and just now started working again after I put the site into the Trusted Sites zone.]

Check and make sure that the check box indicating it's a trusted site is in place.

News at 11

Crazed woman arrested in Fresno after she disrupted a United flight from Las Vegas to Fresno.  Passengers say that the woman unbuckled her seat belt during takeoff, crawled over the seats and began strangling a passenger two rows behind her.  When questioned, the surrounding passengers said "I really don't know what happened."  "One minute the guy was just discussing with the passenger next to him how he downloads stuff through Morpheus and how it loads up pop ups and gunk on his machine, and every so many weeks he uninstalls Morpheus and then uses Microsoft AntiSpyware to clean up his PC and then reloads Morpheus and starts over again".  "He said that he didn't want to pay for Morpheus so he just put up with the pop ups and ads until it got really bad and then used the free Microsoft AntiSpyware".  Passengers said "the next thing we know she's screaming at the top of her lungs and has her hands around his throat".  They said that the female passenger calmed down a bit when the gentleman praised the Microsoft product for being so good [and free] at cleaning up his machine on a regular basis, and the fact that he was urging a fellow passenger to search on the Microsoft site to download it and install it on his machine.

The woman was carted away muttering..... "risk... he's actually ACCEPTING spyware as a reasonable computing experience because he's so cheap and sees this as perfectly fine"

Family members and a group of folks called MVPs were not available for comment....


........................

Okay ... so I didn't climb over the seats, strangle him, nor get hospitalized... but everything else is the truth.

Red hats, purple shirts and a belonging

The first five I met on the plane over from Fresno, the next group was in the line for a cab, the next view was in the window of a shop at the Bellagio hotel, and even now, sitting as I typically do on the airport floor next to the power plug-in, they are here... what are they?  The ladies in the red hats and wearing purple.

And these ladies over the age of 50 who decide to 'brand themselves' as people who want to live life a certain way also remind me of the SBS Community.  We don't wear red hats, but we bond and share info.

Here at a CPA Tech Conference, Anne Stanton [who amazes me with the amount of business cards she accumulates] found two firms from Alabama that specialize in SBS. She tells the soon-to-be community members about all that they are missing out on.  Sometimes we work in a silo and don't realize that 'we're normal' and that 'we belong'.  Sometimes you need a Red Hat kind of belonging.

Sept 9 - 11th, SMBNation is our SBS equivalent of the “Red Hat” Conference.  If you haven't booked by now, it's not too late.

Have it be your “red hat event”  

 

 

V6 Windows/Microsoft Update and SBS

Just a heads up to everyone.... the Windows Update/Microsoft Update site that may be offering updates to your servers right now [the one with v6 in its address] is offering you Windows 2003 SP1... that is NOT SBS 2003 SP1.  It is merely the first part of what you need for a complete service pack.

Remember that SBS 2003 SP1 is

  • Windows 2003 SP1
  • SharePoint SP1
  • Exchange SP1
  • XP SP2
  • and finally... the SBS-specific parts of the patches

You can't get the ISA Server and SQL Server SP4 pieces [Premium Edition] any other way than ordering the CD-ROM.

So if you've downloaded and installed it... just go to the SBS page and finish the SP installation.

 

Who am I?

In the Identity Management presentation by Roger Grimes at Tech 2005, he's talking about

  • Identification - who I am
  • Authentication - prove it
  • Authorization - can I access that object?
  • Accountability - who did what?

So many times in SBSland we don't take the time to worry about the last two.  We don't set specific permissions on files, shares, etc.  Yesterday I was asked by a CPA about the best way to allow a client to have access to their own financial reporting and nothing else, and it's a matter of permissions, isn't it?

Do we take the time to set permissions appropriately on shared files?  Heck no, we open up the whole thing.

And accountability?  Do we make sure that everyone logs in individually so that you can track who does what?
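Here is what "permissions and accountability" look like when you actually do them, as an added example that is not from the original post: one folder per client, explicit rights for that client's group only, and a SACL so you can answer "who did what" from the Security log.  The share root D:\ClientReports and the group DOMAIN\Client-ACME are hypothetical names; run it as an administrator on the file server.

```powershell
# Added example (not from the original post): lock a client's reporting folder down to one
# group and audit access to it. D:\ClientReports and DOMAIN\Client-ACME are placeholders.
$ErrorActionPreference = 'Stop'

function Set-ClientFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,          # e.g. D:\ClientReports\ACME
        [Parameter(Mandatory)][string]$ClientGroup,   # e.g. 'DOMAIN\Client-ACME' (read-only)
        [string]$StaffGroup = 'BUILTIN\Administrators' # whoever maintains the reports
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $acl = Get-Acl -Path $Path
    # Authorization: stop inheriting from the share root (which usually grants Users or
    # Everyone read) and do not copy the inherited entries down; then drop any leftovers.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rights  = [System.Security.AccessControl.FileSystemRights]

    # The client reads its own reports and nothing else; staff and SYSTEM keep full control.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ClientGroup, ($rights::ReadAndExecute), $inherit, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $StaffGroup, ($rights::FullControl), $inherit, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', ($rights::FullControl), $inherit, $prop, $allow)))
    Set-Acl -Path $Path -AclObject $acl
}

function Enable-ClientFolderAudit {
    param([Parameter(Mandatory)][string]$Path)
    # Accountability: who changed what (success + failure) and who tried to read and was refused.
    # Reading/writing the SACL needs the "Manage auditing and security log" right, and the
    # entries only produce events once "Audit object access" is enabled in the audit policy.
    $acl     = Get-Acl -Path $Path -Audit
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership',
        $inherit, $prop, [System.Security.AccessControl.AuditFlags]'Success, Failure')))
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', [System.Security.AccessControl.FileSystemRights]'ReadData',
        $inherit, $prop, [System.Security.AccessControl.AuditFlags]'Failure')))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ClientFolderReport {
    param([Parameter(Mandatory)][string]$Path)
    # Read back the DACL so you can see that only the intended identities remain.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-ClientFolderAcl -Path 'D:\ClientReports\ACME' -ClientGroup 'DOMAIN\Client-ACME'
Enable-ClientFolderAudit -Path 'D:\ClientReports\ACME'
Get-ClientFolderReport -Path 'D:\ClientReports\ACME' | Format-Table -AutoSize
```

The design point is the order of operations: break inheritance first, wipe what was copied, then add only what the client needs.  The audit rules are worthless on their own; the "Audit object access" policy has to be on, and the person in the log has to be an individual account, which is exactly the "does everyone log in individually" question above.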

...so we're packing up....

Last day of the AICPA Tech Conf in Vegas...

And of course, the LAST thing I'm putting in the suitcase is the DLink wireless access point.  We're using the TV checkout system.

Things we didn't do.

  • Sleep
  • Anne didn't audio blog
  • I didn't go to the pool
  • Anne didn't go to the hot tub
  • Convince Mark Minasi that SBS isn't evil just because it doesn't natively have a secondary domain controller

Things we did do

  • Didn't sleep
  • Talked with good friends
  • Made sure we introduced people that we knew.... that we wanted to make sure knew each other [Alan Brill from Kroll Ontrack... meet Roger Grimes]

And with that... I'm packing up the wireless... I'll be on the cellular air card for the next round...

Dual Skill sets

In the AICPA Tech 2005 presentation with Roger Grimes [fellow MVP], he's talking about Open Source.  And one of the points he makes is that migration is hard, from any platform to any other platform... AND he's making the point that in most firms you will have both Windows and Linux based operating systems and thus you'll need people with both skill sets in your firm.

 

Update rollup for Windows 2000 sp4 released today [SBS 2000]

* Security Advisory (891861) 

  - Title:    Release of Update Rollup 1 for Windows 2000 Service Pack 4 (SP4)
  - Web site: http://go.microsoft.com/fwlink/?LinkId=49772

Support:
========
Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

I ranted ..oh yeah I gave a talk

Gave a presentation today with Clint Kreitner from the Center for Internet Security on security benchmarks and we drove it home that we.... the users... the buyers... the consumers have the power.  We have the ability to ask... to make the vendors do a better job in security.  The topic was security benchmarks and how we can raise the bar.

Disable unneeded services.  Ensure you are fully patched.  Ensure you enforce password policies [passphrases].

I'll blog a bit more on this tomorrow... off to bed....

 

Rats... batteries

Rats... the digital camera is dead and so is the cell phone, and the power cords to charge them are all the way back in the hotel room, all the way back on the other side of the casino in the Spa Tower.

Batteries.... if you don't have power.... you don't compute.... you don't ....well you just don't.

Well I have two batteries [a backup] for the laptop... but don't have one for the cell phone... oh well... if you need me... don't call me... email or IM me.

That's the one thing we need to work on ....batteries....juice.. power...

Technology is a force of change

Blogging to you live from Vegas from the AICPA Tech2005 Conference and it's the 25th anniversary. One person has been part of that history the entire time ...Rick Richardson.  There will be some special events to celebrate this and Mark Minasi is sitting at the table getting ready to speak.

Some sound bites.... Technology is a core service and competency of the profession..... The future of our profession relies on business technology.

I've noticed that in Computer Security conferences ...some of the concepts being discussed are foundational accountability concepts. 

The hotel itself has 'egress filtering'... you must show your hotel key to enter the small hallway that gets you to the hotel rooms.  Kind of a human firewall mechanism if you will, and ingress and egress filtering for sure....

 

The knock at the door

Update - read Dana's view of the knock on the door

From the mailbag today comes the question...what do you do if you see traces of someone banging on your accounts?

Now here comes the controversy... some say they like account lockout as it shows when you are getting nailed... some, like Steve Riley and Dr. Jesper Johansson in their book Protecting Your Windows Network, say that if you have proper passwords [great passwords are akin to great strong locks on your doors] you can let them bang on those doors all they want, because you are snug behind those locks [and lockout hands an attacker an easy way to lock your own users out, just by guessing wrong a few times].

So what should you do when you see the door rattling?

Ask yourself if your locks [i.e. your passwords] are good enough.  If they are... roll over and go back to bed... because it would take them eons to break down the door if the lock is good enough [the eons assume they have to guess through the front door, one logon attempt at a time; if they ever get hold of the password hashes the math changes].  If, however, you have your doubts... then you need to replace your current lock [password] with a better lock [passphrase].

P.S.  In SBSLand we DO know when folks are knocking on the door because of our monitoring email.  Anytime there is a login failure we see it in the emails.  I personally want my ISA server logs more 'in my face' and heck..even RSSable.
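For the "more in my face" version of those monitoring emails, here is an added example, not from the original post, that pulls the failed logons out of the Security log on the server it runs on and groups them by account and source address.  Event 4625 is the failed-logon event on Vista/2008 and later; 529 is the Windows 2000/2003 one.  The ReplacementStrings positions below follow the documented field order of those two events, and the Threshold is an arbitrary number I picked.

```powershell
# Added example (not from the original post): who is rattling which door, and how hard.
# Run on the domain controller (on SBS, that is the server). Needs Windows PowerShell;
# Get-EventLog is not available in PowerShell 7, where Get-WinEvent replaces it.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,     # how far back to look
        [int]$Threshold = 10  # flag an account/source pair with at least this many failures
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
              Where-Object { $_.EventID -in 529, 4625 }

    $rows = foreach ($e in $events) {
        $f = $e.ReplacementStrings
        if ($e.EventID -eq 4625) {
            # 4625 field order: [5] TargetUserName, [6] TargetDomainName, [10] LogonType, [19] IpAddress
            [pscustomobject]@{ Time = $e.TimeGenerated; Account = "$($f[6])\$($f[5])"; LogonType = $f[10]; Source = $f[19] }
        } else {
            # 529 field order (2000/2003): [0] User Name, [1] Domain, [2] Logon Type, [11] Source Network Address
            [pscustomobject]@{ Time = $e.TimeGenerated; Account = "$($f[1])\$($f[0])"; LogonType = $f[2]; Source = $f[11] }
        }
    }

    $rows | Group-Object Account, Source | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account    = $_.Group[0].Account
            Source     = $_.Group[0].Source
            Failures   = $_.Count
            FirstSeen  = $sorted[0].Time
            LastSeen   = $sorted[-1].Time
            # 3 = network (SMB/OWA), 8 = cleartext (IIS basic auth), 10 = remote desktop
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            # Steady failures minutes apart from one inside host: a stale saved credential or a
            # misconfigured service. A burst from one outside address: someone guessing.
            Flagged    = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Read the output the way the post suggests: with a real passphrase policy in place, a flagged row from the outside is information, not an emergency, but it does tell you which account name they are trying and whether it is one that should exist at all.  If you do run account lockout, the lockout itself shows up as event 539 on 2003 and 4740 on later servers, which is the row you should never be happy to see, because it means an outsider just locked out one of your own users.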

So we're a bit high maintenance females

You would think Anne and I would fight over the TV station or where to eat or which sink each of us is going to use in the hotel room... but no... we fight over the high speed access.  Thus this time in my geek travels I brought with me a tiny [and I do mean tiny] D-Link wireless AP that broadcasts the room's connection.

So for those folks on the 17th floor of the Spa Tower at the Bellagio...no the hotel doesn't exactly offer wireless connectivity... you just have two geeky gals that hate sharing one wired connection so we made it easier to connect both of our laptops.

 

And yes, it's reallllyyyyy tiny.

Conferences and face time

A great conference is great because of the face time... show me a conference.... and I'll show you a bond... a level of communication that occurs.  Show me a really really great conference and I'll show you one with people who have communicated for a while in a virtual setting, and thus the conference itself is just to solidify what's already there.

While I'm totally pleased that TechEd has placed its presentations online, there's still a level of communication that just cannot be captured in “death by audio and PowerPoint”.  I'm in Las Vegas at the Bellagio at an AICPA Tech conference with my geeky CPA friends.  And while I'm making sure I'm buying the MP3 to listen to back home, I know that the talks with my fellow geeks over Mountain Dew will many times be just as valuable to me as the presentations themselves.

My only complaint [that has privacy issues as well] is when they give us the brochure for the attendees, that we don't get an opt-in to share emails addresses.  As it is I'll be advertising the community listserve on the web site of the conference. 

Hand out business cards.....join/start a listserve... keep that virtual face time going.... and that conference will give back ten fold.

For you SBSers...don't miss the summer mini Harry-fest in Los Angeles and remember the SBS lovefest of www.smbnation.com this fall.

Alice and Bob bring us Law #7 of the Immutable Laws of Security

Law #7: Encrypted data is only as secure as the decryption key

Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he'd have everything he needed to open the lock. Encrypted data works the same way—no matter how strong the crypto algorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience – you don't have to handle the key – but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the computer it can be found. It has to be – after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations. (All of you administrators out there who are using Syskey in "local storage" mode—you're going to reconfigure your server right this minute, right?)


I forgot to bring up Law #7 in our discussion of Alice and Bob trying to email one another.... and it relates to our choices: where that decryption key is stored.  This reminds me of what we do with backups.  Keeping the key... or a backup tape..... or whatever on the same site as the very thing you are trying to secure puts that 'thing' at risk.  You must make sure the thing that is key to the security of your network is protected offsite.

Oh, and can you make sure that offsite storage location is secure as well?  Because that location's security affects your security too.

Location...location...location.... remember... it's all about that security of the location.

Things that are annoying about computers

Had to remove a computer drive to do a forensic analysis on it, and it's always annoying how the teeny tiny screws that hold the hard drive drop inside the case.  And then of course you have a heck of a time getting them back out.  Even though Dell machines are a bit cheesy, they are nicer in that you mount the drive on these plastic drive rails and it's that that you stick into the computer.  I could tell that even the original manufacturer of the system cheated... they only put one screw on the far side of the unit [you know, the side that you are normally going 'through the case' to get at?]

Now it's off to put the drive back in the unit and make sure it's working to go back.  Meanwhile I have a forensically sound bit by bit backup of the drive that I can scan for what I need for the investigation.  [I'm using EnCase and not Norton Ghost or anything like that as it automatically makes hash values and whatnot of the data to prove that the image and the original are the same data.]

Packing list

Las Vegas packing

  • Pocket CDrs that have CISecurity.org information burned in [the presentation topic is benchmarking...more on this later]
  • Presentation on USB thumb drive/laptop and CDrs
  • Laptop
  • Remote presentation thingy [...ooh need to go find that]
  • Digital camera
  • Smart media chip reader
  • power cords
  • Cingular aircard
  • Speaking schedule
  • Moderating duties schedule
  • Front page 2003 in case of last minute changes to web site
  • ooh... business cards [see I'm going to forget something]
  • batteries for camera
  • spare battery/charger for computer

Oh yeah... clothes and makeup...guess that would be good to remember...huh?

To /3GB or not to /3GB that is the question

I don't.

Some do.

Most say they see no difference. 

SBS engineers have said don't do it.

A KB says no....but there are enough vague ones out there that say ...yes do it...

What am I talking about?

The /3GB switch.  I have 4 gigs of RAM and have never messed with that setting.  I have folks that have messed with it and see no impact.

So... start the debate.... do you?  Don't you?  Do you see a difference?  And note the two KB excerpts below... I'd say that's a “don't do it“.... wouldn't you?  [The switch gives user-mode processes 3 GB by shrinking the kernel's share of the address space to 1 GB, which means fewer system PTEs and less paged pool for everything else living on that same SBS box: AD, the Exchange store, ISA, SQL.  That squeeze is why the KBs single out Exchange-on-a-DC.]

If you are having memory issues...check out the blog links on allocated memory alerts.


*Note* For Exchange Server computers which are at the same time Active Directory Domain Controllers or Global Catalog servers we also do not recommend setting the /3GB switch in boot.ini. We recommend having dedicated Active Directory Domain Controllers or Global Catalog servers.

http://support.microsoft.com/?kbid=815372

Note You do not have to use the /3GB switch on Microsoft Windows Small Business Server 2003-based computers. We do not recommend that you use the /3GB switch parameter in the Boot.ini file for Exchange Server computers that are also Active Directory domain controllers or global catalog servers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823440
 

Don't get blogs and RSS? You should!

I have an 'addictive' personality.... I'll admit it.....I'm addicted to Dew... I'm passionate about SBS... and blogging.. well.... I think it's obvious that I'm wacko about that too.  At first when I started this blog I was like...what the heck am I going to talk about ... and it started off with just tech notes and my external web based filing cabinet.  And most days it's just that.....like put a phrase in that inurl Google box like...Thanks Les - that's my post on how to clean up Exchange..... Allocated Memory.... that's all the info on my memory alerts issues... it's also sometimes my vent and rant location...but I've also tried to capture things that I'm seeing in the SBS newsgroups and communities as well.... the collective [okay... so Borg] experiences of all of us filtered through the blog.

Along the way there are folks that get blogs and those that don't... and most that don't get blogs aren't using news aggregators for viewing them... they are googling and hitting the XML format and don't understand what they've hit.

But it's more than just that isn't it?  There's a person, a voice... a conversation that begins... it's not just one person, the interaction with readers and those who contact via the contact page [that is now working again I might add] means that there is a dialog.

If you don't see what the possibility is of RSS... watch this....do you see the possibilities?  And some of this isn't needing the Longhorn under the hood to do.

Starting tomorrow I'll be blogging from Vegas as I'm on my way to the AICPA Tech Conference.... hmmmm....wonder if I can find something orange to wear to showcase “I get” RSS.

For those of you who don't.... start opening up that mind to the possibilities....

I guess I'm a spammer again

Dear SBC Yahoo, I wish you would do something about your mail servers... on a regular basis these days I'm told that my emails end up in the junk mail folder... and I jokingly say “it's because of pacbell.net, as it got bought out by Yahoo”.  And tonight someone that I was emailing with... suddenly I can't email them anymore... why?

Because of 'spamcop.net'.  And do I... as a mere user of SBC Yahoo, have any ability whatsoever to delist myself?  Nope.  I'm just an end user who has no rights.... Microsoft is announcing that to help reduce spam they are mandating Sender ID records... and who does it hurt the most?  Yup... small to medium firms.  That's us.

And what are my alternatives?  Not much that I can see... I'm not the administrator of SBC so there's not much I can do.


68.142.229.96 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.

Causes of listing
  • System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Automatic delisting

If you are the administrator of smtp109.sbc.mail.re2.yahoo.com. and you are sure it will not be the subject of any more reports of spam, you may cause the system to be delisted without waiting for us to review the issue.

You may only do this once per IP! So please be sure that the problem is really and truly resolved. If you delist your system and we get more spam reports about it, you will not be allowed to expedite delisting again. Delisting normally occurs 24 hours after spam reports have ceased.

You must be able to receive mail at one of the addresses below. Until you have received and confirmed your request, it will not take effect.

Looking for potential administrative email addresses for 68.142.229.96:

216.145.48.35 is an mx ( 1 ) for smtp109.sbc.mail.re2.yahoo.com
cannot find an mx for sbc.mail.re2.yahoo.com
cannot find an mx for mail.re2.yahoo.com
216.145.48.35 is an mx ( 1 ) for re2.yahoo.com
64.156.215.6 is an mx ( 1 ) for yahoo.com
postmaster@yahoo.com redirects to yahoo@admin.spamcop.net
hostmaster@yahoo.com refuses SpamCop reports
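What the listing above actually is, mechanically, is a DNS zone: a receiving mail server reverses the octets of the connecting IP, appends the blocklist zone name, and treats an A record answer in 127.0.0.0/8 as "listed".  The example below is added here and is not from the original post; it performs that same lookup so you can tell which of your provider's outbound relays is on the list before you call support.  The IP and relay name are the ones from the SpamCop page above; bl.spamcop.net is the only zone queried by default.

```powershell
# Added example (not from the original post): query a DNSBL the way a receiving MTA does.
function Get-DnsblName {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$Zone)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw 'IPv4 only: bl.spamcop.net and most other DNSBLs are keyed on reversed IPv4 octets'
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)
    # 68.142.229.96 + bl.spamcop.net -> 96.229.142.68.bl.spamcop.net
    return (($octets -join '.') + '.' + $Zone)
}

function Test-DnsblListing {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string[]]$Zones = @('bl.spamcop.net')
    )
    foreach ($zone in $Zones) {
        $query = Get-DnsblName -IPAddress $IPAddress -Zone $zone
        $codes = @()
        try {
            # "Not listed" is an NXDOMAIN, which surfaces here as an exception; any answer
            # inside 127.0.0.0/8 means listed, and the last octet is the list's reason code
            # (SpamCop returns 127.0.0.2 for a listing, as on the page above).
            $codes = @([System.Net.Dns]::GetHostAddresses($query) |
                       ForEach-Object { $_.IPAddressToString } |
                       Where-Object { $_ -like '127.*' })
        } catch { }
        [pscustomobject]@{
            IPAddress = $IPAddress
            Zone      = $zone
            Query     = $query
            Listed    = ($codes.Count -gt 0)
            Codes     = ($codes -join ',')
        }
    }
}

# Test the address that actually handed the mail off (from the Received: header or the
# bounce), not the name you think your relay has; here, SpamCop's own example.
Test-DnsblListing -IPAddress '68.142.229.96' | Format-Table -AutoSize
```

Two caveats a practitioner would want: a provider like SBC Yahoo rotates outbound relays, so the address that bounced today may not be the one you send through tomorrow, and only the administrator of the listed relay can use the expedited delisting described above.  What the lookup buys you as an end user is a precise complaint ("smtp109 at 68.142.229.96 is on bl.spamcop.net") rather than "my mail is going to junk".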

Piracy in Software

What do you get when you purchase software?  Think about it... it's instructions, it's a cdrom..but what really 'is' it?  Is it a manufactured item?  Not exactly is it?  It's someone's brain cells in a silver cdrom isn't it?  Think about it.  It's someone's ideas, thoughts, goals, brain power, it's all of that isn't it.  And all we do is “license” it.  We don't own it.

So I just don't get it sometimes when people ask about buying software from somewhere and the price of that software is just way way way too low to be legit.  A couple of instances occurred recently when someone asked about software being sold on eBay [red flag number one] and the eBay seller said that the transaction involved “evaluation software” and you would then get a registry program to tweak it into the full software.

Say...whaaaattt?

The only way you can get full software from an eval is to BUY the full retail version and install it over the top of the eval.  You don't lose anything other than the time bomb.  There is no such thing as a tweak program.  Next is the bogus issue of selling OEM software with something as stupid as a mouse.  I'm sorry... but OEM server software means you HAVE a server... not just a mouse... to go with it.  And then there are sites that offer 'downloadable' SBS software.  Excuse me?  We don't even download the Premium version of SBS service packs and have to order those by CD-ROM.

Software licenses have a price tag...this isn't the normal marketplace...this is the price that has been set for this software.  So that if you see someone selling a SBS Standard at a beginning Ebay auction price of US $40...that isn't a value that has been set by marketplace factors ..... not unless you call selling not for resale product, or selling pirated versions marketplace factors.

As a result of all this bootleg stuff...we all pay.

Just keep that in mind will you...the next time someone asks if a cheap software is a good deal, remind them that they are stealing from all of us.

Just remember.... we all pay for piracy in the long run.

Are you aware of these Security resources?

Are you aware of the following resources from Microsoft Security?

MSRC blog [Microsoft Security Response Center Blog]

Security bulletins on IM

Security advisories

Security advisory sign up - [included in comprehensive edition which also includes advance notification and updates to bulletin email]

Advance patch notification

Security bulletins on RSS 

Security newsletter

You are now....

The mission... should you decide to accept it ... is to beat up your vendors

How to fix an application that isn't working after 05-026

Microsoft Security Bulletin MS05-026 broke the “help” file inside the CCH tax preparation program... you go to help... and there's nothing there... but there's an easy fix that is listed in this KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;896054

  • Click on Start
  • Run
  • Regedit
  • Find HKEY_LOCAL_MACHINE
  • Find the subfolder SOFTWARE
  • Find the subfolder Microsoft
  • Find the subfolder HTMLHelp
  • Find the subfolder 1.x
  • Now click on that 1.x folder and right mouse click
  • Now click on 'New' and then on 'Key' and add a new key
  • Type in ItssRestrictions
  • Hit Enter
  • Click on the subfolder ItssRestrictions
  • Right mouse click, click on 'New' and then on 'DWORD Value'
  • In the “New Value“ box, type in MaxAllowedZone
  • Hit Enter
  • Click on that “MaxAllowedZone“ and right mouse click
  • Click on “Modify“
  • Change the value data from 0 to 1
  • Click OK
  • Close the Registry Editor

Try CCH tax software again.  Your help files should now work as expected.

When you get done the left side should look like this

The right side should look like

P.S.  This KB article is actually referred to from a “caveat” link at the top of the Security bulletin that points to known issues.  Always review the “Known issue” for the issues that have already been found and fixed.
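The same change as the click-through above, scripted so you can repeat it on every workstation that runs the affected program, as an added example that is not from the original post or from the KB.  The key and value name are the ones in the steps above; the meaning of the number is from KB 896054 as I read it: MaxAllowedZone is the highest Internet Explorer security zone HTML Help is allowed to load .chm content from (0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites).  Run it as an administrator; it writes to HKLM.

```powershell
# Added example (not from the original post): KB 896054 registry fix, with a backup and a read-back.
$helpKey     = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x'
$restrictKey = Join-Path $helpKey 'ItssRestrictions'

function Get-HtmlHelpMaxAllowedZone {
    # Current value, or $null when the key/value is absent and the update's default restriction applies.
    if (-not (Test-Path $restrictKey)) { return $null }
    (Get-ItemProperty -Path $restrictKey -Name 'MaxAllowedZone' -ErrorAction SilentlyContinue).MaxAllowedZone
}

function Set-HtmlHelpMaxAllowedZone {
    # 1 is what the CCH help file above needs (content from the Local Intranet zone).
    # 3 would reopen the Internet-zone exposure MS05-026 closed; treat anything above 1 as a
    # deliberate exception you can justify, not a convenience.
    param([ValidateRange(0, 4)][int]$Zone = 1)
    if (-not (Test-Path $restrictKey)) { New-Item -Path $restrictKey -Force | Out-Null }
    New-ItemProperty -Path $restrictKey -Name 'MaxAllowedZone' -PropertyType DWord -Value $Zone -Force | Out-Null
    Get-HtmlHelpMaxAllowedZone
}

# Keep a way back before touching anything, then apply and show the result.
reg.exe export 'HKLM\SOFTWARE\Microsoft\HTMLHelp' "$env:TEMP\HTMLHelp-before.reg" /y | Out-Null
"Before: $(Get-HtmlHelpMaxAllowedZone)"
"After:  $(Set-HtmlHelpMaxAllowedZone -Zone 1)"
```

If the only help content you need to re-enable lives at a known path, KB 896054 also describes a UrlAllowList string value under the same key that whitelists specific locations, which is tighter than raising the zone for every .chm on the machine.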

Still having issues with backup and monitoring after SP1 and the KB doesn't work?

Lrob pings that he's still having issues with backup and monitoring..... However, that particular fix does not work for me. And I am about to take a gun to this unit. This did happen after a service pack update and also broke the MSDE icon that sits in the system tray. Before the service pack it had the green arrow and would list the server and associated database. Now, no arrow, no database listing. It has been this way for a while and does not seem to be affecting the server operation except the backup and monitoring pages. I have looked everywhere and have tried different things. Is there anything else related to this that you know of?

If you've tried that KB, that's all I have... if it worked before the service pack...then call product support services and get help on this.  Don't let the threat of the price tag scare you.... once the issue is identified as being caused by a security patch or service pack, the issue is normally a free call.

Also the icon can be removed and it's merely a leftover from a SQL patch.

The best advice I can give is to call.  For those that are supporting customers on SBS... sign up for the Microsoft Partner Program as they have business-down support offerings.

If you are supporting customers on SBS and are not a Microsoft partner...can you come a little bit closer to the monitor?

Closer?

<whack upside the head>

Why aren't you?

This is your business and why aren't you getting all the tools and resources you can to best support your customers?

 

The "Wow" factor Stepto style

“Stepto” is a member of the Microsoft Security Response Center and in his personal blog talks about his use of technology. You remember... our “WOW” factor?

Read his post.

Now think of all the technologies he talks about that we can already do in SBSland.

Kewl, huh?!

Pst...try this for the link.

Something to think about when you use your Windows 98 machine

When you or your clients use that Windows 98 machine..just think of this...

Windows 98...what was job one for that operating system?  Being a GUI platform for programs.

Was it a feature of that operating system to be a tool for the Internet?  I'd argue not.

Was it a feature of that operating system to have security included?

Nope.

Think about that one the next time your client says 98 is 'good enough'.

Good enough for what?

Alice and Bob revisited

Revisiting the Alice and Bob encryption story with an update.  Someone was asking: if they send out an encrypted message and only half of the people on the mailing list have digital certificates, will the email be encrypted to just that half of the recipients?  Nope.  Doesn't work that way at all.  Only those folks whose public key you already HAVE in your certificate store can be sent an encrypted message.  Your email client will 'barf' on the ones that you don't have a certificate for, and refuse to send the message encrypted at all.  Your email client has a hidden location where it stores all the public certificates it has picked up from folks merely emailing you digitally signed messages.

You MUST have their public key... that's the key element in this... let me repeat that... YOU MUST have their key before you can SEND THEM the encrypted message.  So to start this encryption tango, Bob must send Alice his public key, in the form of merely a digitally signed email [the signature carries his certificate along with it].  Once Alice has a digitally signed email from Bob, she can now encrypt email to him.  Read the comment here.

As far as PGP being easier.... now... I could be wrong [this wouldn't be the first time] but PGP mail encrypts the attachments as far as I know.  It's not encrypting the message transmission, as I understand it.  In discussing the situation with my fellow MVP, we discussed that right now I actually encrypt attachments, via PDF or other means, but I'm not actually encrypting the email message because 99 times out of 100 I don't have the other person's public key, they HAVE no public key, and when I'd automagically add my digital certificate to all of my outgoing emails so that the “Bobs” of this world already HAD my public key, 99 times out of 100 I'd get a phone call saying “What is this attachment to your email?  I can't open it.  Do you have a virus?”

Needless to say I stopped automagically attaching it to my outgoing emails.  You 'can' get Bob's public key from public key repositories on the web.  You can even get them from web sites.  Take for example the public key for the Microsoft Security Response Center.  Once you add 'their' key to your email certificate repository you can send THEM encrypted email [assuming you already have a certificate of your own, of course].

See how this works?  Once you get 'theirs' you can now encrypt something to THEM but not before.

Right now I encrypt attachments, and if I'm sending files that I want to protect that are large, I'll use www.hypersend.com  But right now, Alice just ain't ready for Bob to be encrypting.

Now I could go into how folks recommend that you have a key signing party... but that's another Alice and Bob story for another day.....

P.S.  I said “buy” a certificate, but you 'can' get free email only certificates as well.

SBS KB articles of interest

Credentials that are provided to ISA Server are sent in an unprotected form:
http://support.microsoft.com/?kbid=899807
ISA Server 2000 Web site visitors may be directed to unexpected content: [only SBS 2003 pre sp1 without ISA 2004]
http://support.microsoft.com/?kbid=901117
The shutdown process takes longer than expected to finish on a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=887539

Alice and Bob want to send secure emails.... oh and can they not be forwarded too?

A fellow MVP sent me a digitally signed email and asked if the email was encrypted.... but you see it wasn't.  Why not?  Because he didn't have 'my' digital certificate in his cert store.  You see, when Alice wants to send an encrypted email to Bob, she must make sure, before she can encrypt the email between her and Bob, that she has HIS digital certificate [the public key inside it is what does the encrypting].  It's not enough for Alice to have a Verisign email digital certificate of her own; she also needs the certificate of the person on the other end of the email transaction.

So step number one for Alice is to purchase a digital certificate.  Step two is for Alice to send a digitally signed email to the person she intends to encrypt email to [aka Bob]; a signed message carries the sender's certificate along with it, which is how Bob gets hold of Alice's public key [in Outlook, adding Alice to Contacts from that signed message saves the certificate].  Step three is to have Bob also buy a digital certificate and send a digitally signed email to Alice.  Once Alice and Bob have swapped these public keys, they can send encrypted email to one another that can't be read in transit.  [it also won't show in your preview pane because it's encrypted]  One caveat: the signature only proves who sent the message and that it wasn't altered on the way; it's the encryption step that keeps it private, so a signed-but-not-encrypted message is still readable by anyone along the path.
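The three-step exchange above, as an added example that is not part of the original post: a small Python simulation using the cryptography package (assumed to be installed). The names Mailer, Message, send_signed, send_encrypted, receive and demo are mine; a PEM-encoded public key stands in for the X.509 certificate that real S/MIME carries, and RSA-OAEP is applied to the short message directly, where real S/MIME encrypts with a random content key and wraps that key to the recipient's certificate.

```python
"""Simulated S/MIME exchange: Alice can encrypt to Bob only after she holds
Bob's certificate, and she gets it from a message Bob signed.

Added example, not code from the original post.  Assumes the `cryptography`
package is installed.  A PEM public key stands in for the X.509 certificate
that real S/MIME carries, and RSA-OAEP is applied to the short message
directly (real S/MIME wraps a random AES content key instead)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SIGN_PAD = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                       salt_length=padding.PSS.MAX_LENGTH)
ENC_PAD = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                       algorithm=hashes.SHA256(), label=None)


@dataclass
class Message:
    sender: str
    body: bytes
    signature: Optional[bytes] = None
    sender_cert: Optional[bytes] = None   # PEM public key, "the certificate"
    encrypted: bool = False


@dataclass
class Mailer:
    """One mail user: a private key (step one, 'buy a certificate') and a
    store of other people's certificates (Outlook's Contacts folder)."""
    name: str
    private_key: rsa.RSAPrivateKey = field(
        default_factory=lambda: rsa.generate_private_key(public_exponent=65537, key_size=2048))
    cert_store: Dict[str, rsa.RSAPublicKey] = field(default_factory=dict)

    def cert_pem(self) -> bytes:
        return self.private_key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    def send_signed(self, body: bytes) -> Message:
        """A signed message carries the sender's certificate along with it."""
        sig = self.private_key.sign(body, SIGN_PAD, hashes.SHA256())
        return Message(self.name, body, signature=sig, sender_cert=self.cert_pem())

    def can_encrypt_to(self, name: str) -> bool:
        return name in self.cert_store

    def send_encrypted(self, to: str, body: bytes) -> Message:
        if not self.can_encrypt_to(to):
            raise LookupError(f"{self.name} has no certificate for {to}; "
                              "ask them for a signed message first")
        return Message(self.name, self.cert_store[to].encrypt(body, ENC_PAD), encrypted=True)

    def receive(self, msg: Message) -> bytes:
        """Decrypt an encrypted message, or verify a signed one and keep the
        sender's certificate so we can encrypt to them later.  A tampered
        body makes verify() raise InvalidSignature and nothing is stored."""
        if msg.encrypted:
            return self.private_key.decrypt(msg.body, ENC_PAD)
        if msg.signature is not None:
            pub = serialization.load_pem_public_key(msg.sender_cert)
            pub.verify(msg.signature, msg.body, SIGN_PAD, hashes.SHA256())
            self.cert_store[msg.sender] = pub
        return msg.body


def demo():
    """Run the three steps; report (could encrypt before, could after, round trip ok)."""
    alice, bob = Mailer("alice"), Mailer("bob")
    before = alice.can_encrypt_to("bob")
    bob.receive(alice.send_signed(b"Hi Bob, my certificate is attached"))   # step two
    alice.receive(bob.send_signed(b"Hi Alice, here is mine"))             # step three
    secret = b"the new payroll password"
    plain = bob.receive(alice.send_encrypted("bob", secret))
    return before, alice.can_encrypt_to("bob"), plain == secret


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```

The LookupError in send_encrypted is the "I don't have Bob's key" situation from the post; the only way out of it in this model, as in Outlook, is to receive something Bob signed first.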

Okay so now the email can't be forwarded on to anyone else right?  Uh...wrong.  To restrict forwarding, editing and what not, you'd need digital rights management [another server] to add to your network.  Even then, the last time I checked the license for the ability to do DRM outside the organization was pretty pricey.

....so...what do you think... yeah... like my fellow MVP said...not easy at all huh?

Encryption should be a lot more of a one button secure me now kind of process....and it's not.  Add to this the issue that I personally have with about 3 computers having my email, and you have to make sure my digital certificate is exported and moved to other computers.

Oh.... and encrypted instant messenger.... haven't thought of that one have you?  Those IMs you send go over the wire in the clear unless you encrypt them.  Here's one here for MSN if you'd like to try it out.

Blocking Spyware from the get go

A fellow SBSer who had a client workstation hit with Coolwebsearch reminded me of a way to prevent some of these things before they wiggle their way into your network.

A blocking hosts file that stops Malware.

What you say?  The hosts file?  Yup that thing we used to edit in Windows 98 can also be used to help prevent bad things from entering.

One excellent resource is on this page.  Merely replace your hosts file with this file and the names on the list will resolve to 127.0.0.1 [your own machine], so the browser or the spyware installer never reaches the real site; if nothing is listening on port 80 locally you get a blank page or an error.  A couple of caveats: the hosts file matches whole names only, so a subdomain or a brand-new domain that isn't on the list goes straight through, and anything that connects by IP address instead of by name isn't stopped at all.  On a machine that runs its own web server [an SBS box, for one], pointing names at 127.0.0.1 sends those requests to your own IIS; 0.0.0.0 as the address avoids that.  And a very large hosts file can slow down the DNS Client service on XP/2003, which loads the whole file into its cache.

A bit of a sample of it is shown below:

#start of lines added by WinHelp2002
# [Misc Add-ons][A - Z]
127.0.0.1  acestats.com
127.0.0.1  www.acestats.com
127.0.0.1  www.activesearch.com #[Adware.ActiveSearch]
127.0.0.1  actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]
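An added example, not code from the original post or from the WinHelp2002 page: a Python parser for the hosts format shown above, plus a lookup that mimics the resolver's whole-name matching, to make the "listed names only" limitation concrete. The sample is the four lines from the page plus the stock localhost entry; parse_hosts, lookup and block_lines are my names.

```python
"""Parse a WinHelp2002-style blocking hosts file and look names up the way
the Windows resolver does (whole-name match, hosts file before DNS).
Added example, not code from the original post or the WinHelp2002 page;
the sample is the page's four lines plus the stock localhost entry."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_HOSTS = """\
# stock Windows entry; keep it
127.0.0.1       localhost
#start of lines added by WinHelp2002
# [Misc Add-ons][A - Z]
127.0.0.1  acestats.com
127.0.0.1  www.acestats.com
127.0.0.1  www.activesearch.com #[Adware.ActiveSearch]
127.0.0.1  actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]
"""

# RFC 952/1123 host name: labels of letters, digits and hyphens, no underscores
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Return ({hostname: ip}, [(line number, bad line)]).  Comments after '#'
    are stripped, names are lowercased, and a malformed line is reported
    instead of silently dropped (the resolver would just ignore it)."""
    table: Dict[str, str] = {}
    bad: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if not IP_RE.match(ip) or not names or not all(HOST_RE.match(n) for n in names):
            bad.append((lineno, raw))
            continue
        for n in names:
            table[n.lower()] = ip
    return table, bad


def lookup(name: str, table: Dict[str, str]) -> Optional[str]:
    """What the hosts file answers for `name`, or None meaning 'ask DNS'.
    Matching is on the whole name, so ads.acestats.com is NOT caught by the
    acestats.com entry: a blocklist has to list every host name it wants to stop."""
    return table.get(name.lower().rstrip("."))


def block_lines(names: List[str], sink: str = "0.0.0.0") -> List[str]:
    """Build blocklist lines.  0.0.0.0 rather than 127.0.0.1 keeps the browser
    from knocking on a web server running on the local box (an SBS server, say)."""
    return [f"{sink} {n}" for n in sorted({n.lower() for n in names})]


if __name__ == "__main__":
    table, bad = parse_hosts(SAMPLE_HOSTS)
    for host in ("www.activesearch.com", "ads.acestats.com"):
        print(host, "->", lookup(host, table) or "DNS")
```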

Blocking Windows 2003 sp1 from your systems

Got a lot of servers [or a lot of SBS servers] that you want to block Windows 2003 sp 1 from [so your clients/customers won't automatically click and install it until YOU are ready?]

Click here for tools to block the deployment of Windows 2003 sp1 on automatic update on July 26, 2005 until March 30, 2006.

“While recognizing the security benefits of Windows Server 2003 Service Pack 1 (SP1), some organizations have requested the ability to temporarily disable the automatic delivery of this update through Automatic Updates (AU) and Windows Update (WU).”

Before anyone asks... I 'think' us SBSers will be blocked from AU offering up Windows 2003 sp1....but I think I'll go check...I'll let you know....

MS Security advisory: Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 21, 2005
********************************************************************

Security Advisory Updated or Released Today
==============================================

* Security Advisory (902333)
 - Title: Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts

 - Web site:
http://go.microsoft.com/fwlink/?LinkId=49437



Support:
========
Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at:
http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
 valuable information to help you protect your network. This
 newsletter provides practical security tips, topical security
 guidance, useful resources and links, pointers to helpful
 community resources, and a forum for you to provide feedback
 and ask security-related questions.
 You can sign up for the newsletter at:

 
http://www.microsoft.com/technet/security/secnews/default.mspx

* Microsoft has created a free e-mail notification service that
 serves as a supplement to the Security Notification Service
 (this e-mail): The Microsoft Security Notification Service:
 Comprehensive Version. It provides timely notification of any
 minor changes or revisions to previously released Microsoft
 Security Bulletins and Security Advisories. This new service
 provides notifications that are written for IT professionals and
 contain technical information about the revisions to security
 bulletins. To register visit the following Web site:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

* Protect your PC: Microsoft has provided information on how you
 can help protect your PC at the following locations:

 
http://www.microsoft.com/security/protect/

 If you receive an e-mail that claims to be distributing a
 Microsoft security update, it is a hoax that may be distributing a
 virus. Microsoft does not distribute security updates through
 e-mail. You can learn more about Microsoft's software distribution
 policies here:
 
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

Backup and Monitoring not working after SBS sp1?

I've seen this a couple of times so I thought I'd repost it again

After SBS 2003 sp1 you can't get to the backup and monitoring snap in.... you can fix it here:

842693 You receive a "HTTP 400 - Bad Request" error message when you try to
use the Monitoring and Reporting snap-in or the Backup snap-in on a Windows
Small Business Server 2003-based computer
http://support.microsoft.com/?id=842693

What ports do I need?

From the mailbag today comes the question...what ports do I need?

And the question was whether all of these ports need to be forwarded from the hardware firewall to the NIC of the server:

Small Business Server 2003
21:   FTP  (do we need port 20 for FTP data also?)
25:   Email
80:   Web
139:  License logging service [Note:  no, that's not what 139 is; it's NetBIOS session, one of your file and print sharing ports]
443:  Secure web
444:  Windows sharepoint intranet site
445:  License logging service [Note:  same story; 445 is SMB over TCP, the other file and print sharing port]
1723: VPN
3389: Terminal services
4125: Remote web access
 
And the answer is...heck no.  Only open up the bare minimum.
 
What's the minimum?
 
25 - ONLY if you use SMTP mail [full MX record the whole shebang]
443 - Secure web
444 - ONLY if you want Company web/sharepoint externally available
4125 - Remote Web access.
 
That's it.
 
You don't need port 21 unless you plan on hosting Lindsey Lohan's latest bootleg song on your server [and FTP sends the username and password in the clear anyway], you don't need 80 as Remote Web Workplace works perfectly over SSL, you NEVER EVER want to open up port 139 on your outside router [what license logging do you need to externally publish for heaven's sake? Remember 137-139 are the file and print sharing ports, and 445 is the same thing over plain TCP.... don't open any of them up to the outside, folks], you can do VPN at 1723 but remember to also open up the PPTP passthrough [GRE, IP protocol 47 in geek speak; it isn't a TCP port, so a plain port-forward rule won't do it], and I honestly don't feel a need to open up 3389 externally even though I have a TS member server, as my TS sessions come through the Remote Web Workplace.
 
You also don't have to open up port 110 externally.  That's only if someone is POPping mail off your server from outside.  And quite frankly... that's what OWA and OMA and Outlook over HTTP are all about.  Why do you want to POP [with the password going across in the clear] when you can get email more securely?  Remember the best instructions for Outlook over HTTP are right inside the Remote Web Workplace.
 
Update:  More resources here and here and here.
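To make the "bare minimum" reasoning above repeatable, here is an added Python example (not from the original post) that takes a proposed port-forward list and the services the site actually uses, and reports what to close, what is missing, and what must never be published. SERVICE_PORTS follows the post's list; the names audit, NEVER_INBOUND and DISCOURAGED are mine, and the GRE note is standard PPTP behaviour rather than something the post spells out.

```python
"""Audit a proposed inbound port-forward list for an SBS 2003 box against the
'bare minimum' rule.  Added example, not from the original post: the service
to port mapping follows the post's answer; NEVER_INBOUND, DISCOURAGED and
the PPTP/GRE note are standard TCP/IP facts, the function names are mine."""
from typing import Dict, Iterable, List, Set, Tuple

# what each service the site might need actually requires inbound (TCP)
SERVICE_PORTS: Dict[str, Set[int]] = {
    "smtp": {25},            # only with a full MX record pointing at you
    "rww": {443, 4125},      # Remote Web Workplace, incl. its RDP proxy port
    "owa": {443},            # Outlook Web Access / Outlook over HTTP
    "companyweb": {444},     # SharePoint intranet published externally
    "pptp_vpn": {1723},      # plus GRE, which is not a port, see audit()
}
# RPC endpoint mapper, NetBIOS name/datagram/session and SMB over TCP
NEVER_INBOUND: Set[int] = {135, 137, 138, 139, 445}
DISCOURAGED: Dict[int, str] = {
    21: "FTP sends credentials in the clear and needs port 20 or a passive range too",
    80: "plain HTTP; RWW and OWA work over 443",
    110: "POP3 sends the password in the clear; use OWA or Outlook over HTTP",
    3389: "RDP straight to the box; reach Terminal Services through RWW instead",
}

Finding = Tuple[object, str, str]   # (port or 'gre', action, reason)


def audit(forwarded: Iterable[int], services: Iterable[str]) -> Tuple[List[int], List[Finding]]:
    """Return (ports that are justified, findings).  Each finding says what to
    do with a port and why; an empty findings list means the rule set is minimal."""
    forwarded, services = set(forwarded), set(services)
    unknown = services - SERVICE_PORTS.keys()
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    needed: Set[int] = set().union(*(SERVICE_PORTS[s] for s in services))
    findings: List[Finding] = []
    for port in sorted(forwarded):
        if port in NEVER_INBOUND:
            findings.append((port, "NEVER", "file/print or RPC port; never publish to the Internet"))
        elif port in DISCOURAGED:
            findings.append((port, "close", DISCOURAGED[port]))
        elif port not in needed:
            findings.append((port, "close", "no requested service needs it"))
    for port in sorted(needed - forwarded):
        findings.append((port, "open", "required by a requested service but not forwarded"))
    if "pptp_vpn" in services:
        findings.append(("gre", "open", "PPTP needs IP protocol 47 (GRE) passed through as well; "
                                        "a TCP rule for 1723 alone will not connect"))
    return sorted(forwarded & needed), findings


if __name__ == "__main__":
    mailbag = [21, 25, 80, 139, 443, 444, 445, 1723, 3389, 4125]
    keep, findings = audit(mailbag, ["smtp", "rww"])
    print("keep:", keep)
    for f in findings:
        print(*f)
```

Run against the mailbag list with only SMTP and Remote Web Workplace in use, it keeps 25, 443 and 4125 and flags everything else, with 139 and 445 marked NEVER rather than merely "close".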

When things screw up...reinstalling is not the answer

Today I had an issue with a SQL application...one that I was banging my head on for hours.  And I called in support in the form of a very talented MVP who fixed me up in less than 2 minutes.  2 minutes.

Today in the newsgroup I see, once again, folks that get into a bit of a bind and then think that the way to get them back in business is to do a clean install of the server.

Folks ... a server is not a workstation that you blindly flatten and start over again.  Those workstations hanging off of that server will totally freak that you've changed the 'glue' they once used to stick themselves in the network. 

If you get stuck or in a bind.. don't flatten, don't bang your head, don't reinstall... CALL.  It's worth every penny to call Product Support Services to get their help.

Don't forget...call when you get stuck.

NEWSFLASH: Elvis spotted near the Gulf Coast of Florida

Well the headline got your attention didn't it?  
Okay so it's not Elvis ...
but rather Jeff Middleton's SwingMigration Tour that is on the road again.
You near the Gulf Coast June 23 ?

Jeff Middleton SBS-MVP is presenting on Swing Migration to the Gulf Coast
SMB Partners Group. It's a new group in the area, and they are looking to
invite anyone interested to join with the group.  Come support a local
community and meet some folks from the worldwide community!

To Register:
http://www.clicktoattend.com/?id=103062

Jeff will be providing a presentation on how to migrate SBS or Windows
domains with the extremely popular approach of Swing Migration:

o        This unique technical solution can redefine your SMB business and
server support model, even put an end to the "business shutdown" or "the
long-weekend server upgrade" approach to Windows Server and SBS upgrades.
o        Directly shifting any Windows domain from NT4/SBS 4.x through
Win200x over to SBS/Windows 200x becomes possible, even BackOffice 2000 to
SBS 2003 while maintaining the original Active Directory. Swing Migration
delivers a clean installed Windows OS platform, (with or without hardware
replacement), retains the same server-name, same domain. Keep the same
Exchange Information Store if you like.
o        No user profile impact, ADMT is not required, no SID changes, no
UNC namespace break, just a transparent server upgrade that includes the
confidence of not impacting the workstations. This documented process keeps
a customer's domain in production, allows a full server replacement for
complicated Exchange based organizations on a single domain controller such
as SBS operating as a file server as well. Your technician can work offsite,
offline, open-timeline and with nothing to undo if unexpected issues arise.


In addition, Jeff is providing as a door prize a donated item worth $2500.

That ought to keep folks guessing!

I HATE SQL SERVER!

Okay so maybe hate is a harsh word, but how about severely dislike instead?  We moved over the blogs to a more private SQL server and in the process had to reattach some things.  My SQL server knowledge is about a -5 on a scale of 1 to 10 so if you were wondering why the blogs were offline so long it's because I had no clue in how to fix it and Google wasn't the most informative tool for someone who has no clue of the right question to ask.  Thanks to fellow MVP Brian Desmond who got things fixed up in less than 2 minutes [a severely humbling experience I might add]. 

It's been a long time since I felt in that 'helpless I have no clue' state.  Right now that's the problem I have with both SQL server and Sharepoint.  They are a bit outside my comfort level.  I use Sharepoint but I don't feel like I know it.  Of course there are times that I'm not sure I truly know Exchange either, but at least enough to set up smarthost entries and what not.

Okay, any SQL gurus out there?  So what SQL books would you steer a SQL newbie to?  It seems like SQL is the future [or something like it] for data file storage and I don't feel comfortable with it at all right now.

Do you trust your software?

You heard me... do you trust your software?  The very software that is supposed to protect you....how secure is it?  We've seen firewall software get targeted, antivirus software need fixing for security issues; honestly, how well do we know that the very software we buy to protect us is secure in and of itself?

I got pointed to a Business Week article that also reminded me of a Churchill Club mp3 that talked about how virus writers are now sensing whether they are in a virtual machine or a physical machine and thus will react to the environment differently.  Thus you investigate using a virtual sandbox, but in the real physical machine world, it's a totally different beast.

Steve Riley may say that the Admins of the world are getting it.... but are the bad guys getting it a little too much too?

I'll keep plugging along...and you keep being paranoid and we'll both keep an eye on the blogs out here shall we?

TechNet blogs and FSecure are two of my fav's.

 

Web pages a little...well sluggish?

I was asked about a new SBS install where the web pages seemed a bit ...well, sluggish...and here are some of the thoughts I'd have for troubleshooting.

  • How's your DNS -- it seems like DNS is a bit confusing to folks, but in general what we do in SBSland is: the workstations look to the server, the server looks to itself, and then, when the Connect to Internet wizard is run, then and only then do you worry about “DNS“ settings from your ISP [the wizard puts them in as forwarders on the server's DNS, not on any NIC].  This is totally different from a peer-to-peer or workgroup setting where you put the ISP's DNS entries all over the place.  On the NIC of my workstation, the primary DNS is picked up from the server automagically with DHCP [which we prefer on the SBS box and not on the router] and is the internal IP address of the server.  Then on the server, the primary DNS entry is, again, the internal IP address of the server.  This is why we'll ask you to post the ipconfig /all many times in the newsgroup...we're checking that setting.  Check here for an example of how the network should be set up.
  • How's your NIC drivers.  Many times speed issues can be caused by older NIC drivers.  Go out to the manufacturer's web site and find the newer driver.
  • Last but not least ...check those EDNS settings.  Windows 2003 DNS sends EDNS0 probes, and some firewalls and routers drop the larger-than-512-byte UDP replies those produce, so lookups for some names just fail; you can turn the probes off on the server with dnscmd /Config /EnableEDnsProbes 0.

I make a joke of this...but as always in computers... it will be the last thing you try.
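Since the first check is "post your ipconfig /all", here is an added Python example (not from the original post) that does that check on the pasted output: every adapter's DNS server list must be exactly the SBS server's internal address and, where DHCP is on, the lease must come from the server too. The two ipconfig dumps are constructed, and the 192.168.16.x addresses and the names parse_ipconfig and check_dns are my assumptions.

```python
"""Check a pasted `ipconfig /all` against the SBSland rule: workstation DNS
points only at the SBS server, and DHCP comes from the server, not the router.
Added example, not from the original post; sample output and addresses are
constructed."""
import re
from typing import Dict, List

SERVER_IP = "192.168.16.2"      # assumed internal address of the SBS box

GOOD_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . : smallbiz.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : smallbiz.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.1
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

# Same box after someone turned on the router's DHCP and put the ISP's DNS on it
BAD_IPCONFIG = GOOD_IPCONFIG.replace(
    "DHCP Server . . . . . . . . . . . : 192.168.16.2",
    "DHCP Server . . . . . . . . . . . : 192.168.16.1").replace(
    "DNS Servers . . . . . . . . . . . : 192.168.16.2",
    "DNS Servers . . . . . . . . . . . : 192.168.16.1\n"
    "                                    203.0.113.53")

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {field: [values]}}.  Multi-valued fields such as
    'DNS Servers' continue on indented lines holding only an address."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace() and line.endswith(":"):      # adapter header
            current = line[:-1].strip()
            adapters[current] = {}
            last_key = None
        elif current is None:
            continue                                          # global header block
        elif ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[ .]+$", "", key.strip())
            adapters[current][key] = IP_RE.findall(value) or [value.strip()]
            last_key = key
        elif last_key and IP_RE.fullmatch(line.strip()):
            adapters[current][last_key].append(line.strip())
    return adapters


def check_dns(text: str, server_ip: str = SERVER_IP) -> List[str]:
    """Return one finding per adapter setting that breaks the rule; empty is good."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        dns = fields.get("DNS Servers", [])
        if dns != [server_ip]:
            findings.append(f"{name}: DNS Servers {dns} should be exactly [{server_ip}]")
        if fields.get("Dhcp Enabled") == ["Yes"] and fields.get("DHCP Server") != [server_ip]:
            findings.append(f"{name}: DHCP lease from {fields.get('DHCP Server')}, "
                            f"expected the SBS server {server_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_dns(BAD_IPCONFIG):
        print(finding)
```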

 

Dell OEM SBS and SP1

Two things I'm still trying to track down answers for, but thought I'd post them up here in case you are seeing anything regarding the Dell OEM version.  If you are seeing this... drop me a note at sbradcpa - at - pacbell.net or put comments on this post.

Light [unconfirmed] reports are that WSUS is having issues on installing on Dell OEM versions of SBS 2003 due to the IWAM user account still showing the old server that Dell slipstream installed it from.... if you are seeing this...ping.

No information yet posted on the Dell SP1 site that is specific to SBS 2003 that I can see. While Open Manage version 4.4 is now out, Gavin reports that the regprep still isn't working, and Dell recommends that prior to Windows 2003 sp1 [and we install sp1 as part of our SBS 2003 sp1], so if I had a Dell OEM, I'd be calling Dell and getting the straight story or waiting until there is something official posted on the site.

Remember installing SP1 is not a race to see who is first...you want your customer to come out of the SP experience feeling like you did your homework and didn't treat them like a beta tester.

As soon as we hear better info [or if you hear it let me know] we'll post it.

Drugs, Gambling, Loans and other such scum of the earth

For everything that is good...there is bad...a yin and a yang.  I have this blog here and today I was noticing in the feedback section [back in the admin section that I see] a bunch of spam posts that are being stuck on old blog posts.  And it reminded me of the PubSub feed that I have to look for blog posts for Small Business Server.  There's one problem with that PubSub feed...it shows the 'underbelly' of our Internet culture.

For every good blog post I find about SBS, I'll find 10 more that are not blogs at all but advertising for something else.

Obviously these sites have to be working otherwise someone wouldn't be taking the time and energy to script/post them.  Many of them are the free blog sites.  But here's what I guess I have a problem with... what reasonable person would follow these links?  If they use questionable business tactics, do you think they would be a reputable business to deal with?

Software buying is the same way.  If the price of the software is soooooo good... it's too good.  It's probably not legal.  If it sounds too good to be true, it more often than not IS too good to be true.

We all pay the price for this stuff.  If some folks don't pay their fair share for software, the law abiding folks end up paying more. If people say 'oh don't worry... insurance will cover it”, we end up paying for it in higher insurance fees.  If someone says, “oh go ahead and just take the merchandise, the store makes tons of money”, we end up paying for it in higher prices for goods. 

We all end up paying for this in the long run.  Take 'free downloads' for example.  BitTorrent just went over to the dark side with the amount of malware they now have in their downloads.  So when your buddy says “oh go download it, it's for free” just remember what your Mom told you.....Nothing in life is for free and everything comes with a price... in this case Malware that you didn't want but that you clicked 'yes' to because you thought you were getting good stuff.

I think we need a lot more end user education...don't you?

How about rerunning that monitoring?

From the newsgroup tonight comes this post:

Getting this error after SP1,  how can I stop it from reporting this?  TIA

      Microsoft ISA Server Control 14079 6/17/2005 5:46 AM 5 *

            Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check the Windows event Viewer for related error messages.

And it hits me tonight...this is our lovely 14079 error that we saw during the beta, and Kevin found that if he redid his SBS monitoring wizard to 'rekick' the SBS Monitoring, he didn't see this event anymore.

Another one you might see are messages about “Allocated memory alerts”.   I swear I'm going to turn into a twitching emotional wreck dealing with allocated memory alerts on my box... I don't like them one bit and I have absolutely zero tolerance when I get one.  Got another one last night after I turned on caching in ISA, so I throttled the caching a bit.  Of course it would help if I didn't have the performance alerts being sent to email, to IM 'and' to cell phone via text messaging...so I only have myself to blame when they drive me crazy.

After you apply Service Pack 1, if you get an Allocated Memory alert and the error message is specifically about Store.exe, then make sure you rerun the SBS monitoring wizard, as this will 'kick' the store alert to be quiet.  Hmmm, wonder if we should just rerun that monitoring wizard for good measure after the application of SP1 just to be on the safe side?  It's pretty easy to run it and it appears to not only work on that 14079 issue but it definitely works on the Store.exe issue.

Something you might want to think about doing anyway.  The Connect to Internet wizard is automagically rerun.  Maybe we should run that monitoring wizard too just for good measure.

Rule of patching - don't panic

When you reboot your server and forgot that you have the USB based harddrive turned on and the server is set to 'boot from usb' .... word of advice...don't panic when after patching your server it sits there looking at you ...and at the usb harddrive....looking for a functional operating system.

Keep in mind that many of the newer servers can boot from USB...so any USB hard drive...USB thumb drive...USB... well, just USB anything may cause you to have a moment of life flashing in front of your eyes until you realize what you have done.

Turn off the harddrive or the boot from usb functionality, reboot your server, log back in, review the event logs that all is well.  

In general, a good sign of a good patch experience are

  • Services all starting up [no 'at least one service failed to start' notification is always a good sign]
  • Event viewer looking as normal as SBS can look [we normally trip on our toes a bit but this is normal]
  • Normal connectivity, email, etc.

So...don't forget...don't panic.

 

 

It's Friday Night and it's PATCH NIGHT!!

That's right boys and girls!  It's the Friday after Patch Tuesday and you know what that means?  It's Patch Night!

Let's see if we are ready to go....

  • We've tested the patches already on the home server and everything was fine.
  • We've rolled them out on a few machines here in the office just to make sure everything was okay
  • We've reviewed the 'traffic' from both the Patch Management listserve and the WSUS listserves for any issues [to sign up for either Patch listserve see the Patch Management.org page]
  • We've reviewed the Newsgroups for dead bodies [this is my nickname for when we come into the newsgroup and see a server/workstation having issues]
  • We know that any issue with a Security patch is a FREE CALL to Microsoft Product support
  • We have a good backup [several in fact]

Now since this is a heavy patch month, if we want to be really paranoid we can reboot the server before patching to ensure everything is fully functional [I rebooted it on Wednesday night because I was messin' around with installing, so I'm in good shape there, but if you are paranoid [who me?] you can reboot it before you patch].

Hey...with my Shavlik, I'm even patching for Adobe patches!....You do know about the security issues with Adobe don't you?

You should!  Remember that any software can [and quite possibly does] have security issues. 

We're moving the foundations a bit...bear with us

If you've been trying to email me via the contact form..sorry ...we're in the process of moving the blog over to a more semi-dedicated server and the web part is on the new site and the blog database is still kinda under the old SQL server location...so if you wanted to contact me directly the email addy is sbradcpa - at- pacbell.net

Hopefully the stuff will be all in place for phase 2...which is the upgrade to Community Blog from the current .Text [and I'm already looking for new skins for the CS blog]...yeah... leave it to me to be more concerned about the skin and decorating but...you know us gals...

So bear with me... we're not moving the domain name or anything...just expanding ...making it a bit more dependable [being on a shared SQL server meant if someone had a leaky app or was messin' with the server...the blogs went down too]

I did find one thing..finally found the place to change the master RSS feed name so the label of your RSS feed now says Microsoft MVP Community... About time I guess :-)

The "Customer" view of SBS

Over and over again when I talk to fellow SBS owners [you know, the ones that pay your bills to install SBS] they complain that they'd like to know better how to share calendars, how to use Sharepoint, how to better utilize what they have, and currently they cannot find any book that helps them with the 'customer' view of SBS.  Some of this info is actually inside the help files.

 

You know...the help files inside of software?  There's a really good one inside the Remote Web Workplace.  Have you shown your clients/customers of SBS where this help file is?  You haven't?

 

Open up RWW and it's the last icon at the bottom...open it up...poke around.... it might help you to help your clients/customers understand and use what they have a bit better.   In the meantime, ask your clients.... have you truly shown them, given them information on how they can really USE SBS?

 

Using e-mail

Microsoft® Windows® Small Business Server 2003 includes an e-mail system, which you can use to send e-mail both inside and outside of your company.

Your e-mail is stored on the server, which means that you do not have to be connected to the Internet to exchange e-mail with co-workers. Another benefit is that when sending e-mail to other people in your company, you can use their name as the e-mail address instead of the standard Internet e-mail address (someone@example.com).

Your mailbox

Your mailbox is a set of folders that stores your e-mail messages and other items, such as calendar information, contacts, and task lists. You can create personal folders (called PSTs) on your computer, which are similar to the folders stored on the server.

By default, your mailbox on the server can store up to 200 megabytes (MB) of data--large enough for several thousand e-mail messages. However, your mailbox also stores calendar information, task lists, and attachments to e-mail, which can quickly use up space. You receive a notice if your mailbox reaches 175 MB.

Accessing e-mail

You have two ways to read and send e-mail: using Microsoft Office Outlook® 2003 or a Web-based version of Outlook called Outlook Web Access. You can access your mailbox in the office, at home, or while traveling by opening Outlook Web Access in Microsoft Internet Explorer.

Computer viruses sent in e-mail

Computer viruses can be sent as attachments to e-mail messages. Usually these attachments come in the form of programs (.exe files) or scripts (.vbs or .js files).

Viruses typically do the following:

  • Replicate themselves. Viruses attempt to move from one computer to another. Some virus programs are written to send themselves to everyone in your address book or contact list.
  • Do some level of harm, from displaying annoying messages to erasing data on your hard disk.

Do not open e-mail attachments from persons you do not know. You should also be wary of opening attachments that you receive unexpectedly from people you do know, especially program or script attachments. Because viruses can sometimes send themselves in e-mail, you may receive an e-mail with a virus attached from a person who does not yet know that he or she has a computer virus.

E-mail size and attachments

E-mail attachments that are 2 to 10 MB or larger, such as lengthy documents, photographs, songs, movie clips, and picture files, can quickly use up disk space. If you receive large attachments, consider saving the attached file to your hard disk and deleting the e-mail message. You can also store the entire message in a Microsoft Outlook personal folder file on your hard disk.

  Important

Save attachments only from people you trust and only when these attachments are expected. If you receive an attachment from a person you do not know, or a message with a suspicious subject line, delete the message without opening the attachment.

If you are sending an e-mail message to someone who is not on your computer network, note that:

  • Many e-mail systems place restrictions on the size of incoming e-mail messages; sometimes they must be as small as 1 MB.
  • If your company connects to the Internet over a dial-up connection, large e-mail messages and attachments can take a long time to send.

The 'gator' that wasn't

So I kicked on reporting on ISA 2004 [for those on premium the new reports are really cool] but nearly had a heart attack when one of the Internet browser reports said one of my top browsers was “Gator”.  Gator?  That scum of the earth? Lower of the low?  How did that get in my network?

Well... you see... I kinda did it to myself.  You see, I called the folder where my RSS feeds load into... my Newsgator that sits inside my Outlook and every hour or so pulls in RSS feeds from blogs and web sites.... I called it... you guessed it... “Gator“.

Uh huh... I did it to myself.  It wasn't the spyware gator... but rather all my RSS feeds that sit inside my Outlook.  There are some days I am just a smidge more blonde than others....

One thing to keep in mind when you set up the logging:

Q. Why is the link in my daily e-mail report broken? The report location is correct, but the link does not work.
A.

This is a known limitation. To work around this issue and get the link working, publish the report to a path that does not contain spaces. The report name should not contain spaces either, because the folder name is determined by the report name.

 

"I don't need the whistles and bells"

At a client's today, and a consultant came in with a laptop.  A Windows 2000 laptop.  Reminded me of two recent blog posts...one by Mary Jo Foley about how Windows 2000 is still used on about 1/2 of the business desktops, and another by Dana on how 2000 was the greatest security failure.  In my own CPA geek listserves, I still have folks saying that they are running Windows 98 and I say to them, 98?  You know how I hate 98s... I have no event viewer to help you, no database of events, nothin'... and yet some in my gang say “they don't need all the whistles and bells”

Guess you don't need security?  Firewall? 

I like to listen to geek stuff on the drive and I was listening to Gartner's Talking Technology on CD-ROM, and an interesting topic was the future of IT Pros.  They made the point that you couldn't just be good at tech, but also communication, project management.  That it wasn't enough to have the training, you had to combine it with a broader base.  [Course I do have to disclose that I lost a great deal of respect for the presenter when she said that “you can send someone to get trained on Oracle or NT”....and I thought to myself... gawd I HOPE you aren't sending someone to get trained in NT at this point in time when the operating system isn't supported anymore, it actually lowers the security in your network, I hope you aren't ensuring that folks in your firm get BETTER at installing it]

Do you understand how much easier it is that I only patch one kind of server operating system and one kind of workstation?  I only patch one kind of Office suite?  I only have to watch issues with the latest operating systems?  That I know that Microsoft can be counted on to ensure that their security patches work fine on their flagship products and thus while I've already done the test roll out at home, I can roll them out, especially the Internet Explorer patch to the desktops pretty quickly.

Sorry but I want the whistles and bells.  I want the integration with Office and Sharepoint...the security....the firewall that turns my workstations into part of the security fabric of my network [which reminds me I need to do a follow up post on my 'gator' issue which wasn't really gator at all]

I need whistles and bells. Especially security ones.

P.S.  Remember the view of where this post is coming from...the owner of the business who saves time not having to patch and defend umpteen operating systems and applications.  I am the business owner here who realized the value in making 'my' life easier.  Your customer needs to see the light as well.  It's actually costing him or her money in keeping around old platforms that are harder to fix, protect and defend.

BCM now using a MSDE database to share info and integration with Small Business Accounting

Business Contact Manager Update for Outlook 2003

Business Contact Manager Update for Microsoft Office Outlook 2003 provides the latest updates to Outlook 2003 with Business Contact Manager. It is available only to licensed users of Microsoft Office Small Business Edition 2003 and Microsoft Office Professional Edition 2003.

Outlook 2003 with Business Contact Manager Update includes the following new and improved functionality:

  • Share your customer information and sales opportunities
  • Synchronize customer information with your Microsoft Windows Mobile-based Pocket PC (available as a separate download for select languages)
  • Use with Microsoft Windows Small Business Server 2003, Microsoft Exchange Server 2003, and hosted Exchange Server 2003
  • Integration with Microsoft Office Small Business Accounting 2006*

More details on Fred Pullen's blog!!

Catch Anne Stanton's webcast on CRM!

Register HERE


Event Name: 
Wednesdays on the Web with TS2: Conversation with a Partner
Event Date: 
6/15/2005
Event Time: 
2:00 PM Pacific
Duration: 
60 minutes
Description: 

In this web seminar we will discuss the management perspective to CRM.


Oh MY GAWD, they can download anything to "insert usb device here"

You know when paranoia starts coming into SBSland that it's becoming mainstream.  A few days ago in the newsgroup someone asked how to block USB devices so that people wouldn't download massive amounts of data.

While you can set policies to deny the use of USB devices [how to disable the use of USB storage devices, how to make them read only, and other third party solutions], the reality is there are many, many ways that folks can get data out of your network that you need to be worried about.

Show me a small firm and we probably have lousy internal controls on just about anything.  We probably don't permission and ACL our directories worth a darn to start with, but just brainstorm a bit to see if we can think of how to get data out of a firm in addition to using USB drives.

  • You can email it.  [Attachments you know]
  • You can upload it to a ftp or web site.
  • You can put it on an IPod
  • You can xerox it
  • You can use your camera phone and take picture of it
  • You can burn it to cdrom
  • You can put it on a memory stick from a camera
  • You can stick it in your boots and walk out the door with it

Bottom line... if you HAVEN'T been thinking about ways that people can easily take data from your firm.... you aren't thinking hard enough.

There are watches, writing pens and other instruments that hold usb thumb drives.  Heck there's even a thumb drive on a Swiss army knife these days.

Remember to ensure that you have the right to inspect employees in your security policy.

So just think about your data will you?  There are more ways than you think to remove it from your firm.
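Since the post leans on the two registry policies for USB storage (disabling the driver, or leaving it on but read only), here is an added example of checking and setting both on a single box. This is not code from the original post; it assumes an elevated PowerShell prompt on the workstation, and the registry paths are the documented ones from the KB articles linked above.

```powershell
# Added example, not from the original post. Run elevated on the workstation.
# USBSTOR\Start = 4 stops the USB mass-storage driver from loading (KB 823732);
# 3 is the default. The KB also has you deny permissions on usbstor.inf/.pnf for
# machines where no USB drive has ever been plugged in; that part is not done here.
# StorageDevicePolicies\WriteProtect = 1 makes removable storage read only (XP SP2 and later).

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePolicy {
    # Report the current state of both settings as one object
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $writeProtect = 0
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
        if ($p) { $writeProtect = $p.WriteProtect }
    }
    [pscustomobject]@{
        UsbStorageDriver = if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
        ReadOnly         = ($writeProtect -eq 1)
    }
}

function Set-UsbStoragePolicy {
    param(
        [ValidateSet('Enabled', 'Disabled')] [string]$Driver,
        [bool]$ReadOnly
    )
    # Driver off: Start = 4; driver on: Start = 3 (the default)
    $startValue = if ($Driver -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $startValue -Type DWord

    # The StorageDevicePolicies key does not exist until someone creates it
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Value ([int]$ReadOnly) -Type DWord

    Get-UsbStoragePolicy
}

# Show what the box is set to now, then leave the driver on but make drives read only
Get-UsbStoragePolicy
Set-UsbStoragePolicy -Driver Enabled -ReadOnly $true
```

A drive that is already mounted keeps its current state until it is reinserted, so re-check with Get-UsbStoragePolicy after a reboot when rolling this out.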

Missed the webcast on SBS 2003 sp1?

All is not lost, remember all Microsoft TS2, MSDN, TechNet webcasts are recorded for later viewing:

Special Friday edition of the TS2 “Wednesdays on the Web“ - The Ins and Outs of SBS Service Pack 1 can be found at this link

Patches today

June 14, 2005
Today Microsoft released the following Security Bulletin(s).

Note:
www.microsoft.com/technet/security and www.microsoft.com/security
are authoritative in all matters concerning Microsoft Security
Bulletins! ANY e-mail, web board or newsgroup posting (including this
one) should be verified by visiting these sites for official
information. Microsoft never sends security or other updates as
attachments. These updates must be downloaded from the microsoft.com
download center or Windows Update. See the individual bulletins for
details.

Because some malicious messages attempt to masquerade as official
Microsoft security notices, it is recommended that you physically type
the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx

Critical Bulletins:

Cumulative Security Update for Internet Explorer (883939)
http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx 

Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx 

Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx

Important Bulletins:

Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx

Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx

Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx

Moderate Bulletins:

Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx 

Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx

Cumulative Security Update for ISA Server 2000 (899753)
http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx 

Re-Released Bulletins:

SQL Server Installation Process May Leave Passwords on System (Q263968)
http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx 

ASP.NET Path Validation Vulnerability (887219)
http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx  

Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066):
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx?pf=true

This represents our regularly scheduled monthly bulletin release (second
Tuesday of each month). Please note that Microsoft may release bulletins
outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation
after reading the above listed bulletin you should contact Product
Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.

[whoops had 05-029 and the rerelease was 05-019]

It's not only Patch Tuesday... but CHAT TUESDAY with Handy Andy!

Not only is it Patch Tuesday, but it's Chat Tuesday as well!  Andy will be hosting his live SBS chat fest!
CHAT: SBS Live! Tuesday, June 14, 7 p.m. Eastern 

Got Small Business Server and want to get help administering it 
or help others to get the most out of it? Share you SBS stories 
with others this Tuesday, June 14 at 7 pm; Microsoft MVP and SBS 
expert Andy Goodman will be there as master of ceremonies: 

http://mcpmag.com/chats/ 

To join, to learn how to join a chat, to read the rules of conduct, 
or to obtain a transcript of a past chat, go to 
http://MCPmag.com/chats. If you're using a chat program, such as 
Microsoft Chat 2.0 or mIRC, you can join by going to the 
#MCPmag.com room on the chat.mcpmag.com server. 

Odds and ends with ISA server 2004 on SBS

Having any odd issues with accessing SSL sites with ISA 2004?

If you are... try this....

Open up the ISA Server management console 
Click on Configuration
Then on General
Then on Define Connection Limits
Then on Connection Limit
Then on Limit the number of connection 
Then on Connection limit per client (TCP and non-TCP)

And try changing that number there.  Try 100, or even the 160 that I seemingly ended up with because my ISA install kinda barfed because Trend kept IISAdmin stuck on [this is why the premium install steps recommend disabling antivirus].  I sort of lost my customized rule sets in the process, but I guess gained a bit more in connection limits per client.

Next... if you have a member server/TS server running Outlook 2003..keep reading..

If you have a member server running Terminal Services and Outlook 2003, don't forget that you need to install this fix [KB 897716] ON your SBS 2003 box to allow the Outlook on the TS box to pick up email.  If you don't... you won't get any spam mail... but those Outlook clients on that TS box won't get their email either.

ISA 2004 sucking up a bit too much memory in SBS 2003?

Mariette just completed a how-to article on how to limit the amount of RAM the MSDE instances use on your SBS 2003. I've done this on my office machine [along with throttling the SBSMonitoring instance] and it's running just fine.  Just remember if, upon investigation, the MSDE that is taking the memory is Sharepoint, don't stomp on the instance but monitor it and call support to help you set up performance monitoring.

How to limit the amount of Ram ISA logging takes:
http://www.smallbizserver.net/Default.aspx?tabid=247

The All open rule with ISA 2004

Back on ISA 2000, we had a “all/all/all” rule that we'd throw open when we'd get stuck  [please keep in mind this is for diagnostics only]

But just in case..here's the 2004 version of all/all/all [from the Dr. Tom book, Configuring ISA Server 2004, page 516-517]

  • In the ISA 2004 management console, expand the server name, click “Firewall Policy”.
  • In the “Firewall Policy” node, click the Tasks tab in the Task pane, and on that Task pane click “Create a New Access Rule”.
  • On the “Welcome to the New Access Rule Wizard” page, enter “All Open” in the “Access Rule name” text box.  Click Next.
  • On the “Rule Action” page, select “Allow”, and click Next.
  • On the “Protocols” page, select “All outbound traffic” from the “This rule applies to” list and click “Next”.
  • Click “Next” on the “Protocols” page.
  • On the “Access Rule Sources” page, click “Add”.
  • In the “Add Network Entities” dialog box, click the Networks folder.  Double click “Internal”, and click “Close”.
  • Click “Next” on the “Access Rule Sources” page.
  • On the “Access Rule Destinations” page, click “Add”.
  • In the “Add Network Entities” dialog box, click the “Networks” folder, double click “External”, and click “Close”.
  • Click “Next” on the “Access Rule Destinations” page.
  • On the “User Sets” page, accept the default entry, “All Users”, and click “Next”.
  • On the “Completing the New Access Rule Wizard” page, review the settings and click “Finish”.

Get the idea you should just buy the book?

Once you build this rule you can enable it 'to throw open outbound' or disable it to ensure you are being a good internet citizen and doing outbound filtering.

Having trouble getting your mobile 'thing' talking to your server 'thing'?

Before I forget it, I'm stealing some comments from Amy [ISA/SBS blog you know] about getting mobile devices to connect:

Sean's post on the subject

Javier's post

and the Documentation on Mobility

Just remember you may have to disable the certs to get them to connect but read that documentation and blog stuff first... it might help.


What's your Tape Drive.... uh I mean hard drive.... rotation schedule?

I just started using hard drives as backup media and while I still plan on getting my Quad Sony fixed, let me just say that I'm not having to rush to get it fixed.

Reminds me that someone was asking what kind of rotation schedule I was planning and Chad was chatting about how they spec out 3 USB hard drives with 3 times the capacity of the server they are backing up.  This allows them to keep about 5 days of backups on one hard drive [as things will compress about 1.5 times] or about three weeks of data rotating on and off the system.  They normally keep the quarter end or year end via some other means [burn to DVD or other backup....which is what I think my Sony Quad will turn into...the spare old archive method], and when the files and Exchange grow enough they change the backups to 4 per week and get another drive to put in the rotation.

To be exact I'm getting 1.42 compression on the operating system drive, 1.73 compression on the Exchange, 1.78 compression on the member server data.  Keep that in mind when planning your backup strategy.  It needs to ensure that the drive rotation is just good enough to be the right amount when you need to restore data.

P.S.  Remember what I said.... you do the rotation that fits you.. for me I'm taking it off-site...but certainly I'm not running into the office and taking the backups that run Friday, Saturday and Sunday night offsite, so I have to plan for three to be on that hard drive.

Right now I took home Thursday nights which was the first backup on the new system. 

As I said, set the number of drives and size according to what you want to rotate around.  I can use the same Ultrabac software to do both backup to tape and to drive [well when the stupid thing works...remember I just started backing up to drive because my tape drive failed and I need to get it fixed and need to send off the unit].  Given the choice between no tape backup and a hard drive backup.. I think you see why I did this.

Where are the other ones when not in use?  In a locked safe in the office behind the locked door of the server room.   Along with all my tapes and magazines that are suddenly useless to me because my tape drive is unusable right now.  The concern over the physical security of those drives is no different than the physical security of my tapes in those tape drive magazines.

How do you verify an archive backup?  No different than a live one... restore a file.  99.999% of the time we do not need even quarter-old data...but it's there...just in case.  Have I ever gone back to restore from a year old, or quarter old tape?  Nope.  Never needed to.  Do I test it so at least it reads the header off of it... used to...can't right now....remember my tape drive doesn't work right now...and getting a bunch of hard drives is a heck of a lot cheaper than a new Quad Sony, that's for sure.


Where should WSUS be installed?

From the newsgroup comes the question “Where should WSUS, the patch tool be installed?”

And it's perfectly fine and supported “on” the SBS 2003 server.  While it “can” be on a member server, it can't be on the desktop like my Shavlik HFNetChkPro is.  [By the way ... I've lost my argument against Firefox on my desktops because Shavlik DOES now patch for Firefox], and I will still argue that Shavlik hands down is soooooooo much easier to set up, the fact is, bottom line, GET SOMETHING TO PATCH YOUR NETWORK WITH.

Yesterday I went to a friend's house and I put them on Microsoft Update and patched their unpatched Office XP.  Next Tuesday, not only will they get Windows patches, but any Office ones as well.

For us SBS boxes, even if you don't WSUS in your firm AT LEAST send your folks this link:  http://update.microsoft.com/microsoftupdate and have them do the opt in process.  Do it on your SBS servers.  At this time it will NOT download SBS 2003 sp1 [and especially not for premium folks as you need the cdroms], but at least it will be giving you more patches for that SBS box than we've had before.

At TechEd in Orlando, someone posted in the list of top ten ways to get your network in trouble, as presented by Dr. Jesper Johansson and Steve Riley that's in the back of their new book.  I'm stealing the list too:

1.  Don't patch anything.
2.  Run unhardened applications
3.  Use one admin account, everywhere (you should be using different admin accounts for every machine)
4.  Open lots of holes in your firewall
5.  Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Re-use your passwords
9. Use high-level service accounts in multiple places
10. Assume everything is OK 
 
See that number 1?  That's what WSUS and Microsoft Update are all about.
 
The biggest issue with adding WSUS to SBS is setting the group policy to http://servername:8530
 
So?
 
You ready for Tuesday?
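Because the group policy pointing clients at http://servername:8530 is the usual thing that goes wrong, here is an added check that reads the WSUS client policy a workstation actually received. This is not code from the original post; 'sbsserver' is an assumed server name, and the registry values are the standard Windows Update client policy settings that the group policy writes.

```powershell
# Added example, not from the original post. Run on a workstation after gpupdate.
# The WSUS group policy lands in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:
#   WUServer / WUStatusServer  - the WSUS URL, e.g. http://sbsserver:8530
#   AU\UseWUServer = 1         - tells Automatic Updates to use it instead of Windows Update

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

function Test-WsusClientPolicy {
    param([string]$ExpectedUrl = 'http://sbsserver:8530')   # assumed server name

    $problems = @()

    if (-not (Test-Path $WuPolicy)) {
        # No policy key at all means the GPO never applied to this machine
        return [pscustomobject]@{ Ok = $false; Problems = @('No WindowsUpdate policy key; group policy has not applied') }
    }

    $wu = Get-ItemProperty -Path $WuPolicy
    $au = if (Test-Path $AuPolicy) { Get-ItemProperty -Path $AuPolicy } else { $null }

    # Both URL values must be present and match, including the :8530 port
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) {
            $problems += "$name is not set"
        }
        elseif ($value.TrimEnd('/') -ne $ExpectedUrl.TrimEnd('/')) {
            $problems += "$name is '$value', expected '$ExpectedUrl'"
        }
    }

    # Without UseWUServer = 1 the client quietly keeps going to Windows Update
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'AU\UseWUServer is not 1, so the client still talks to Windows Update'
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-WsusClientPolicy -ExpectedUrl 'http://sbsserver:8530'
if ($result.Ok) { 'WSUS client policy looks right' } else { $result.Problems }
```

If the check passes but the machine still does not show up in the WSUS console, run `wuauclt /detectnow` on it and give the console a while to catch up.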
 
 

Law # 6 -- What can a domain administrator do?

This question came up in the newsgroup from an owner who was concerned that if the computers were left on at night someone could 'break into them' if they knew the administrator passwords and do nasty stuff.... and well... while the probability of some blue haired hacker wanting to break into a SBS box might be a bit lower than 100%, the reality is that knowing the Administrator password... the DOMAIN administrator password... means you have quite a lot of power.

So what can you do with the domain administrator password on a system?

Well for one you can reset all the passwords for all the users so no one can get in.

You can delete folders, files, logs, ..... just about anything...and what a coincidence... we are now up to Law number 6 in the 10 laws of security...how fortunate that it just happens to fit today's post topic:

Law #6: A computer is only as secure as the administrator is trustworthy

Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the computer. This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the computer, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don't give anyone administrative privileges on your network unless they've been vetted – and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who's been in the server room. (You do have a server room with a locked door, right? If not, re-read Law #3). Implement a "two person" rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don't use the Administrator account—instead, give each administrator a separate account with administrative privileges, so you can tell who's doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A's audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

That's right boys and girls... if you can't trust your Domain Administrator...bottom line you are screwed.  The Domain admin is the most powerful being on your network and especially so in SBSland where, like most small businesses, we don't separate out accounting and bookkeeping duties well either.  There are few checks and balances to ensure that duties are separated and reviewed.  Thus it is vitally important that the password for that Domain Administrator account be treated like it's on a 'need to know basis'.

It does not need to be on a post it note under the keyboard, or stuck to the monitor.

It can be written down, it should be complex, it should be longer than 8 characters...but remember... if you have multiple people knowing this account, you've lost accountability to know who did what when.

Just remember the Domain admin is the most powerful person in your network.  Be sure you trust that person.

So where will YOU be July 14th - 16th?

The SMB Technology Network® has opened registration for its Summer Conference 2005 to be held July 14-16, 2005 at Embassy Suites in Buena Park, CA. The goal of the event is to expose attendees to knowledge, products, and services that can either make them money or reduce their costs on Monday morning.

To register, go to http://www.clicktoattend.com/?id=103185.
We have a number of terrific speakers lined up, including

    • Harry Brelsford, noted author on SBS and SMB Consulting, presenting his 4-hour workshop on "Building the SMB Franchise" (a $99 value).
    • Susan Bradley, SBS-MVP
    • Chad Gross, SBS-MVP

We will also have a number of sponsors presenting and exhibiting, including:

    • Veritas
    • SonicWALL
    • Level Platforms
    • AutoTask
    • more to come...

ACCOMMODATIONS
The Embassy Suites in Buena Park is located within walking distance of Knott's Berry Farm, Movieland Wax Museum, and Medieval Times. Disneyland is just a 15 minute drive. The hotel provides complimentary shuttle service to both Knotts Berry Farm and Disneyland. Embassy Suites is offering us their spacious, two room suites on a first-come, first-serve basis at a price of $129 per night. There are also many other hotels in the area, if you prefer to stay elsewhere. For reservations, call 1-800-EMBASSY and ask for the "SMB Tech" rate.

REGISTER TODAY!
The cost for this three-day event which includes admission to all events, including Harry Brelsford's 4-hour "Building the SMB Franchise" workshop on Thursday evening (valued at $99), presentations by Susan Bradley, Chad Gross and a host of SMB vendors, admission to the exhibitor area, complimentary breakfast and lunch on July 15th, as well as, breakfast on July 16th, is $179 for SMBTN members and $199 for non-members.

Members         $179
Non-members     $199

To register, go to
http://www.clicktoattend.com/?id=103185.
You will be billed by PayPal within 48 hours of registration.
Regards,

Jim Locke
SMB Technology Network®


Truly consider this the 'warm up' for SMB nation.  We'll be presenting on several topics that will be later expanded at SMBnation in the fall.

You know you are a geek when....

You reach in your purse to show off your 1 gig usb thumb drive and compare it to the CompUSA salesman's drive [his was smaller but still a gig]

You tell him about the USB pen drive that is a Writing pen and he didn't know about it.

You can remember when 1 gig was a large harddrive in a brand new computer [and these days they have 400 gigs in CompUSA]

You remember when the operating system and Lotus 123 would fit on the same bootable floppy disk.

When you travel, you seemingly end up in cities that contain Frys electronic stores [what's up with that?]

You buy things at Frys Electronics stores and ship things back home when you buy too much.

You were extremely pleased when Instant Messenger raised the limit of IM buddies from a maximum of 150 because you were starting to have to look at folks and wonder if they were IM address worthy.

Your Amazon.com book purchasing list is populated with [as Brian put it] books by Security Freaks.

You just went to a clients today, and while there when they got DSL installed, you immediately jumped them over to Microsoft Update and explained how the little icon would show up next Tuesday.

You strike up conversations with fellow plane passengers about “Patch Tuesday”.

You don't listen to music on your MVP MP3 player, but rather Security presentations.

Yeah... I think I got it pretty bad....

Proud owner of several Porsches

I HATE TAPE DRIVES.

Now that I have that out of my system.... let me tell you why I hate them.

For one my Sony Quad tape drive decided to stop working over the last couple of days and the more days that went by that I was only able to backup to a physical hard drive on my network and not remove a copy of the data offsite [especially after the BBQ incident the other day] the more nervous Nellie I got.

You see for the last couple of days the tape drive would suck in the first tape in the quad but never fully load it up and get it ready to go.  I tried making sure the SCSI cable was tight, that the backup software was updated [it's ultrabac], that the scsi card software had the latest driver.  And then the annoying part of the Ultrabac is that it doesn't use a signed driver for the Ultrabac quad loader and can't use the Sony digitally signed driver ...and well.... I'd finally just HAD it with tape drives.

I'm still going to send it in to get it fixed as I think it's the heads or alignment or something, but during lunchtime I stopped by CompUSA [we don't have a Frys here] and bought a bunch of large LACIE hard drives.  At first I was not going to hang the USB2 off my domain controller and bought a USB2 card for the member server where my Terminal Server and Live Communication Server is loaded, but every time I went to install the USB2 card, the video on the member server wouldn't work.  I don't know about you, but while a headless server is okay, it's not my favorite way to start out a server install.  Now with the video being on board, and no switches on the USB2 card, it was a sign to try the LACIE on the server.

So with much trepidation, I plugged it in the back of my SBS 2003, crawling on my hands and knees with a flashlight to find the USB slots, getting my formerly dark outfit that I am wearing progressively grey with dust bunnies in the process.  I found the USB slot, shoved it in, closed my eyes, crossed my fingers and crawled back out to see what it was doing on the server.

It found the drive.  It gave it the letter G.

Sigh of relief.

So off we go to backup the server.

I think I might get used to this.  For one I can literally browse to that G: drive and see the ultrabac backup files there on the drive... tape drives you have to run the header report.  For two it's faster.  For three... well for three it was a heck of a lot cheaper to buy a bunch of LACIE drives than to buy a new tape backup unit that's for sure.

Apparently I'm now being backed up by a Porsche

P.S.  backup finished in 2 hours exactly... I think I might like this....

Who has your keys?

Yesterday we got new keys for the front door at the office.  And keys are like passwords, aren't they?  If you don't know who you've given the keys out to, you have no idea who has access.  The same is true for computers and routers and firewalls and ..well whatever.  If your software vendor must have an administrator account to work on your system, he's got the keys to your kingdom.

If you can't remember the password to your firewall, the kind people at Phenoelit have provided a database of the default passwords of many hardware devices.  You may get lucky and your router still has the same password.  [You get the idea that you should quickly change the default password of your device if it IS on this list, don't you?]

For computers and other devices, remember the rule of physical security.  If we have access to it, we can reset it.

And while you can and should write down passwords to ensure you pick better, stronger ones.....just don't put them on a whiteboard in a room and then take a picture of them... probably not too good of an idea.....

Hmmm.... I don't think that's a BBQ....

So I'm driving home last night with the sunroof open and start smelling a really strong barbeque like smell.  Geeze... whatever they are BBQing with is pungent wood? As I keep on driving I notice that the BBQ smell isn't going away...in fact it's getting stronger...to the point where it's no longer a BBQ smell but more like a ...uh....oh...something has happened.

So I turn down a street to come home and realize that the left side of the street in front of me is filled with police and fire engines and the road is so smoky that we're all slowing down as it's almost a tule fog.  As I drive by the scene of the burning house [yes the occupants are just fine and got out safely as I heard on the news later that night], the thought flashes through my brain...what if that was MY house.  What would I grab first to save from the flames.  It was obvious that the house was going to be a total disaster as the house was totally engulfed in flames

Well first and foremost...after I'd grab my Sister and my Dog [and not necessarily in that order], what would you grab?

Computer?  Do you backup your home computers like you do your office? 

Do you have papers and documents that aren't in a lockbox but are still important in one spot?  Would you know who to call and what to do? Insurance policies? 

Family photos?  Nowadays many of our treasured irreplaceable family photos are on ...yup...hard drives.  Where's that backup?

The CALCPA did a Disaster recovery planning document a bit back as well as put together a page with Disaster Recovery resources.

Review this list of items to best prevent fires and think about what you'd grab at your house.  How prepared are you?  We probably all should be a smidge more paranoid ...and not just about computer security.

P.S.  Bill makes a fab point in the comments... I'm worried about things...meanwhile I'm putting my life at risk.  Get the Dog and Sister outta there.  Forget the rest.

WSUS the really big news - revisited

Remember how Fred gave us the heads up about the REALLY BIG news on WSUS?

Here's the scoop.... if you remote into your client's server and approve the patches there, you do not need a Service Partner Agreement SPLA in place which can be had with a Hoster application and a Registered partner status.  If you want to HOST the patch console at your location, you'll need this SPLA agreement.

Either way, I would STRONGLY advise that you have a Maintenance Provider service contract in place before you offer this service.  It's extremely important that you understand that when you perform the patching YOU are accepting the EULAs on behalf of your client.  You are their agent.  Thus I would strongly recommend that you ensure that this “managed service” that you provide on patching also includes the appropriate legalese.

I'm not sure I would recommend taking on the duties of patch testing either.  Remember that Microsoft has a patch testing process and historically speaking Microsoft products work just fine with Microsoft patches.  When we have issues it's with the third party stuff.  So providing a 'patch testing' service to your clients may be a lot harder than you think.  There are licensing issues to think about....can you properly, legally, license a copy of the software to run in your test lab... for example... I can't give anyone else a copy of some of my line of business applications, they have to stay here inside the firm.  Then I would argue that you as the consultant cannot test like my users test programs for interaction and issues.

Patch testing doesn't take as long for me anymore, but I still manage the testing process.  Sometimes I look out for certain patches because I've had issues with particular files being patched in the past.  Sometimes I find out about issues from www.patchmanagement.org.  The bottom line is that I feel if you want to offer a 'patch testing' service to your clients, just testing Office and Windows patch interaction in a virtual network is not, in my humble opinion, the smart way to test.  You are probably reinventing the wheel a bit there.  Test on out of life cycle products [or better yet...get RID of out of lifecycle products], but don't test on the 'flag ship' products, test the ones that are not the leading edge ones....or better yet...just make sure you have good backups/images and patch.  When you have a good backup... you can recover quite quickly should anything really bad happen..not that much does anyway these days.

The "Wow" Factor

Chatting with my fellow MVPs this week and there was a statement that just stuck out at me:

“Ever since I got my smartphone I find that having cool gadgets to show clients really pays by itself (the “wow” factor)“

Your small business clients are from the “show me” capital of the Universe.  Now first off a gadget like this is indeed a business purchase so it will be deductible in your business.  In us beancounter country we'd tell you it's capitalizable and you can take Section 179 depreciation expense on the item.

But like Javier said, it's more than just a business asset, it's the WOW factor.  It's the 'this just works'.  If you notice I don't blog much on Smart phones because I don't have one...but SeanDaniel.com does and there will be a TON of mobility features in Exchange 2003 sp2 [along with the answer to the 16 gig Exchange store as we go to 75 gigs]

I know that when I was up at Microsoft last week, I could NOT have had quite the successful meeting that I did without me having my WOW and Microsoft folks having their WOW.  My WOW is an Acer Travelmate C110 Tablet PC with a Cingular cellular PCMCIA card [which in fairness, I think Verizon may be faster, but it's still better than having NO internet access].  Their WOW was having...what else...smart phones.  So we were able to communicate and make last minute organizational plans/logistical changes and everything went like clockwork.

Furthermore, I think I single-handedly sold a couple of Tablet PCs to those in attendance.  I love my travel baby because I can be typing and the guy in front of me on the plane can lean back and I don't suddenly think that the laptop screen will be broken into a million pieces.

So what “WOW” have you shown your client lately?

Security Patches next week

As part of the monthly security bulletin release cycle, Microsoft
provides advance notification to our customers on the number of new
security updates being released, the products affected, the aggregate
maximum severity and information about detection tools relevant to the
update. This is intended to help our customers plan for the deployment
of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with
any non-security updates released on Microsoft Update, Windows Update,
Windows Server Update Services and Software Update Services on the same
day as the monthly security bulletins, we also provide:
 - Information about the release of updated versions of the Microsoft
Windows Malicious Software Removal Tool.
 - Information about the release of NON-SECURITY, High Priority updates
on Microsoft Update (MU), Windows Update (WU), Windows Server Update
Services (WSUS) and Software Update Services (SUS). Note that this
information will pertain ONLY to updates on Windows Update and only
about High Priority, non-security updates being released on the same day
as security updates. Information will NOT be provided about Non-security
updates released on other days.

On 14 June 2005 the Microsoft Security Response Center is planning to
release:

Security Updates

 - 7 Microsoft Security Bulletins affecting Microsoft Windows. The
greatest aggregate, maximum severity rating for these security updates
is Critical. Some of these updates will require a restart. 5 of these
updates will be detectable using the Microsoft Baseline Security
Analyzer (MBSA), 2 of these updates will be detectable using the
Enterprise Scanning Tool (EST).

 - 1 Microsoft Security Bulletin affecting Microsoft Windows and
Microsoft Services for UNIX. The greatest aggregate, maximum severity
rating for these security updates is Moderate. These updates may require
a restart. These updates will be detectable using the Microsoft Baseline
Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

 - 1 Microsoft Security Bulletin affecting Microsoft Exchange. The
greatest aggregate, maximum severity rating for this security update is
Important. This update will not require a restart. This update will be
detectable using the Microsoft Baseline Security Analyzer (MBSA) and
using the Enterprise Scanning Tool (EST).

 - 1 Microsoft Security Bulletin affecting Microsoft Internet Security
and Acceleration (ISA) Server and Small Business Server. The greatest
aggregate, maximum severity rating for these security updates is
Moderate. These updates may require a restart. This update will be
detectable using the Enterprise Scanning Tool (EST).

Microsoft Windows Malicious Software Removal Tool

 - Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services and the Download Center. 
Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

 - Microsoft will NOT release any NON-SECURITY High-Priority Updates for
Windows on Microsoft Update (MU), Windows Update (WU), Windows Server
Update Services (WSUS) and Software Update Services (SUS).

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released. 

Microsoft will host a webcast next week to address customer questions on
these bulletins. For more information on this webcast please see below:
 - TechNet Webcast: Information about Microsoft's June Security
Bulletins (Level 100)   
 - Wednesday, June 15, 2005 11:00 AM (GMT-08:00) Pacific Time (US &
Canada) 
At this time no additional information on these bulletins such as
details regarding severity or details regarding the vulnerability will
be made available until 14 June 2005.

Thank you,
Microsoft PSS Security Team

We interview Sam the SBS Server on getting ready for SBS 2003 sp1

Q.  Hi Sam, we haven't spoken in awhile.

A.  Yeah it's been a couple of months.

Q.  You look like you are in training, you are a bit sweaty?

A.  Yeah, I've been exercising and testing.  Working out getting ready for my Service pack.

Q.  Getting ready?

A.  Yeah, see when you do a Service pack like this you first start out by reading everything about it, preparing yourself, just getting ready.

Q.  So how do you get ready?

A.  Well first off, I ordered the cdroms rather than downloading the patches.

Q.  Why did you order them?

A.  I think it's just way easier.  For one a bunch of friends of mine put out a step by step how to that is based on the cdroms, and then it's just a big download.  The cdroms come really really fast and then I have them for my permanent collection.  I have a cool cdrom collection of my base installation and now I have the Service pack cdroms.  And then I make sure that I not only read the documentation and instructions on the cdrom but I ALWAYS make sure I click on the hyperlink inside the cdroms to ensure I'm reading the very latest documentation, in fact a new version hit the download site today.  So always make sure you click on that permanent link inside the instruction pages on the cdrom to ensure you are reading the latest instructions.

Q.  Wait.. Sam?

A.  Yes?

Q.  You READ instructions?

A.  Well...yes... you really want to make sure you understand and prepare yourself for this service pack.  Like for example... I know that because I'm a pretty normal SBSer I'll have very few issues in installing this service pack.  Some of my fellow SBSers ...well let's just say they've done a bit unusual things and for those folks, we've put together all the weird 'gotchas' so you'll be able to check and make sure you are prepared ahead of time.  Besides, I didn't want to get Marina mad at me.  She yells at me if I don't read the documentation that the folks at Microsoft have written up.

Q.  They write a lot of stuff about you?

A.  Oh yeah, they even have a blog and lots more is coming in fact.

Q.  So like when you read this stuff...like what gotchas?

A.  Well like in the new document that just came down today, it reminds folks that if you have Outlook over http and have used self signed certs, it walks you through the process to export out the certificates and import them back in.

Q.  Are there any other places that write about you?

A.  Oh yeah, Mariette and Marina are always writing about me and did a ton of work writing about all the unusual stuff when dealing with this Service Pack.

Q.  Like what?

A.  Well one for example that we see a bit of, is that folks will add unusual group memberships to my Administrator account and I don't like that.

Q.  You don't?

A.  Well no, not without a really good reason, and some of the manual additions folks make actually make me deny stuff. 

Q.  Oh wow, I never would have known that.

A.  Yeah it's just some of the weird stuff that people have done.

Q.  So what's great about this Service pack anyway?

A.  You don't know?

Q.  Uh..no.

A.   First off in Windows 2003 sp1 we now have Data Execution Prevention or DEP that watches for nasty stuff and stops it before it can do harm to me.

Q.  Oh wow.

A.  And then if I have Premium OR I buy the Premium upgrade I get the beefier firewall.  Honestly, while the RRAS firewall in Standard is just fine, I really like the reporting in Premium a lot better with the ISA 2004 firewall.  To me it's better for an HR kind of reporting and what not.

Q.  You can buy the premium upgrade even if you didn't buy it the first time?

A.  Oh yes.

Q.  Do you have to reformat the box?

A.  Oh no, you just add it on top of the Standard.

Q.  You just put it on top?  That sounds easy.

A.  Yeah the instructions on the cdrom tell you exactly how to do it.  And remember as we all start using Sharepoint more and more, you really want that Search box which you only get with the Premium SBS.

Q.  So we should have everyone do this service pack right now this very minute?

A.  Uh...no... you need to make sure you do this after hours and when you've backed up the system, turned off the antivirus and what not.  Don't expect this to be as easy and quick as normal Windows Update.

Q.  It's not?

A.  No, it's not.  I can't stress this enough, that you need to order the cdroms because it's two cdroms for Standard and three cdroms for Premium.  Make some time for this... this is a real workout...which is why I'm sweaty.

Q.  So I noticed, I think your deodorant is starting to fail.

A.  Oh....uh....sorry.

Q.  So Sam?

A.  Yes?

Q.  Can I ask an embarrassing question?

A.  Uh... I guess so?

Q.  What if your owner has messed you up and something happens with the Service pack installation?

A.  Oh, that's not embarrassing at all.  I have folks that take care of me in the community, and especially those at Microsoft Support Services are very smart and can take care of me.  Most of what I've been seeing though... honestly...

Q.  Yes?

A.  My owners aren't reading and preparing themselves for this service pack.  If they'd do their homework, most of them would be just fine.

Q.  So getting ready is key?

A.  Yup, getting ready is key.

Q.  Cool.  Thanks again, Sam and next time?

A.  Yes?

Q.  Can you make sure you take a shower before we have an interview?  Either that or can you stand a bit downwind?

A.  Oh... uh...sorry....

Did we forget about Microsoft update?

In all the fun over WSUS, don't forget that another patch tool shipped this week... Microsoft Update

Instead of WUing ...you can now MU.

This was posted on the patchmanagement.org listserve:

Just go to http://update.microsoft.com/microsoftupdate and complete the
short opt-in process. You may need to update your client binaries, but
that doesn’t require any restart. Once you scan for updates, if you
haven’t installed the latest MSI 3.1 update or the latest BITS 2.0
update, you have to install those before you will be offered any other
updates.

If you want to go to the new V6 Windows Update site instead, the URL is
http://update.microsoft.com

Is WSUS supported on SBS 2003?

From the mailbag today comes the question....

Is WSUS supported on SBS 2003?  Was it tested by SBSers?

Heck yes.  We were specifically invited on the beta as a matter of fact.  Now keep in mind one issue that I personally had was that I had to add manual group entries on the clients to get it to 'wake up' and talk to the server and put in http://nameoftheserver:8530 to get the clients to 'check in' with the SBS/WSUS system.

But most definitely you can count on WSUS being SBS approved.

Are you an Admin? Should you be?

From the Administrator Accounts Security Planning Guide:

If you regularly log on to your computer as an administrator to perform common application-based tasks, you make the computer vulnerable to malicious software and other security risks because malicious software will run with the same privileges you used to log on. If you visit an Internet site or open an e-mail attachment, you can damage the computer because malicious code could be deployed that will download and execute on your computer.

If you log on as an administrator of a local computer, malicious code can, among other things, reformat your hard disk drive, delete your files, and create a new user account that has administrative privileges. If you log on as a member of the Domain Admins group, Enterprise Admins group, or Schema Admins group in the Active Directory® directory service, malicious code can create a new domain user account that has administrative access or put schema, configuration, or domain data at risk.

--------------------------------------------------------------------------------
Oh ..go ahead...say it... “But SBS loads up the workstations in administrator by default”. Yes it does.  And why does it do that?  Because 99.99% of my line of business applications will not work unless you either

     a.  run as local admin

     b.  hack the registry to death
I made this point at the CPA meeting we had up at Microsoft: demanding restricted user rights isn't Microsoft's problem, it's OURS.  It's our vendors that we need to push to do this right, especially with Longhorn coming.

As much as I love to rant about non-admin, I wasn't about to drag myself out of bed at 5:30 in the morning to watch the web cast by Aaron... I'll get the recording.  In the meantime, a few of the TechEd Bloggers look like they are finally 'getting it'.

Now... go talk to your vendors... they are the ones who need to get it.

WSUS for the Var/Vap - the REALLY big news about WUS for Partners

Fred Pullen [yes, the TS2/SBSer Presenter Fred Pullen] has a blog entry about how the Var/Vap can provide WSUS services to their clientele:

Fred Pullen's Blog :: Partners & Patching & WSUS, Oh My!:
http://blog.fred.pullen.com/blog/_archives/2005/6/7/918069.html

VAPs/SPs must have a SPLA license
in order to provide approval of content delivery using Windows Server Update Services, as this is using a component of Windows in a hosted environment.

Now what is clear from this is that if you plan to be the official WSUSer for your clientele, ensure you have a service agreement in place.  You are clicking on EULAs on behalf of your client so you'll need to ensure that first and foremost the “i's” are dotted and the “t's” are crossed to ensure that you aren't giving an Attorney somewhere a heart attack.  And honestly, you should have a service agreement in place anyway.  That's just good business practice.

Oh and if you aren't a Microsoft partner?  Not even a mere registered Microsoft partner?  The foundational level of the Microsoft partner program that is a free sign up?  Why ever not?  See what being in touch with the community does for you?

<Hang tight...we're getting a clarification on this as you may not need the SPLA agreement if you remote into the client to approve patches, as opposed to where you 'host' the approval console...stay tuned... more news later.  It still appears that you need to be a registered partner, which, in my NOT so humble opinion, is what any consultant that touches SBSers should be anyway>

SBS 2003 sp1 webcast this Friday

 *Special Friday Edition* of Wednesdays on the Web with TS2: The Ins and Outs of SBS Service Pack 1 presented by Ron Grattopp, June 10th at 2 p.m. Pacific time

http://www.msreadiness.com/wscart.asp?eid=2378

Get the latest information about Microsoft Windows Small Business Server 2003 Service Pack 1! We'll cover what's included as well as give suggestions for deployment. Don't miss this opportunity!

Pssst.. don't forget to click “check out” to register for the seminar

You would think a phone company could call or email or something? Having issues with PacBell DSL?

DSL went out at home and my sister did all the things she thought to do... unplug the DSL modem, unplug the Linksys router, but no go.

So I get home, log into the router and it says PPPoE authentication failure.  Hmm... so I try resetting it and no go.  So I check to see if it's just a network issue and fortunately have a dial up backdoor account to Pacbell and get the tech support phone number.  And as I answer the voice activated menu, I get to the point where the nice lady says “There's a network tech note, please press pound if you'd like to bypass this message”

Ah ha.. must be network connectivity issues.

“As of June 2nd, if you are a Pacbell customer you now need to include @pacbell.net in your authentication information”

WHAT?  You have GOT to be kidding.

Went to the Linksys... added the @pacbell.net to the PPPoE login screen.

Sure 'nuff.  That was it.

Okay Pacbell...exactly HOW would I know this?  Did you send me an email 4 days ago?  Call me?  Send me a note?  Smoke Signals?  Anything?  Where did you tell me this?  And thank goodness I have a modem still in my desktop as a backup to get the phone number to call you and find out this was it.

Bottom line: if you have residential DSL from Pacbell, and assuming you can still read my blog, go fix your PPPoE authentication and add “@pacbell.net” to your user name to get your residential Pacbell DSL working.

Like Eriq has said before with his issue on Verizon... for telecommunications companies, they sure suck on communication.

Act now and get the cream of the TechEd Speakers to Consult on an SBS Install

If you act now, you could be one of 23 bidders to get the cream of the TechEd speakers to get an hour's consulting time.

Shall we stump the TechEd speakers with an SBS install question?  Make their grey matter stretch with an SBS network configuration?  I think an SBS consulting hour can give them a run for their money, don't you think?

Remember...it is for a good cause  :-)

eBay item 5587400881 (Ends Jun-16-05 08:00:00 PDT) - The Tech*Ed Charity Auction for Aceh Recovery at IDEP:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5587400881

How do I open up ports for....

Today I got pinged to ask how to open up ports in the firewall, to which I gave the SBSer practically the third degree.  Why?  Because any time a vendor tells you “I need this port open” you need to stop and begin to think about a risk analysis.

First off you need to ask.. 'which way do I need the traffic to connect?'  If you are the originator of the traffic and you need to go do/get something at another computer, you don't typically need to open up a thing.  In an SBS 2003 network with a POP connector in/SMTP outbound setup, you do not need either port 110 or port 25 open inbound at all.  The POP connector will start the outbound connection and pull in the email, and the SMTP server will forward out the email with no issues.  It's only when you... Mr. SBS Server... need to have something from the outside come inside that you need to open something up.

The case in point was a fellow Accountant who needed to use PCAnywhere to remote 'into' a client's system.  So when I gave him the third degree, I asked him “what ports do you need open”.  The minute he said 5631-5632 I just KNEW it was PCAnywhere. But since typically an accountant would be attaching TO another computer, he didn't have to open anything.  5631-5632 need to be open on the machine you want to control, not on the machine doing the controlling.

Assuming the box on the other side was an SBS network, [which I should stop this post right here and tell you: if you are PCAnywhere-ing INTO an SBS network, why in the world are you not using Remote Web Workplace?  And if it's your old fashioned accountant who is asking for PCAnywhere access, tell them they need to get into the technology of today and tell them how cool RWW is]

Now then...where was I... oh yes... IF you needed to open up the PCAnywhere ports for someone insane enough to have a network that does not include SBS 2003, you would first check to see what they had between you and that desktop you needed to control.  If there is a router in between you and the two-NIC SBS, you need to 'forward' the ports to the external NIC of the SBS, and THEN forward 'those' ports to the IP address inside the network.  For Standard, you open up the Routing and Remote Access program and add your ports there.  For ISA...well let's just say I'm still learning ISA 2004..it's in there somewhere.  I'll ask Amy :-)

Remember, ONLY open up those ports that you absolutely must for business purposes.  Keep anything else closed, and go to www.grc.com and use the Shields Up test to see what others see of your network.  If you have a router between you and your SBS box, what ports MUST be open OR forwarded to the SBS box at a bare minimum?

  • If full SMTP email - port 25
  • If Remote Web workplace - port 443 [SSL port]
  • If Remote Web workplace - port 4125 [control port]
  • If you want Sharepoint open externally - port 444

Those are really the bare minimum ports that need to be forwarded from the router.  VPN access to the box needs GRE, IP protocol 47 [this is not a port -- normally a PPTP passthrough setting will set this], and TCP port 1723, and Terminal Server access for the admin needs 3389, but technically speaking you don't need TS nor VPN open if you don't want to.

Just don't forget to run the Connect to Internet wizard on the server to open up what you need on the inside, and then do the necessary port forwarding on the outside.
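To turn that checklist into something you can actually run against the output of an external port check, here is an added Python example (my own, not from this post, from Microsoft or from any SBS tool) that encodes the inbound exposure each SBS service needs, using the port numbers listed above, and compares it with what an outside scan reports. The service names, the scan-report format and the sample scan are constructed for the example; the PCAnywhere ports in the sample are the ones mentioned earlier in the post, and a defender would expect them to show up in the "close" list when the box is only ever the one doing the controlling.

```python
"""Minimal inbound-exposure audit for an SBS 2003 box behind a router.

Added example, not from the original post.  Port numbers come from the
post; service names, report format and sample scan are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple

# (protocol, number).  GRE is an IP protocol, not a TCP port, so it is
# carried with protocol "ip" rather than "tcp".
Exposure = Tuple[str, int]

# Inbound exposure each optional service needs.  Services that only
# originate outbound traffic (POP connector, outbound SMTP) need nothing
# forwarded, so they map to an empty set.
SERVICE_EXPOSURE: Dict[str, FrozenSet[Exposure]] = {
    "full_smtp":      frozenset({("tcp", 25)}),
    "rww":            frozenset({("tcp", 443), ("tcp", 4125)}),
    "sharepoint_ext": frozenset({("tcp", 444)}),
    "vpn_pptp":       frozenset({("tcp", 1723), ("ip", 47)}),  # GRE passthrough
    "admin_ts":       frozenset({("tcp", 3389)}),
    "pop_connector":  frozenset(),
    "smtp_outbound":  frozenset(),
}


def required_exposure(enabled: Set[str]) -> FrozenSet[Exposure]:
    """Union of the inbound exposure needed by the enabled services."""
    unknown = set(enabled) - set(SERVICE_EXPOSURE)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    needed: Set[Exposure] = set()
    for svc in enabled:
        needed |= SERVICE_EXPOSURE[svc]
    return frozenset(needed)


def audit_exposure(observed: Set[Exposure],
                   enabled: Set[str]) -> Dict[str, FrozenSet[Exposure]]:
    """Compare what is reachable from outside with what the services need.

    "close": reachable but not required by any enabled service.
    "open":  required by an enabled service but not reachable.
    """
    needed = required_exposure(enabled)
    return {
        "close": frozenset(set(observed) - needed),
        "open": frozenset(needed - set(observed)),
    }


def parse_scan(text: str) -> Set[Exposure]:
    """Parse a constructed external-scan report of lines like 'tcp/25 open'."""
    found: Set[Exposure] = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1].lower() != "open":
            continue
        proto, _, num = parts[0].partition("/")
        found.add((proto.lower(), int(num)))
    return found


# Constructed sample of what an outside check might report.
SAMPLE_SCAN = """
tcp/25 open
tcp/110 open
tcp/443 open
tcp/4125 open
tcp/5631 open
tcp/5632 open
tcp/3389 closed
"""

if __name__ == "__main__":
    # This box does full SMTP plus RWW and pulls mail with the POP connector.
    result = audit_exposure(parse_scan(SAMPLE_SCAN),
                            {"full_smtp", "rww", "pop_connector"})
    print("close:", sorted(result["close"]))
    print("open :", sorted(result["open"]))
```

Run as-is it reports 110 and the two PCAnywhere ports as things to close (the POP connector pulls mail outbound, so inbound 110 buys you nothing) and nothing missing. Add "vpn_pptp" to the enabled set and the "open" list will remind you about 1723 and GRE, which is exactly the passthrough setting people forget on the router.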

Open Manage 4.4 is here

For those waiting to install SBS 2003 sp1 which includes Windows 2003 sp1, remember that you had to wait if you were a Dell customer for OpenManage 4.4.  Now it is out:
http://support.dell.com/support/downloads/format.aspx?releaseid=R101039

Professional Identity Theft

I got a call today from a mortgage company to confirm that I did the bookkeeping and tax return for a client.  Slight problem.  I didn't recognize the client.  Next problem, the woman from the mortgage company said the letterhead that was typed up had my full name on it.  You know...with my middle name that is only on legal documents and Board of Accountancy web sites.  Next, while it had the firm address, the letter was typed with merely my name on it, and did not have the firm I worked for.  Any letters that I write have my firm letterhead on it, and would not merely have my name, and definitely not my middle name up there like that.

Now after I've slightly stopped freaking out over this... I'm contacting the State Board as there is indeed enough info on that site and my firm's site for someone to pretend to be me.

Hmm.... think Al Gore ever envisioned the Internet to be used like this?

Read any good audit logs lately?


This guide is designed to help organizations plan a security monitoring and attack detection system based on Windows Security Event logs. It highlights how to interpret the events and which events indicate the possibility that an attack is in progress.
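As an added illustration of the kind of detection the guide describes (example code of my own, not from the guide or from Microsoft), the Python below walks a constructed export of Windows Server 2003-era Security log records and flags accounts with a burst of failed logons, then lists the accounts that were locked out. It uses the classic pre-Vista event IDs 528 (successful logon), 529 (logon failure: unknown user name or bad password) and 539 (logon failure: account locked out); the tab-separated record layout and the sample records are constructed, not a real tool's output.

```python
"""Failed-logon burst detection over Windows 2003-era Security log records.

Added example, not part of the original post or the guide it links.
Event IDs 528/529/539 are the classic pre-Vista Security log IDs; the
record format and the sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

EVENT_LOGON_OK = 528
EVENT_LOGON_BAD_PASSWORD = 529
EVENT_ACCOUNT_LOCKED = 539


class Event(NamedTuple):
    time: datetime
    event_id: int
    user: str
    source: str  # workstation name reported in the event


# Constructed sample export: "time<TAB>event id<TAB>account<TAB>workstation".
SAMPLE_LOG = """\
2005-06-14 02:10:05\t529\tadministrator\tWS-LOBBY
2005-06-14 02:10:07\t529\tadministrator\tWS-LOBBY
2005-06-14 02:10:09\t529\tadministrator\tWS-LOBBY
2005-06-14 02:10:11\t529\tadministrator\tWS-LOBBY
2005-06-14 02:10:13\t529\tadministrator\tWS-LOBBY
2005-06-14 02:10:20\t539\tadministrator\tWS-LOBBY
2005-06-14 08:01:00\t529\tjsmith\tWS-ACCT01
2005-06-14 08:01:30\t528\tjsmith\tWS-ACCT01
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed export into Event records (account names lower-cased)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src = line.split("\t")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(eid), user.lower(), src))
    return events


def failed_logon_bursts(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)
                        ) -> Dict[Tuple[str, str], int]:
    """Return (account, workstation) pairs with >= threshold 529 events
    inside any sliding window, mapped to the largest such count."""
    times_by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e.event_id == EVENT_LOGON_BAD_PASSWORD:
            times_by_key[(e.user, e.source)].append(e.time)

    hits: Dict[Tuple[str, str], int] = {}
    for key, times in times_by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def locked_out_accounts(events: List[Event]) -> List[str]:
    """Accounts that produced an account-locked-out (539) event."""
    return sorted({e.user for e in events if e.event_id == EVENT_ACCOUNT_LOCKED})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, src), count in failed_logon_bursts(evs).items():
        print(f"burst: {count} failed logons for {user} from {src}")
    print("locked out:", locked_out_accounts(evs))
```

On the sample the administrator account from WS-LOBBY trips the burst rule and then shows up as locked out, while jsmith's single mistyped password followed by a 528 is the normal Monday-morning pattern and stays quiet. The threshold and window are the two knobs you would tune against your own baseline before trusting the alert.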

Putting you guys on notice

If you are a blog reader you'll know that WSUS is finally out and for us SBSers, you should understand that this is step one, a big baby step on the way to a perfect patch management system.  For us Premium folks, it won't patch ISA Server, so we'll still need to watch for that [but honestly ISA hasn't needed too many specific patches]. 

What does this specifically mean to us? 

For one, when you come into the newsgroup saying “I've patched my server” I'll now ask you if you are using WSUS and “really” patched your server.

For two, I'd really like you to think about controlling when you patch and do an approval process and think about zoning your systems so that not everyone just automatically updates.  For example, I truly think it's not a good idea for servers, your critical business tool, to be downloading a patch and rebooting on Tuesday night. 

Samantha Bee may joke about Patch Tuesday, but I call it Dead Body Wednesday as invariably there's one person who automatically updated their server and, due to a misconfiguration, didn't come through the trip well.  WSUS is another tool in taking back the desktops and protecting them.  A huge tool for patching your servers smarter. 

On page 521 of the Dr.J/Riley book, there's a page called “How to get your Network Hacked in 10 easy steps” and number 1 is “Don't Patch Anything”.

Well guys, while I would still say this isn't my 'perfect' patch tool since it doesn't have the SBS specific patches like Shavlik does, nor does it appear to be able to download and install our SBS 2003 sp1 [mainly due to Exchange, as it's my understanding that patch can't be silently installed], it's a vast, vast improvement over merely using Windows Update.  I don't think it will help us to get to Service Pack 1 [nor would I want it to as our Service Pack is too big], but it will help us to patch after that.  It can be installed with or without the service pack installed and is not dependent on that being on your box, if you are worried about that.

Gentlemen, start your downloading.

Samantha is right, the lines to the ladies room is very short

In the beginning of the Tech Ed keynote, Samantha Bee from the Daily Show talks about what we call the “bathroom line effect”.

Us geek gals have no lines for the bathroom.  In fact, I've been in Tech Conferences before and I can attest that you could practically roll a bowling ball in the ladies room and you'd probably not hit too many gals in there.  Yet I know several Tech gals, that are the glue of their communities.

But to summarize, TechEd so far has announced:

Now at this time WSUS and MU doesn't patch ISA server 2004...but then again... ISA Server hasn't needed too many patches  :-)

Notice that all those things that are talked about in that customer experience video are what we SBSers already have in the box?  Exchange 2003, Sharepoint, ISA 2004, in fact with the new ActiveSync, it's easier than ever to set that up.  I think Wayne is going to blog about that soon.

Sorry Amazon.com, it wasn't you after all

I'll be surfing out on Amazon.com and after I've stuck something in the shopping cart...like...oh .... Dr J's and Riley's new book..... I'll click the back button and I get a page not displayed.

Rats.  Stupid Amazon.com.  Does this to me all the time.  Really annoying.

Well I was out checking knowledge base articles and found this:

FIX: You receive a "Page cannot be displayed" error message in Internet Explorer when you browse back to a Web page that contains data that you previously submitted after you install Windows XP SP2:
http://support.microsoft.com/?kbid=890178

No WONDER I keep getting that issue.  It's NOT Amazon.com at all.  Remember this is a call for a hotfix, now why this isn't more available, I have no idea, but at least I can call for the free hotfix.


Update ...okay I'm confused.... if I get the hotfix it says I need to enable it by entering a reg key, but if I have cumulative update the steps do not have to be followed.  Have you seen these hotfixes that are like this that have 'reg key enablers'?  Outlook Express has a bunch of them too.

hmmm... I think I'll do the workaround.....

Patch News

Announced by Steve Ballmer at Tech-Ed today and now live on
www.microsoft.com:

Windows Software Update Services (WSUS). Final release of WSUS went live
today.
http://www.microsoft.com/wsus

Microsoft Update (MU): Microsoft Update replaces Windows Update. In
addition to Windows XP, MU now updates: Windows XP, Windows 2000 SP3,
Windows Server 2003, Office XP, Office 2003, SQL Server 2000 SP4 and
Exchange 2000.
http://update.microsoft.com

Try it out!!

Couldn't be at TechEd?  In a short time, hear Ballmer's keynote recorded!

[link updated]

You might want to rethink your partitions

As reported earlier, the 16 gig store limit in Exchange 2003 sp2 will now increase to 75 gigs [public/private].  So if you happen to be building a server today, at this very moment, you may want to rethink those partition sizes.

I did a really big OS partition so I wouldn't have to worry about cleaning up the log files, the service packs and security patches and what not.

So ... rethink those partitions and get ready for that 75 gig storage.

Exchange 2003 sp2 coming out this fall - we can now store more spam!

 http://www.microsoft.com/exchange/downloads/2003/sp2/faq.mspx

Based on feedback from customers like you and because of the evolution of e-mail usage, we are increasing the storage limit for Exchange Server 2003 Standard Edition with SP2 to 75 gigabyte (GB).

FINALLY!

It's not on the web yet, but the word from the WSUS Wiki is that WSUS 'rtm'd'

wsus - Status of WSUS Product:
http://www.wsuswiki.com/WSUSProjectStatus

It's about time folks.

Can't be at TechEd?

Can't be at TechEd, Microsoft's geek fest?  Order the DVDs for US$195 or watch the live webcasts.  Hmmm..... I'm not sure I'm willing to get up at 6 a.m. for Steve though.

Ordered!

Trend on SBS

We all used to follow the “Official Les is more guide to installing Trend on SBS” but we have a new guidebook we can use. 

Wayne Small put together a visual how to on his new web site that has the exact how to instructions.

If you haven't checked it out... you should!

Microwave Potatoes

Me being the insane person that I am can see security issues in everything... so I'm in the grocery store yesterday and Dole is selling microwave-ready russet potatoes.  Already shrink-wrapped, prewashed potatoes that all you need to do is peel off the label and stick in the microwave and nuke.... and I'm thinking to myself.. okay folks... how HARD can it be to microwave a potato?  I mean like how detailed of instructions do you need?

Take potato... stick under faucet, wash, wrap in plastic... I mean do we have such a society these days that we have to have pre-prepared potatoes because the end consumers of potatoes don't have enough grey matter to handle water and nuking them? 

Out in my SBS newsgroups there are some folks that are looking at the OneCare offering as big bad monopolistic Microsoft to come into the small biz space and take over.  I say that it will free us up from cleaning up the messes and instead solve real problems.  Right now my CPA gang in SBSland want to know better how to use Outlook and Exchange.. I think they'd rather be paying the business consultants for how to's in email managment than cleaning up about.blank.

Me, I'm glad I can be Tuesday morning quarterback, because I wouldn't want to be in Microsoft's shoes.  They need to get 'potatoes' out fast enough to satisfy the larger admins, but then there's those folks that need a prewashed potato because they have no admin to keep their computers safe.

Are we sane?

Listening to a security mp3 on the flight home and Eric Cole was talking about patching.  And he says the more critical the box is, the less services you want to run on it.  And yet, what do we do in SBSland, we put everything in one spot.  Is it no wonder that when we have a big service pack it’s like painting a big fat target on our boxes and wondering why some of us who have customized our boxes have had issues? 

 

If at all possible…break a system down into core functionality, he says.. and what do we do?  We put EVERYTHING on one spot.  When we patch, we risk it all.  We put all our cards on the table and roll the dice.  While we argue that there are single points of failure everywhere [case in point, the single point of failure on this laptop is the fact that it's dependent on the one battery], and while I would argue that for 99.99% of the time we are just fine, it's that one time that you are analyzing the risk of change.

Putting a patch on a system could destabilize it.  And yet every month we risk destabilizing the box with our patching, don't we?

The fewer services that are running, the fewer things you have to patch, says Eric.  Is it any wonder then, that the service pack we have is what it is?  Big.

I'm still not convinced that we are all that insane down here in SBSland, as I'm still willing to accept the risk because the benefits of SBSland are still too great: our ease of wizards, our community and the support we have.  But conversely, as my fellow CPA was complaining, he's being pushed by the line of business applications that he has to run about 10 servers for about 25 employees.

Maybe we're just a tad insane for putting what we do all on one box, and maybe we need to do more virtualization in the future, but I'd argue that our vendors are just as insane for pushing to have their own separate box.

Maybe there's a happy medium out there?

Oh and Eric says.... rebooting isn't that bad... on the Unix platform if you don't reboot soon after a patch, and later there is an issue, you'll never tie the issue back to the patch you applied.  Thus rebooting right after a patch is a way to make sure you can identify the cause of any effect due to patching.

Something to think about anyway about that argument against rebooting.

Being agile

Being involved in events and traveling always reminds me of making sure that you keep a view of agility.  I'm once again cross legged sitting on the floor because the seats are full in the waiting area at the airport and I'm going standby on an earlier flight.

Being somewhat involved in making sure the last two days went smoothly, in my last official role as Chairman of the California Society of CPAs technology committee, meant that having cellular access was key to keeping in touch with those who were helping to organize the event.  At the Microsoft campus, while there is wireless, in the area that I was in it's tied to authentication.

Afterwards when we were chatting with my SBS pals, it was clear that every one of them was hesitant about rolling out wireless because they wanted the infrastructure that Microsoft had deployed... but there's one problem... many of the vendors that supply that two factor authentication just don't sell in the SBS space.  Either they don't offer token cards in a small enough quantity or they think adding a $5,000 piece of equipment is the way to go.

We want security, but we want simplicity... oh and can you make it cheap?

Dear geek widow

Dear Mr. or Mrs. Geek widow:

Your significant other probably either printed this out, or handed you the computer so that you could read this blog.  Don't worry, it's really not important what a blog is.  What is important is your significant other wants to attend the SMBnation Conference in Redmond, Washington September 9th through 11th.  If you act quickly you and your significant other can get a hotel room at the Marriott Redmond Town Center.  Now why is this a good thing?  Because while your geek spouse is at the Microsoft Conference Center getting overdosed on SBS love, you can walk around Redmond Town Center where there are shops, a mall, restaurants... enough stuff to keep you entertained while your significant other gets geeked out.  I'm up here right now as a matter of fact in the hotel room looking out the window on stores and restaurants.  We went to a great restaurant last night and just walking around, it's enough shopping and mall, not to mention that downtown Seattle is a short drive or excursion away.

Don't worry, it's not catching, but look at it this way: for three days they'll be talking geek with folks who actually don't mind listening to them, while you can be out shopping and having fun sightseeing. So take a look at where you'll be having fun, while your significant other is talking geek and getting it out of their system.  Well... at least until next year.

The best time for an upgrade

This morning underneath my door was a note that said “Today between 2 p.m. and 3 p.m. we're upgrading our phone system.  We apologize for any inconvenience”.  So at first I'm thinking... gee... that's an odd time for an upgrade... but then it hit me... it's during the normal check out/check in time span.  A time that the hotel guests would be least likely to be inconvenienced.  So a time and a day that seems insane for upgrading for my business is perfectly sane for another business.

The biggest concern I heard from the folks in my CPA group that do have SBS boxes is the concern about email as they go through this service pack.  They wanted to make sure the email wasn't harmed or hurt in any way.  But here's the thing: if you are running NTBackup, you should already have backups of that Exchange data.

When you know you have a backup 'before' you apply a service pack, you don't worry so much about installing such things.  You know that you have a way to 'fall back'. 

So maybe... just maybe.... all of us who are really concerned about applying this service pack... maybe we need to ask ourselves, is it because we don't truly trust the backups we do?  Maybe it's because none of us [myself included] truly feel comfortable with all the nuances of restoration?  I know that of my SBS MVP gang, I would probably argue that Mr. Swing aka “Jeff” is the strongest and has the most varied experience with disaster recovery.

To those of you thinking about installing this service pack, figure out the best time.  Do it when you have time to deal with things.  Test it first.  Read the release notes.  And above all else, make sure you have a good backup.

WSUS documents hitting the web

Overview of WSUS.

Getting started with WSUS on Windows Server 2003 

Getting started with WSUS on Windows 2000

Three things on the download site today of interest to us SBSers: the WSUS documents.  Hmmmm.. this sounds like it may be near done 'baking'.   The news reports have said June.... and well... this 'is' June and TechEd is next week.  I think the planets are aligning.

I still would argue that WSUS is not as blonde as Shavlik, and certainly does not patch any of the third party stuff, so keep that in mind when you evaluate it, but at LEAST it sounds like it's close to being released.. remember that this was first announced back when SBS 2003 was released, so if it is out soon, it's fitting that it's near another milestone in SBSland, which is SBS 2003 SP1.

Software change management

When I'm using my standalone laptop that has the standalone Trend PC-cillin is when I truly realize that on a daily basis I have a massive amount of 'software change management' on my PC that I do nothing to 'vet, test, or approve'.  Every month I test software patches in my office, I ensure that the software that I use is compatible with the patches and then approve them for deployment.  I manage their application.  Yet at the same time, I do nothing to test anything about software that has the ability to be automatically downloaded many times during the day to my system.  But it too is a massive 'change' in my system.

Think about it...that 'stable' pc of yours gets software changed ...all....the....time.....and we think nothing of it.

Today, watch out for.. what truly is a stupid virus infection.  And what does it rely on?  Our stupidity.  Hmmm.. gotta work on those service packs for humans again, don't we?

Knowing more, making it easier

Back in the hotel room before dinner, I was demonstrating the SBS I have at the office as well as my SBS at home.  ...Yes... I have two SBS boxes that I live with.... and it was interesting that two comments came up that I've heard before.

Exchange needs to be easier.

I want to know more of what I can do with what I have.

I still would argue with my fellow SBS MVPs that the process of calling the ISP, getting the MX records set up, even the wizard to set up email... the confusion over what do I call the box, .local versus .com, loses a lot of folks.  A couple of folks that have SBS admitted that they aren't fully utilizing it because they couldn't figure it out, nor could the non-SBSized consultant they called in figure it out.  Any Exchange 12 folks... or SBS folks out there?  Blonde that sucker down folks, because you are still losing folks on Exchange.

I then showed the folks that link inside Remote Web Workplace for 'more help' that goes through the parts of SBS from the user's view.  That has to be the best kept secret of SBS... that internal help button.  I don't remember if they ever extracted that out and stuck it on a web site.. hey... maybe that's something I need to start blogging about as a recurring post topic.  I'll cut and paste parts of that help file and stick it on the blog and “Susanize” it.

Is it secure as VPN

In some presentations today the question that invariably comes up with SBS 2003, and in particular Remote Web Workplace, is “is it as secure as VPN”... to that we SBSers argue... Yes, and we'd argue that it's “MORE” secure using RWW versus VPN.

Now why do I say that?

Because while it gives you enough connectivity to work as if you were at your desktop, it's not so much connectivity that it puts your network at major risk.  RWW does not put the same level of risky glue between the computer you are using and the internal workstation that VPN provides.  Historically speaking, think back to the Blaster/Slammer timeframe.

The VPN connection provides the full ability to infect the internal network if the external machine was infected with something Blaster- or Slammer-like and then VPN'd back into the network.

Remote Web Workplace.. since we typically do not choose the option to map network drives, we argue that it is therefore more secure than a VPN connection.

I'd argue that if you are not using network access protection [checking patch level, antivirus level etc.] with VPN quarantine these days, I'm not sure I would consider VPN absolutely positively the best way to connect to your office anymore.  It isn't always 'more secure'.

A little too much technology

So in the hotel room I get ready to go to bed last night and look at the clock radio to set the alarm.  There on the desk is this CD-ROM/clock radio/AM/FM programmable thing that has an alarm set button somewhere.

Hmmm... ever notice how the alarm clocks in hotels don't have instructions, that they just assume you can tell from the myriad of buttons which one to push?   I wasn't much in the mood for googling the instructions off the web, nor was I in the mood to try debugging it when I'd probably end up resetting the time and then not being able to figure out how to set it correctly again.

Fortunately for every bit of high technology there's a bit of low technology that has been left behind.

“Hello, yes I'd like a wake up call please, ....perfect.....thank you”.

Sometimes simple does indeed work the best doesn't it?

Looks like I have a bit of cleaning when I get back home

So I'm remoting into the server at home, looking at the ISA 2004 firewall reports and building a daily report.  {Keep in mind you Premium folks need to do likewise} and the first thing I need to investigate is why, even with the ISA firewall client loaded, it looks like all my workstations are SecureNAT clients.  Oh well, deal with that one later after I find an interesting item... well two actually... In the top browsers used to access web sites it tells me that in an office full of Windows XP SP2, I have Gator [uh oh... I bet I know the workstation that has that... I've got a troublesome workstation.... hmmm.... probably need to lock that sucker down better, I have problems there] and then MSIE 5:

Rank  Browser          Users  Requests  % of requests
1     MSIE 6.0            20     27019       80.60 %
2     Gator                2      5159       15.40 %
3     Unknown             27      1053        3.10 %
4     Windows Update      13       156        0.50 %
5     MSIE 5.0             1        60        0.20 %
      All Others                    61        0.20 %
      Total               32     33508      100.00 %

MSIE 5?  5?  Is that like Win9x?  What the heck is something that looks like a 9x box doing on my network?  Either some device... and what the heck device is that?... is reporting a wacko 9x box signature, or something else is going on.

Looks like I have some investigation to do when I get back home.  I don't have any 9x system on my network... I beat them to a pulp a long time ago.  hmmmmm....I'll keep you posted.
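The ISA report only gives you the ranked summary above; what you actually want when a Gator or MSIE 5 entry shows up is the client address behind it so you know which workstation to go look at. The following is an added example, not code from the original post or from ISA Server: it aggregates constructed proxy log lines (a simplified tab-separated layout of client IP, user agent and host, not the real ISA log format) into the same kind of table, and flags every browser family that an XP SP2 office should not be producing, together with the clients that produced it. The user-agent strings and the `Windows-Update-Agent` label are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified tab-separated layout: client IP, user agent,
# requested host. Not a real ISA 2004 log; the user-agent strings are illustrative.
SAMPLE_LOG = """\
192.168.16.10\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\twww.microsoft.com
192.168.16.11\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\twww.msn.com
192.168.16.10\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\tsupport.microsoft.com
192.168.16.11\tGator/7.0\tads.example.invalid
192.168.16.12\tWindows-Update-Agent\tupdate.microsoft.com
192.168.16.13\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)\twww.example.com
192.168.16.14\tPrintServerFirmware/1.2\tfirmware.example.invalid
"""

# Browser families an XP SP2 office is expected to produce; anything else gets a look.
EXPECTED_FAMILIES = {"MSIE 6.0", "Windows Update"}

_MSIE = re.compile(r"MSIE (\d+\.\d+)")


def browser_family(user_agent):
    """Collapse a raw user-agent string to the coarse label the ISA report uses."""
    match = _MSIE.search(user_agent)
    if match:
        return "MSIE " + match.group(1)
    if user_agent.startswith("Gator"):
        return "Gator"
    if user_agent.startswith("Windows-Update-Agent"):  # assumed AU user agent
        return "Windows Update"
    return "Unknown"


def summarize(log_text):
    """Return {family: {"requests": count, "clients": set of client IPs}}."""
    summary = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, user_agent, _host = line.split("\t", 2)
        entry = summary[browser_family(user_agent)]
        entry["requests"] += 1
        entry["clients"].add(client_ip)
    return dict(summary)


def flag_unexpected(summary, expected=EXPECTED_FAMILIES):
    """List (family, sorted client IPs) for every family outside the expected set.

    The client IPs are exactly what the ranked summary hides: they point at the
    workstation (or device) that needs investigating."""
    return sorted(
        (family, sorted(entry["clients"]))
        for family, entry in summary.items()
        if family not in expected
    )


def report(summary):
    """Render the ISA-style table: rank, family, users, requests, share of total."""
    total = sum(entry["requests"] for entry in summary.values())
    rows = sorted(summary.items(), key=lambda item: -item[1]["requests"])
    lines = []
    for rank, (family, entry) in enumerate(rows, 1):
        share = 100.0 * entry["requests"] / total
        lines.append(f"{rank} {family} {len(entry['clients'])} {entry['requests']} {share:.2f} %")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("\n".join(report(summary)))
    for family, clients in flag_unexpected(summary):
        print(f"investigate {family}: {', '.join(clients)}")
```

Run against a real export you would swap `SAMPLE_LOG` for the log file contents and adjust the column split to the actual format; the point is the join between the browser family and the client address, which is the piece the summary report leaves out.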

Write them down, memorize them, two factor them, just pick better ones will ya?

Law #5: Weak passwords trump strong security

The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he's you. Maybe he wants to read sensitive information you've stored on your computer, like your e-mail. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn't. Or maybe he just wants to do something malicious and blame it on you. In any case, it's worth protecting your credentials.

Always use a password—it's amazing how many accounts have blank passwords. And choose a complex one. Don't use your dog's name, your anniversary date, or the name of the local football team. And don't use the word "password"! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you've picked a strong password, handle it appropriately. Don't write it down. If you absolutely must write it down, at the very least keep it in a safe or a locked drawer—the first thing a bad guy who's hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don't tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.
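The law above lists the rules in prose; here, as an added example that is not part of the Microsoft text or of this post, is what those rules look like as a check you could run over candidate passwords before they go into a small office's account policy. It is modelled on the Windows "Password must meet complexity requirements" setting (three of four character classes, no fragment of the account or full name), with a minimum length and a small blocklist added for the "don't use your dog's name or the word password" advice; the blocklist words and names are constructed for the example, and the search-space figure is only a rough way to show that length beats character mix.

```python
import math
import re

# Constructed blocklist standing in for the dog's name, the team and "password".
BLOCKLIST = ("password", "letmein", "fido", "packers")

# Character classes in the style of the Windows complexity requirement.
_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Approximate alphabet size contributed by each class (33 printable ASCII symbols).
_CLASS_SIZE = {"uppercase": 26, "lowercase": 26, "digit": 10, "symbol": 33}


def present_classes(password):
    """Names of the character classes that occur in the password."""
    return [name for name, rx in _CLASSES.items() if rx.search(password)]


def complexity_failures(password, account_name="", full_name="",
                        min_length=8, blocklist=BLOCKLIST):
    """Return the list of rules a candidate password fails; empty means it passes.

    The checks mirror the prose of Law #5: length, a mix of character classes,
    nothing derived from who you are, and no obvious words."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if len(present_classes(password)) < 3:
        failures.append("fewer than three character classes")
    lowered = password.lower()
    # Windows rejects passwords containing the account name or any part of the
    # display name longer than two characters; the same rule is applied here.
    for part in [account_name, *full_name.split()]:
        part = part.lower()
        if len(part) >= 3 and part in lowered:
            failures.append(f"contains name fragment '{part}'")
    for word in blocklist:
        if word in lowered:
            failures.append(f"contains blocklisted word '{word}'")
    return failures


def search_space_bits(password):
    """Rough size of the space a guesser must cover, in bits: length * log2(alphabet).

    This is deliberately crude (it ignores dictionary structure), but it makes the
    'as long as possible' advice concrete: length grows the exponent, a symbol
    only grows the base."""
    alphabet = sum(_CLASS_SIZE[name] for name in present_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("Password1!", "Susan2005!", "Correct-Horse-9-Battery"):
        print(candidate, complexity_failures(candidate, "sbradley", "Susan Bradley"),
              f"{search_space_bits(candidate):.1f} bits")
```

Note that "Password1!" clears every class check and still fails, which is the real point of the law: the mechanical rules are the floor, and a word anyone would guess does not become strong by decorating it.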


I realize tonight it's been a while since my continuing saga/comments on the “10 Laws of Security” and it's time to have law number 6.  When I realized it was about passwords, I nearly busted out laughing because of all the news reports in the last week about the horror of Dr. Jesper Johansson saying “write down your passwords” at AUScert, while this law in black and white says:

“Under penalty of death, dismemberment, and major suffering ..never ever ever write down your password“

After the slashdotting of “Microsoft security guru says to write down your passwords”, let's think about what he's trying to tell us....

Passwords totally suck as an authentication tool.

Okay so maybe that's my interpretation of what he said, but they do, because we make them suck.  They are the first line of defense and yet look what we humans do... we pick the lamest, most stupid passwords.  We say that we can't use more difficult ones because they are hard to remember... and that's Dr. J's point... because our brains only hold so much info [on some days I swear my brain quota is set too low] we are going to pick a password that we can remember.  That in turn leads us to a password that just is not appropriate for the data we are protecting.

Two factor authentication?  What about biometrics?  Well, great in theory but again, they suck in deployment.  What if you need to deploy another digit?

I would like to see our Remote Web Workplace have two factor authentication in the future.  I'm totally cool with the risks of it 'at this time' but there's the key... I'm comfortable with the risks... 'at this time'.  I may not be so in the future.  There are times that having that second factor, 'what you have' along with 'what you know', would go a long way to help protect our most sensitive business assets.