January 2006 - Posts

What does and does not apply?

Going through the KB articles and blogs tonight (uh doesn't everyone read KB articles for fun?) and there was something that I noticed that I thought I should point out....

First off...while I consider this just taken for granted ..sometimes it's not .....as was pointed out on a recent blog post.  Many times people ask if "fill in the blank" is supported on SBS.  And we say with a "well of course it is you twit" kind of superior air in our voice as we in SBSland assure everyone that we can just install the same service packs and hotfixes as our big brother servers that are Standard OSs. Service packs for the parts of SBS, i.e. Windows Server, Exchange Server, Sharepoint, SQL server,  etc... etc.... are fully supported and just fine on SBS itself. 

Seeing a new batch of KB articles start to occur reminded me that we're going to have to couch our "you twits" in the future as there will be KBs coming out that don't pertain to us.

This one... http://support.microsoft.com/?kbid=911604 for example, will not, as the platform it's on is Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86) and that's not us.  But a KB that lists Microsoft Windows Server 2003, Standard Edition (32-bit x86) like  http://support.microsoft.com/?kbid=908911 will apply to us as that's what we still are under the hood.

Hmmm.... wonder if the "Fresno" (1)  version of Windows Server has any of its own KBs?

(1) The Windows Server for Small Business, a 15 user base OS that is just our core OS that I refer to as the "Fresno" version....aka "For REally Small NetwOrks".... get it?

A beta release of IE 7 means....

Beta -- http://en.wikipedia.org/wiki/Development_stage#Beta When a beta becomes available to the general public it is often widely used by the technologically savvy and those familiar with previous versions as though it were the finished product

Translation? You as the IT pro can start playing with it.....do you install it in clients? Uh...no.

Spyware Sucks : Installation tips for IE7 Beta 2 Preview:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/01/82205.aspx
Spyware Sucks : Heads up for SBS Sites using self-signed certificates:
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82198.aspx
Spyware Sucks : IE7 Beta 2 has gone live:
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82195.aspx

In case RWW doesn't want to play nice..make IE7 act like IE 6:

Problems with web sites - Internet Explorer 7:
http://www.ie-vista.com/sites.html

So?

Okay so why does this page http://blogs.technet.com/ link to this page.... http://blogs.msdn.com but that page http://blogs.msdn.com doesn't have a link back to that page http://blogs.technet.com/?

Just wonderin.....

Dear Live Communication Server people:

Dear LCS people....just saw this blog on the demise of Netmeeting in Vista and just wanted to remind you folks that I do love your Live Meeting server that allows me to have internal only messaging in my firm, allows me to track who's in the office and who's not and allows me to integrate it with Sharepoint.  But I gotta level with you guys that I'm one of the wacko ones that got Software Assurance and caught the product somewhat reasonably priced ...and I even re-SA'd it to hang on to it. 

Harold talks about the Exchange and LCS being under the same business group...but I just want to put in my two cents once again for a lightweight, no VOIP, no hosting of streaming media...just plain old 'chat' inside the office for quick messages. 

Most of us in small business are using our own duct taped together solutions for an internal IM...but if you guys just happen to want to have another product to roll out...and yes, sorry, it's got to be cheap... a nice low feature internal only IM would be nice if you have some time.

Know your marketplace?

Doing some research today on Small Businesses and some interesting links...

http://www.usatoday.com/money/smallbusiness/columnist/abrams/2004-05-06-success_x.htm

"The lesson? To greatly increase your chance of success, find out as much as you can BEFORE you open your doors. Talk to people who run their own businesses, especially businesses similar to yours, and get a realistic understanding of the time, financial, and emotional resources necessary. Keep your eyes open — not to the possibility of failure, but to the very real demands of running your own business."

Business Starts and Stops:
https://www.nfib.com/object/2752733.html

Small Business Problems and Priorities:
http://www.nfib.com/object/IO_16191.html

Lessons from Katrina.. http://www.nfib.com/object/IO_25515.html

Top 10 Reasons Why Small Businesses Fail | Starting a Business > Business Plans:
http://www.allbusiness.com/articles/startingbusiness/1440-25-1822.html

  • Procrastination
  • Ignoring the Competition (and I would argue it's not your fellow SBS consultant)
  • Sloppy or ineffective marketing
  • Ignoring customers' needs
  • Incompetent employees
  • Lack of versatility
  • Poor location
  • Cash flow problems
  • A closed mind
  • Inadequate planning

Just some links for thought.....

Feedback worth listening to

I was reading a post on the coding horror blog and the post about "good bugs versus bad bugs" reminded me of a company that seemingly takes feedback and does nothing with it.  No, I'm not talking about Microsoft here...but rather one of my LOB apps CCH. 

They do something in their tax program that just is inconceivable to me.  You see there are times that we need to fill in a form called a "Power of Attorney" where we can talk to the IRS (taxing agency) directly.  And there are specific identification numbers that we use.  Unique to each partner in the firm.  So when we migrated from Lacerte to CCH you can imagine our surprise that the "supposedly" less robust Lacerte, who all along has this master firm database ability to quickly and easily pop in a partner listing of unique info that was global to the program has been able to do this all along, but when we got to the CCH program, it cannot do this. 

It's a database program mind you.... in reality...and a basic database function....the ability for the program to remember unique data for each partner without having to individually place it in each taxpayer... it's now a "feature request" that we've put in for three years.

Now I cannot imagine that larger firms don't see this as a feature request.  I cannot imagine that larger firms don't have umpteen times in a day that they need to fill out a power of attorney form.  And the fact that this process is so manual, and that I have to keep a document separately to keep track of this information absolutely boggles my mind.

Why does it take a number of customers to wake up to a fact that they are missing out on something only because they haven't compared the features of a competing vendor to realize that neither vendor seemingly designing the software in a manner that optimizes what is the basic function of the program.  A database... a gathering of data.  Not a word document that has to be opened each time to enter in a data, database.  But an all encompassing program that keeps track of everything that the user of the program might need to do their job?

There are times I really wonder if any of the app developers are listening to the right people. 

Are they listening too much to the bleeding edgers?  Are they listening too much to the folks that have been using the same tax software since 1913 and they haven't changed their technology ways one iota?  (Okay so I'm exaggerating, but I kid you not, people do not change and migrate to new ways of technology well at all).  But truly, are they listening to the users of this software?  Sometimes I wonder.

My guess is that many of you reading this blog are not "users" of SBS but Var/Vaps.  And you are not the "users" of the software.  Oh sure you use the admin consoles and what not, and you still have to from various third party apps like Level Platforms or MOM and what not cobble together the "Var/Vap" console that you'd love to have (and that I swear I was at a AICPA Technology conference a few years ago and Bcentral was supposed to do something similar in the accounting space, but I digress) but in reality, you aren't the users of SBS.  

There are times that I don't think the vendors out there listen to you guys the "Admins" of SBS.  But the problem is and will always be the marketplace of SBS.  We're cheap down here, let's face it.

MyWife Malware

 This alert is to notify you of the release of Microsoft Security
Advisory (904420).

Microsoft wants to make customers aware of the Mywife mass mailing
malware variant named Win32/Mywife.E@mm. The mass mailing malware tries
to entice users through social engineering efforts into opening an
attached file in an e-mail message. If the recipient opens the file, the
malware sends itself to all the contacts that are contained in the
system's address book. The malware may also spread over writeable
network shares on systems that have blank administrator passwords.
Customers who are using the most recent and updated antivirus software
could be at a reduced risk of infection from the Win32/Mywife.E@mm
malware. Customers should verify this with their antivirus vendor.
Antivirus vendors have assigned different names to this malware but the
Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/Mywife.E@mm, the malware is
intended to permanently corrupt a number of common document format files
on the third day of every month. February 3, 2006 is the first time this
malware is expected to permanently corrupt the content of specific
document format files.  The malware also modifies or deletes files and
registry keys associated with certain computer security-related
applications. This prevents these applications from running when Windows
starts. For more information, see the Microsoft Virus Encyclopedia
(http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm).

As with all currently known variants of the Mywife malware, this variant
does not make use of a security vulnerability, but is dependent on the
user opening an infected file attachment. The malware also attempts to
scan the network looking for systems it can connect to and infect. It
does this in the context of the user. If it fails to connect to one of
these systems, it tries again by logging on with "Administrator" as the
user name together with a blank password.

Customers who believe that they are infected with the Mywife malware, or
who are not sure whether they are infected, should contact their
antivirus vendor.  Alternatively, Windows Live Safety Center Beta Web
site (http://safety.live.com) provides the ability to choose "Protection
Scan" to ensure that systems are free of infection. Additionally, the
Windows OneCare Live Beta (http://www.windowsonecare.com), which is
available for English language systems, provides detection for and
protection against the Mywife malware and its known variants.

For more information about the Mywife malware, to help determine whether
you have been infected by the malware, and for instructions on how to
repair your system if you have been infected, see the Microsoft Virus
Encyclopedia
(http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm).

For Microsoft Virus Encyclopedia references, see the
"Overview" section. We continue to encourage customers to use caution
with unknown file attachments and to follow our Protect Your PC guidance
of enabling a firewall, getting software updates, and installing
antivirus software. Customers can learn more about these steps by
visiting the Protect Your PC Web site
(http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx).

Suggested Actions:

*    Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known
malicious software. You should always run antivirus software on your
computer that is updated with the latest signature files to
automatically help protect you from infection. If you don't have
antivirus software installed, you can get it from one of several
companies. For more information, see
http://www.microsoft.com/athome/security/downloads/default.mspx

*    Use caution with unknown attachments
Use caution before opening unknown e-mail or IM attachments, even if you
know the sender. If you cannot confirm with the sender that a message is
valid and that an attachment is safe, delete the message immediately,
and run up-to-date antivirus software to check your computer for
viruses.

*    Use strong passwords
Strong passwords on all privileged user accounts, including the
Administrator account, will help block this malware's attempt to spread
through network shares.

*    Remove unneeded network shares
Malware can often spread over network shares. Remove unneeded network
shares that are mapped to your computer. To remove network shares in Windows XP:
o    On the Start menu, click My Computer.
o    On the Tools menu, click Disconnect Network Drives...
o    In the Disconnect Network Drives dialog box, click the drives to
disconnect and click OK.

*    Protect Your PC
We continue to encourage customers to follow our Protect Your PC guidance
of enabling a firewall, getting software updates and installing
antivirus software. Customers can learn more about these steps by
visiting Protect Your PC Web site (http://www.microsoft.com/protect).

For more information about staying safe on the Internet, customers can
visit the Microsoft Security Home Page
(http://www.microsoft.com/security).

More information can be found:
http://www.microsoft.com/technet/security/advisory/904420.mspx
Microsoft Security Advisories are located at this location:
http://www.microsoft.com/technet/security/advisory/default.mspx

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

Hey did you see this on Brian's blog?

What do you get for the price of CPE but is more than CPE? 

An offer from K2 for software and CPE!

Forward this link to your CPAs that are your clients (and remind them to sign up for the MPAN program and get the action pack while you are at it)

....and if they just happen to install SBS.... well.....

A blog should not have email

The RSA Security Conference is coming up and if you remember last year's conference Bill Gates made two announcements.... one was that IE 7 was going to be released for Windows XP and the second was that Antispyware was to be free to individuals.  It will be interesting to see what keynotes there are this year.  Last year the major ones were webcast.  So I'm out on the site and they have a new "Security Exchange" that includes Blogs....well..let's just say it has "one" blog.  And here's the kicker that made me laugh.  When you go to the page where the blog content is, there isn't ...that I can see anyway... a RSS subscribe icon.  Instead there's a place to click to..... "Subscribe to receive emailed updates of new blog entries from Ira Winkler"

Uh... gang... there's this thing called RSS? You know it's where you have a RSS reader like Newsgator or RSS bandit and all your RSS feeds come to you...and they aren't jumbled in all with all that junk mail I already get?

It's bad enough that the Orange XML tag is "RSS" on some pages and "XML" on another...but can we have another standard?  A blog standard?  That it comes with a XML feed that can be sucked in?

Not emailed, thank you very much.

https://www.rsaconference.com/exchange/blog_view.aspx?id=3

The ugly truth about small businesses and POP

There's a group of small businesses that are small and paranoid.  Or paranoid and small.  But the point is they like two things.  Not having a server and they love POP accounts.  It's funny because the official stance of the SBS var/vap community is that POP is a four letter word.  POP mail is worse than a four letter word...it's like the worst swear word you can think of ever.....yet show me many a small business and the Var/vap will say that they cannot get the small business off of POP accounts. 

Either it's because they are not cautioning them on the security issues of a Port 110/POP connection that passes the username/password in clear text, or the thought they are dependent on the server (get a backup MX record) or it's not letting them know about Outlook over HTTP but the ugly truth is that there is still a lot of POP in SBSland.  For all its lack of robustness, for all its "it's a transition product to full SMTP", the ugly truth is that there's still a huge group of folks still transitioning and have been since SBS 4.0.
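An added example, not from the original post: a Python check that reads a POP3 port-110 transcript and reports whether the password crossed the wire readable. It goes beyond the USER/PASS case mentioned above to cover APOP, SASL PLAIN and a refused STLS upgrade; the function names and the sample sessions are constructed for illustration.

```python
import base64
import binascii

# Constructed sample sessions ("C:" = client, "S:" = server); not real captures.
LEGACY_SESSION = [
    "S: +OK POP3 server ready",
    "C: USER alice", "S: +OK",
    "C: PASS example-only-1", "S: +OK mailbox locked and ready",
    "C: QUIT",
]
REFUSED_STLS_SESSION = [          # client asks for TLS, server refuses, client falls back
    "S: +OK POP3 server ready",
    "C: STLS", "S: -ERR command not supported",
    "C: USER bob", "S: +OK",
    "C: PASS example-only-2",
]
UPGRADED_SESSION = [              # lines after the accepted STLS come from a client-side log
    "S: +OK POP3 server ready",
    "C: STLS", "S: +OK begin TLS negotiation",
    "C: USER carol", "C: PASS example-only-3",
]
APOP_SESSION = [                  # digest is a constructed placeholder
    "S: +OK POP3 server ready <1896.697170952@mail.example>",
    "C: APOP dave 0123456789abcdef0123456789abcdef",
]
SASL_PLAIN_SESSION = [
    "C: AUTH PLAIN", "S: + ",
    "C: " + base64.b64encode(b"\x00erin\x00example-only-4").decode(),
]


def _finding(mechanism, user, password_on_wire):
    # The password itself is never copied into a finding.
    return {"mechanism": mechanism, "user": user, "password_on_wire": password_on_wire}


def _sasl_plain_user(blob):
    """Return the authcid from a SASL PLAIN blob (authzid NUL authcid NUL passwd)."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except (binascii.Error, ValueError):
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None


def audit_pop3_session(transcript):
    """Classify every authentication step seen in a POP3 transcript."""
    findings = []
    encrypted = stls_pending = plain_pending = False
    user = None
    for raw in transcript:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            if stls_pending:      # STLS only protects the session if the server accepts it
                encrypted, stls_pending = text.startswith("+OK"), False
                if encrypted:
                    findings.append(_finding("STLS", None, False))
            continue
        if encrypted:             # everything after an accepted STLS is inside TLS
            continue
        if plain_pending:         # client answer to the "+ " continuation prompt
            plain_pending = False
            if text != "*":       # "*" cancels the SASL exchange
                findings.append(_finding("AUTH PLAIN", _sasl_plain_user(text), True))
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            stls_pending = True
        elif verb == "USER":
            user = arg
        elif verb == "PASS":      # password sent as typed
            findings.append(_finding("USER/PASS", user, True))
        elif verb == "APOP":      # only an MD5 digest is sent; the user name is still visible
            findings.append(_finding("APOP", arg.split(" ")[0], False))
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN":   # base64 is an encoding, not encryption
                if initial:
                    findings.append(_finding("AUTH PLAIN", _sasl_plain_user(initial), True))
                else:
                    plain_pending = True
    return findings


def exposes_password(transcript):
    """True if any step in the session put a recoverable password on the wire."""
    return any(f["password_on_wire"] for f in audit_pop3_session(transcript))
```
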

Then ...about being on a server.  There isn't a week that goes by that someone doesn't post in about a 'high availability' server idea for SBS.  But here's the thing... if you buy decent server hardware...this isn't an issue.  Vlad on the mssmallbiz listserve talks about how he sees some folks use a hosted SBS (as his firm www.ownwebnow.com does this)...start realizing the power of it and then switch to a real server as they realize they want to have more control.

There are firms that either get technology...or don't get it and need to be pushed a bit more.....

Poor man's DFS

Need a way to share files?  I know that SeanDaniel.com blogged about this before..it's a way to share folders between computers...and if this is the service/product I'm thinking of, someone is using this between a SBS box and a remote server.

www.foldershare.com is the company but like Sean says.... choose a good password will ya?

Apparently paper competes?

I was in Office Depot and it's like every paper stock sold there is now whiter or brighter...but whiter doesn't mean brighter... so make sure you have your terms right.  Apparently there are guidelines...or competitive grades of paper... and North American papers are different than European.  I mean I always knew that the American 8.5 x 11 wasn't quite the European A4 grade.

I guess, though technically the A4 size is the true international size and we're the ones who need to change our paper in the United States.  But then again, I distinctly remember learning the metric system in school and they said we'd be driving kilometers by now....

...last I checked... we're still measuring stuff in miles....

Changing things is hard.  Just ask my office where we have to make sure that all our "old" white paper is saved and used for non important projects so we don't mess it up with the "new" white paper.

Who knew white doesn't match white any more?

Alabama... have you got something special coming your way or what?

Forget the Crimson Tide.  Forget the Football.  Forget...forget all manner of sports events.  They all pale in comparison to the event that is going to be in Alabama on the 31st.

The Alabama SMB User Group (ASMBUG) will hold its first meeting of 2006 on January 31st in Birmingham.

Our guest speaker will be Jeff Middleton, SBS-MVP and CEO of SBSmigration.com.

Jeff’s visit to Birmingham marks the first of a series of in-person events that Jeff will undertake in 2006 to outline new services and offerings from SBSmigration.com relating to his Swing Migration method.

So even if you have seen or heard Jeff present before, you can expect plenty of brand-new content and information.

ASMBUG extends a special invitation to members from other user groups.

Light refreshments will be provided.

There is no cost to attend, but registration via the following “Click-To-Attend” link is required.

Registration site: http://www.clicktoattend.com/?id=106068 
Event Code: 106068

 

 

For more information about the event or ASMBUG, contact Chris Rue

To sign up for ASMBUG, please visit ASMBUG’s Yahoo group mailing list

I think it's going to be like the Maytag repair guy...pretty lonely...but..

Today on the WSUS console is a new category...and yeah... given the current need for patching this product (no patches for the 2004) and only one or two that I can think of off the top of my head for the 2000 platform...this is going to be a bit like the Maytag repair guy... a category that is pretty lonely.....

But nonetheless this is EXTREMELY cool that finally WSUS will patch ISA 2004.

Checked out Small Business + yet?

So I'm out on www.microsoft.com/smallbusiness and I signed up for the Small Business + that the Microsoft Monitor talks about....and well... I wanted to see if there's a real human being on the other side...

Welcome to the Microsoft Small Business Helpdesk Chat

Please start your conversation.

 

{Ice} Welcome Susan to the Small Business Online Concierge. How may I assist you? 

{Susan Bradley} Just checking if this is a human being or a computer system answering questions? 

{Ice} Human :-) 

{Ice} Susan, have a nice weekend. 

{Susan Bradley} I'm a SBS MVP [www.msmvps.com/bradley] and was checking out the support offered for small businesses 

{Ice} How may I help you at this moment?

There really is a human there... now the Microsoft Monitor says that "very small businesses don't rely on resellers anyway" but I disagree...

Marci wrote into the public newsgroup a post about how she has a 10 person firm and the IT person that she uses was talking her out of SBS and into separate boxes for each part and not, at least not in my estimation and that of a bunch of rest of newsgroup posters, good recommendations about the options she has for fixing a server. 

Instead of bringing her a small business resolution to a problem, he's bringing a big business viewpoint.  I think we as small businesses do want to rely on someone, but there are times that it's downright shameful the lack of knowledge that some consultants bring to the small business marketplace.  As a person who themselves was once told by a VAR/VAP that they did not recommend SBS for me, that I would outgrow it, it's your job as a consultant to do your homework and recommend a good solution to a client.  It's not your job to constantly be blindly following the mantra of "oh best practices", when the small firm is better off even with the lack of so called best practices in the SBS platform.

Between the Small Business + and the Small Business Specialist.. I hope Marci has more options than she currently has.

Looking for some small business marketing blogs?

Small business marketing toolbox:
http://h20325.www2.hp.com/blogs/jantsch

Duct Tape Marketing Blog - Voted Best Small Business Marketing Blog:
http://www.ducttapemarketing.com/weblog.php

Duct Tape Marketing Blog Channel - powered by FeedBurner:
http://feeds.feedburner.com/DuctTapeMarketingBlogChannel

Dan Janal's PR Leads - A member of the Duct Tape Marketing Blog Channel:
http://pr.ducttapemarketing.com/

Don the Idea Guy - The Idea Department - A member of the Duct Tape Marketing Blog Channel:
http://innovation.ducttapemarketing.com/

Georgia Patrick - Customers Count - A member of the Duct Tape Marketing Blog Channel:
http://service.ducttapemarketing.com/

Jill Konrath - Selling To Big Companies - A member of the Duct Tape Marketing Blog Channel:
http://sales.ducttapemarketing.com/

Mark Beck - Internet Marketing Unleashed - A member of the Duct Tape Marketing Blog Channel:
http://internet.ducttapemarketing.com/

Troy White - Word Wealth - A member of the Duct Tape Marketing Blog Channel:
http://advertising.ducttapemarketing.com/

Zane Safrit - Business Life - A member of the Duct Tape Marketing Blog Channel:
http://life.ducttapemarketing.com/

Trend and the dog file

 

Problem:   After deploying new OfficeScan clients, the user sees small executable files on the WINNT\Temp or Windows\Temp folder of the client machine. The size of the files is 169 KB and has random names. Also, the files have a small dog icon.
 
Solution:   The file is the OfficeScan Watchdog service on the anti-hacking mode. The Watchdog service keeps an eye on the OfficeScan client services. The Watchdog service also restarts the OfficeScan services when they are unexpectedly terminated due to hacker or virus attack. The anti-hack mode allows the Watchdog service to have random names to prevent viruses or other malicious threats from identifying the service and terminating it.

Trend and Compression issues

So in this corner is Trend...recommending that you uncheck "use compression" on the IIS web sites because otherwise the install will not go well.....

...but in this corner is Microsoft with their WSUS install info that "does" check "use compression"

1. Some clients have been impacted by a known issue with Windows Server 2003 http.sys and IIS. In some cases, this transient issue will appear to prevent clients from checking in, because they receive invalid responses from the server after some attempts. It was previously believed to be an issue with IIS compression and there was a workaround suggested to disable compression, and then rename the %windir%\system32\inetsrv\suscomp.dll file and restart the IIS, and the Update Services service. Further Investigation shows the problem source to be a known condition with IIS and http.sys, which is not related to compression, and for which there is an available hotfix. It is not recommended to disable compression as this will not impact the problem source, and possibly increase network traffic & server load, while reducing the number of clients you can effectively serve. Further information about the issue and obtaining the hotfix can be found: http://support.microsoft.com/?id=898708 . This hotfix does require Service Pack 1 be installed to the Windows Server 2003

Yeah, one could argue that as SBSboxes we don't have THAT many clients to worry about...but it's still interesting to see the Vendors recommend two different things...

Trend.... v2 or v3?

Les Connor has always been our "Les is More" guy... and when he posts...this is not done lightly...

 

Folks, I've been using Trend's products on SBS since 4.5 - it's been a pretty good trip.

 

CSM v2 was(is) the icing - very very reliable antivirus and anti-spam capabilities - as close to zero maintenance as you can get or would want. There were a couple of things that could have been better integrated - but on the whole a really solid solution for SMB.

 

I don't take this recommendation lightly - I've worked hard to try and make V3 work - but I just can't afford to use it any longer.

 

CSM v3 hasn't proven to be an improvement. The integrated console is nice - but the product (mostly the console) is unreliable, and the anti-spam feature is a step backwards in performance and features.

 

I'd recommend staying with V2, and would still recommend V2 for new installs - and will be installing V2 on new SBS networks - as IMHO it's still the best thing going.

 

I *do* have *some* faith that progress is being/will be made, and there will be an updated version of CSM for SMB that will be as good (probably better) than V2. I'll be among the first to acknowledge it when it arrives.

 

--

Les Connor [SBS Community Member - SBS MVP]

-----------------------------------------------------------

SBS Rocks !

 

In case you don't want to install V3, V2 still is available and the keys still work... 

http://www.trendmicro.com/download/product.asp?productid=39

Terry posts in.....

 

If you're having trouble connecting your workstation to your SBS server, and you've recently installed Trend Micro CSM 3.0, and you may also have recently upgraded to SBS SP1  ------ check to see if you have the following within the affected workstation's event viewer/application log :

 

event ID 1006 - windows cannot bind to local domain, group policy processing aborted

event ID 1030 - windows cannot query for the list of group policy objects ....

 

If so, it's likely you have the "Trend Micro Client/Server Security Agent Personal Firewall" service started on your SBS server.  Even though the default for Trend's Firewall utility is to have it disabled within the application, the service itself has been installed, started and set for automatic start up.  Stop this specific service on your server, change its startup status to disabled, and the workstation error messages should disappear.

 

Additional ---- from what I've read elsewhere, this condition sometimes manifests itself on only a few workstations in your SBS environment....sometimes it's only one workstation that seems to be affected (haven't figured that one yet).  However, if you do have this configuration (using Trend Micro CSM 3.0), you might want to check the event viewer/application logs on your workstations for error codes 1006 & 1030.  A couple of the more notable symptoms are the increased time it takes a workstation to boot up (the "applying personal settings" splash screen runs longer than normal), and connecting to Exchange server via Outlook client is problematic.

 

Trend's KB link is here....

 

Missed any webcasts and there's no Football this weekend?

Susan Bradley has invited you to view a Microsoft Office Live Meeting recording.

Recording Details

    Subject:              KYSBSUG - Jan 2006 - CRM
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         KYSBSUG0106

    Subject:              ISA on SBS for Larry's Taco Talks
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         F8S6KB
    Attendee Key:         n"bD7P2

    Subject:              Patching your network - how to get started
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         B3H4JQ

    Subject:              KYSBSUG - Dec 05 - SBS R2
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         KYSBSUG-1205
    Attendee Key:         N"}P_8b

    Subject:              Macs on SBS [Second chance webcast]
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         2Q2DHH

    Subject:              ISA 2004 for the San Antonio SBS group
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         Q78FXW

    Subject:              KYSBSUG - Nov 2005 - WSUS
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         KYSBSUG
    Attendee Key:         SqPq4`P

Dear Mr. Cook and Mr. Bennett:

January 27, 2006

Scott Cook Chairman, Executive Committee

Steve Bennett, President and CEO

Intuit, makers of Quickbooks

Dear Sirs:

Just thought I’d type up this official blog post to let you and other firms like yours know that there’s some resources you’d probably need to pay attention to in the coming months.  You see there’s a new Operating system in beta testing right now, …it’s called Vista.  And in this new operating system it handles user rights a little differently than has been in the past.  Certainly a lot differently than Windows 98 anyway and even a bit different than Windows 2000 and XP logo program specifications that used to be the benchmarks in the past for a good way to code software.   

Vista will be going beyond those guidelines to something new… something called UAC. User Account Control.  There are already some resources that you might want to download and let the folks that work on developing your software know about. 

 

The first is an MSDN article called “Developer Best Practices and Guidelines for Applications in a Least Privileged Environment“ and it can be found at this link.  The second resource that you should have your folks subscribe to in their RSS reader is the UAC blog.  The User Account Control Blog is from the team that used to be called LUA, then UAP, and is now called UAC.  Yes, I know it’s sometimes hard to follow what the name of some of these Microsoft programs are as they keep changing (let’s not even bring up the WUS to WSUS naming shall we?) …but as long as you just remember that LUA/UAP/UAC is just another name for not requiring administrator rights to merely run a software program, and just subscribe to that blog, that should keep your developers well informed of what lies ahead.

 

In case your folks are not involved in a MSDN beta test of Vista, feel free to holler as I have one or two Vista beta invites available that I can send to your employees. 

 

Speaking of Vista, fellow Security MVP Dana Epp blogged about some of the changes that Vista is making in an earlier blog post of his and it reminds me that while I’m on the beta, I keep forgetting to load up Quickbooks 2006 and see how it does on the current test build of Vista.

 

In the meantime, thanks again for Brad Smith’s statement that this will be fixed in the 2007 version and I’ll get cracking on updating the webpage on www.threatcode.com to document the 2006 instructions on getting Quickbooks to run without admin rights that “Tbone” posted to the Quickbooks community forum.

 

Thanks again for keeping us informed about the issues with the 2006 version and how we should install the R3 version directly.

 

Susan Bradley

JeffM says......

To update our blog readers...Jeff is back home in New Orleans (NOLA) where things are getting better...but as he put it..."not quite where some of us would like yet..."

Messages you type here are delivered to a mobile phone or pager. The recipient may be charged for each message by his or her wireless service provider.

 

JeffM says:

t9 from restaurant. nola rocks. we will be here. it is still 1 great city.

Susan [SBS-MVP] says:

I cannot do IM from a phone....

Susan [SBS-MVP] says:

the t9 stuff I just cannot handle it

JeffM says:

me 2

JeffM says:

life is too short

Susan [SBS-MVP] says:

oh I could ask a really nasty technical question and make you t9 answer it this could be great fun

JeffM says:

but i have swing customers that do not wait. i suffer for then.

Susan [SBS-MVP] says:

[:)]

JeffM says:

yes. u get short answers.

Susan [SBS-MVP] says:

let's see...food... wireless... connectivity..... communication... what more can you want?

JeffM says:

I'm on my mobile. this will be brief.

JeffM says:

keyboard!

Susan [SBS-MVP] says:

That's true

Susan [SBS-MVP] says:

I'm waiting for the chip implant for brain waves transfer personally

JeffM says:

very much thank of for advice, am expert but that not work.

Susan [SBS-MVP] says:

Okay are you sure this is 99 page white paper Jeff or is this some of our new International non English Speaking MVP that we've yet to track down that I'm IMing with?  This can't be you

JeffM says:

trust me. t9 harder on you than me.

JeffM says:

u wait

Susan [SBS-MVP] says:

Hey.. that's why I carry the Tablet PC, and the verizon card with me.... I tried it once... I have new respect for the coherent emails I get from folks that have the tag line "typed on a Windows mobile"

JeffM says:

i still busy typing. u annoyed.

Susan [SBS-MVP] says:

am I annoyed? No I think this is funny

JeffM says:

i have text saved.

Susan [SBS-MVP] says:

I may copy this to the blog as an historical moment.....as this ranks up there with the times that Jeff posts "yes"

Susan [SBS-MVP] says:

and we all fall over in a faint at your short content

JeffM says:

stupid phone has different buffer 4 im vs email.

Susan [SBS-MVP] says:

so it has to relearn? ooh yuck

JeffM says:

my message not stored for im.

JeffM says:

type ntds and save- t9. grrr!

JeffM says:

type t9

Susan [SBS-MVP] says:

well it's about as fun as the times that IM converts ( ) into funky stuff

JeffM says:

u see t9 guess wrong just there.

JeffM says:

i am now going home to 101 keys. home to real world. bye!

There's a Small Business Summit that's a snap to attend

So the tag line talks about a webcast with Entrepreneur extraordinaire Maxine Clark, the CEO of the “Build-A-Bear Workshop™,” a teddy bear-themed experience retail store combining the appeal of plush animals with an interactive assembly line where children create their own huggable companions. After 25 years in the retail industry Maxine decided to pursue her passion. Her goal: Put the heart back into retailing and make owning a business fun.

Except there's one problem with that.... you see there's one adult that I know of personally that during the holidays when we were down in Disneyland created her own huggable companion.  A pink Poodle with a Mickey Mouse shirt.  Yes, that's right, the same sister with the customized Disney desktop, created a poodle dog Mickey Mouse wearing companion.

Yes, the insanity probably runs in the family.  So what in the world does that have to do with SBS?  Everything.  Because Maxine is just one of the speakers at the Small Business Summit.  A conference JUST for small business owners.  So, I'm sure you are thinking as I was... oh...yeah... how in the world are you going to get small business owners to a conference?  The travel costs?  The expense of a hotel.  Are they crazy? 

But...hang on...what if I told you that you and your clients could attend this conference at home, in the comfort of your bunny slippers or other suitable attire?  Because Maxine and yours truly will be part of an online conference.

The Microsoft Small Business Summit will be March 14th through the 17th.  My talk is on Friday and it's on how having a server, having technology helps me and my firm to be more productive and responsive.  We literally could not do the work we do today without having a server.  Without the ability to share information, and collaborate, we just couldn't do what we do.  I think back to where we've come in technology, from one computer that we all would share, to now where our phones have the ability to get firm updated calendar information, it's amazing how far we've come in a short time.

Okay so how is this a "worm"?

When reports of this "worm" (and the word should be used loosely) came out it was impacting over 700,000 computers because there was a counter on the site... well now it comes out that there was a script running to up the count...so it's not 700,000...but more like 300,000.

Incidents.org has some write up on it...and in a listserve someone made a valid point.... this takes a "click" to infect....so...why is it being called a worm?

In the “Weekly Assessment” sent out last Friday, we provided our members with information regarding the W32.Blackmal.E@mm (Symantec) worm. This worm is expected to delete certain files from infected systems on the third of each month - starting on February 3rd. As there has been some confusion surrounding the various naming conventions for this worm, we would like to note that the Common Malware Enumeration (CME) group has assigned it the following ID: CME-2412. Some of the naming conventions associated with CME-24 are Win32/Blackmal.F (Computer Associates), Nyxem.E (F-Secure), Email-Worm.Win32.Nyxem.e (Kaspersky), W32/MyWife.d@MM (McAfee), and WORM_GREW.A (TrendMicro). The majority of the antivirus vendors are rating this worm a “Low”. We continue to recommend that our members review the publications supporting their AV solution, ensuring that the current protection updates against this threat are applied.

More info on the malware blog...

Now's your chance to say what you think

Microsoft Small Business Community Blog : Small Business Partners, tell us what you think - What do you want from Microsoft? What have you liked or hated so far? And more.:
http://blogs.msdn.com/mssmallbiz/archive/2006/01/26/518006.aspx

There's this guy that I've had the pleasure of meeting... straight shooter.... great on licensing..... and will take feedback and turn that feedback into an action plan.

And look...he's doing it again.  He's asking to hear from you...the Microsoft partners.... about what you like, what you don't like.

So?  Now's your chance to speak up.

 

Network install instructions for QB 2006

When using QuickBooks 2006 or QuickBooks Enterprise Solutions 6.0 in a multi-user environment, *the one best thing to know* is that the new QuickBooks database requires new installation procedures with all machines running on Release 3 or above.

To help you support your clients with QuickBooks 2006 in a multi-user environment, Intuit offers:

   * White Paper on QuickBooks 2006 in Networked Environments: PDF file (313KB)
   * Master Tip: Installing QuickBooks 2006 in a Networked Environment
   * KBID on Troubleshooting Error (-6177,-0)
   * Special for Users of Enterprise Solutions 6.0: See article below.

*Caution.* Please do not attempt to *Upgrade* QuickBooks, *Rebuild* a data file, or *Clean Up Company File** across a network. If you have clients in a networked environment, please work with them to make sure they avoid such actions.

The caution holds true *whenever* the file is being accessed from a remote drive. QuickBooks never supported major file operations across a network in earlier versions and does not support them in QuickBooks 2006.


Our technical support center has recently seen a spike in calls generated by this problem. For background on the issue, and instructions on how to proceed, please read KBID 118556, "Rebuild, Update, or Condense Takes an Exceptionally Long Time or Does Not Complete."

*Warnings to Be Added in Future Release of QuickBooks.* Intuit will be adding a warning message in a future release to help avoid the problem. Then, when the software senses that a major file operation is being attempted across a network, the user will be warned first. (The warning was in earlier versions of QuickBooks and was omitted from QuickBooks 2006 in error.)

** Condense vs. Clean Up Company File.* What was called "Condense" in QuickBooks 2005 and earlier is now "Clean Up Company File" in QuickBooks 2006. In 2006, QuickBooks is using a new database structure for improved operations; however, the overall size of the file does not reduce significantly during cleanup. While old data is removed, the overall structure retains much of the same footprint, and therefore the action was renamed.

Release 3 (R3) addresses several rare issues that could be troublesome should they occur. We recommend you confirm that your clients have upgraded their systems to R3.

Specific R3 modifications include:

   * The "*Connection Has Been Lost [99937]*" error message related to
     network installation has been updated. The occurrence of such
     "Connection Lost" messages should be greatly reduced.
   * *Error 1911 *(when desktop icons no longer work after an
     unsuccessful attempt to install) *has been eliminated in the
     current release*. This situation is triggered when an installation
     of QuickBooks 2006 is attempted on top of a pre-existing
     corruption in the user's Windows system registry. While the
     problem is not unique to QuickBooks, a fix in R3 removes the
     potential that the error would arise in future installations.
     *Note:* If you or a client should experience this issue with a
     previous release, Intuit will help you resolve the issue.
   * C=224 errors should no longer appear when making a backup.
   * Icons listed in the Navigation portion of the Icon bar *can be
     removed or edited*.

For a complete list of the changes to QuickBooks included in the R3 update, see the release notes.

*Note:* Release 4 (R4) is not meant for general use. R4 includes all issues addressed in R3 but makes an additional adjustment to work with one third-party application (ReportWiz). The vendor is separately alerting its customers on how to obtain R4. Other QuickBooks users on R3 don't need R4.

*Changes to Install Process: Read before You Install. *Because of the new database across QuickBooks 2006 and Enterprise Solutions 6.0, the install process in a multi-user environment will differ from previous installations. These issues are especially important when dealing with QuickBooks Enterprise Solutions 6.0.

Bottom line... need to mess with that data file?  Drag it to a local drive for maintenance...fun huh?

How do you get the Industry journalists to care?

Earlier today I was called by a journalist for my industry to ask some follow up questions about some statements I had made to an author... and it showcased to me just how far we need to go to get people to care about Computer Security.

---------------------------

Thanks for the follow up call regarding the article that was written for _my industry journal_.  I am concerned a bit that you stated that your reviewer of the article did not understand that running with administrator rights on our systems is a key factor of why we get malware and spyware on our machines.  By all means forward this email and my email address to him or her and I'd love to discuss this in greater detail.

In my own office I had a Secretary that was getting malware and spyware on her system and the antivirus and spyware tools would not stop them.  Remember that such software is always 'reactionary' and not proactive in defense.  Since I took the time to adjust her system to run without administrative rights, she can no longer surf to sites and download icons and emoticons that I have not authorized, she can no longer merely 'surf' to web sites that may infect her system.

Two actions can get malware on a system typically in my office.

1.  Clicking and downloading from web sites that are designed to 'trick' the user into installing spyware.
2.  Surfing to a site that injects the spyware into the system because it piggy backs on unpatched web browsers, Sun Java or other 'infection' means.

Now given that I keep my web browsers fully patched, the second risk is lessened, but unless we stop the end users from downloading and installing software that they are truly not authorized to install, we will always be one step behind the bad guys.

Moving to another web browser is not the answer in the fight against malware and spyware.

Let me point you to a couple of articles on this topic:

http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp

http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx

"Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well."

Spyware and Malware was voted number 10 of the Top Tech issues by the CITP and ISACA members in an AICPA poll recently.  Spyware and Malware is big business that includes Russian mobs and other criminal elements.  By not doing all we can to protect our weak links in our firms…the desktops… we are playing right into their hands.  Firewalls do not stop this activity.  Antivirus and Antispyware are always one step behind.  As long as we do not control our desktops and instead rely on the ability for our end users not to be 'tricked' and 'scammed' we cannot adequately protect our systems.  The average user doesn't want or need to be a geek, but we in business need to protect their systems accordingly.

http://www.crt.net.au/etopics/migmaf.htm

Vendors like Quickbooks that consistently require "Administrator" rights also impact our security decisions.  I built a web site to highlight these vendors www.threatcode.com They don't have to care about coding securely because we… the buying marketplace does not care.  We do not care because we do not know why running with administrator rights is dangerous.  It's a vicious cycle.  Because the marketplace doesn't care, the vendor won't change.

To give credit to Intuit, the maker of Quickbooks, they have stated that they will change the way the 2007 version of the software is built to be more secure.  But this was only after the SANS.org organization made them their first "Hall of Shame" vendor for coding in this manner:

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=59

Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege

This new section allows the user community to share intelligence on applications that require users to lower their barriers to cyber attacks. Now that the US Air Force has established a minimum standard of due care, soon to be adopted by other government agencies, there is a standard against which to measure the application designers' security decisions.

The first inductee into the Application Security Hall of Shame is QuickBooks.

The latest release of Intuit's QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system "Administrative privileges" to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization's ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.

In response to Newsbites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.

--------------

Bottom line... as long as we don't know...don't understand.... we won't care.  We won't ask for vendors to make the software help us be more secure.  We and vendors both have to understand that least privilege is an absolute minimum in this day and age of security issues.

Do you use Disk quotas?

I'll be flat out honest, that I disable Disk quotas on every SBS box under my control.  I watch the daily email and ensure that things never get out of hand [they don't] but with the price of harddrives these days... no matter if you have SATA to SCSI, we typically have enough harddrive space that in the typical SBS network.. limiting drive space ... I would argue for your typical firms..... isn't needed.  Yes, you might have clients that this is a concern, but I think our old Exchange 2003 store limits of 16 gig was the bigger issue in our networks.

Just remember Exchange 2003 "is" supported on SBS 2003 and can easily be applied to 'up' our limits to 75 gigs.  Read the articles on Vladville for more info.

Some old fashioned guidelines about Fax

It's funny...faxing is such old fashioned technology ...but some firms just can't live without it.  For my firm, we don't use centralized fax, but for others, the fax solution that SBS provides is exactly perfect.  But the one thing I've noticed about faxing... is that "it's the hardware, stupid" and while this white paper can tell you the "White paper way", Danne "the LAN Man" on the SMBTN listserve has the "Been There, Done That" way:

He said....

  • Premium-grade EXTERNAL Modems are the RIGHT solution for SBS fax and dialup data applications, because they can be power-cycled when necessary – and it does become necessary for any modem to be cycled.  You don’t want to have to boot the entire server to accomplish that.  Plus, having meaningful modem status lights is VERY reassuring to you or anyone you ask to look at them for you over the phone and tell you what they see…
  • Multitech is a top name modem and communications gear manufacturer with US-based support services.
  • Multitech’s MT5600ZDX is a sure fire winner and costs about $100 wholesale.  Add more for the data cable, as it isn’t included.  SBS has drivers built-in for this modem; no disk needed!
  • For NOW, avoid the newer, cheaper MT5656ZDX-V at the lower cost of about $80 wholesale.  Needs a special driver and It has caused me nothing but fits on one SBS installation.  Maybe I’ll get that sorted out when time permits, but as soon as I replaced it with the recommended model, 99% of faxing issues disappeared.  And maybe I won’t even bother.
  • In SBS FAX Wizard, set your MT5600ZDX to auto-answer on 1 ring and ALWAYS daisy-chain your dedicated FAX telco line TO, then THROUGH the fax modem, terminating it at a physical fax machine (set for 4+ rings), for those times when the server is in some kind of maintenance mode, rebooting or ???down???.  Any time the client tells you they are dying because they can’t get any faxes, just have them slide the modem’s little black power switch OFF and the old fashioned fax machine will take over until the problem can be resolved.  (Faxes remain important for my Mortgage Banking, Construction, Produce Distribution and Naval Manufacturing clients… they still live by faxes, but fewer and fewer need them printed on paper. SharePoint’s Incoming Fax viewer is S W E E T !)

Just a final comment from me...If you want to just play a bit and see how faxing works and have never done it before on a SBS box, grab a US Robotic External V Everything off of Ebay and set it up.  Brooktrouts are probably the premo...but the price tag for that 'premo' comes with that. The key is having an external modem that you can cycle on and off without rebooting the server.  But it seems like when you do get decent hardware, you end up not cycling that much anyway. 

Converting a 2000 KB to a 2004 KB

"Connection Error: 10057" error message when you try to connect to the Lacerte Web site or to download updates of the Lacerte Tax program in SBS 2000 or in SBS 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;839503

So that KB is written for ISA 2000...and we need to 2004ish it....

So in 2000 we build protocol wizards... so how do we poke these holes in 2004?  Let's see if we can figure this out...the KB says for 2000 we need to enter 'protocol definitions' and poke inbound ports in 10010, 10020, 10030, 10040, 10050, 10051, 10052, 10060, 10070 and 10099. [I know...yuck and stupid but that's Lacerte for you who is owned by Intuit].

So....we go first to the 2004 interface and expand the tree under the domain name, and then look for "Firewall Policy".  On the right hand side we have a section that has tabs for "Toolbox", "Tasks", and "Help".  Let's click on Tasks.  See that "Firewall Policy Task" there?  See "Create New Access Rule"? 

Okay let's start the wizard there....let's call it a new access name..Lacerte....and click next, now click "Allow" and then "next", then change this rule to "Selected Protocols", and click "Add", then click "New", then "Protocol", now define the Protocol, I'd call it something like "Lacerte TCP" just to be descriptive, click "next", now click new and build a list of those inbound connections as shown above.  Click "next", and say "no" to secondary connections, then click "next", run the 'protocol' wizard.  Now back in the add protocol section, find that Lacerte protocol you just built, add it, click close, and now you should see in the "selected protocols" screen the "Lacerte Protocol".  Click "Next", and from the 'applies to traffic from these sources' screen, you can either say from external [probably not too wise] or build a new set of IP address ranges that include the 198.31.208.130 to 198.31.208.145 and then add an additional one for 208.240.240.200.  Click "next", then for the next screen where you are specifying the destination, I think "Internal" is what you want but I'll probably run this by Chad and Amy to see if there's a 'tighter' way to do this.  Click "next", and the request should be only for SBS users on your network so click "next" for "SBS Internet Users", and remove the "all users" that is the default.

Click next... and that should be it..... I think...and don't forget to hit "Apply" at the top to ensure that the rule has been applied.
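The scoped rule described above, modelled in Python as an added example (not from the original post, and not ISA Server's own configuration format): it takes the ports and source ranges the post lists and shows which source/port pairs the rule admits, and how much wider a single covering subnet would be. The function names and the sample connections are constructed for illustration.

```python
import ipaddress

# Ports and source ranges exactly as listed in the post.
LACERTE_PORTS = frozenset(
    {10010, 10020, 10030, 10040, 10050, 10051, 10052, 10060, 10070, 10099}
)
LACERTE_SOURCES = [
    ("198.31.208.130", "198.31.208.145"),
    ("208.240.240.200", "208.240.240.200"),
]


def to_networks(ranges):
    """Turn inclusive first-last ranges into the minimal list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(
            ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)
            )
        )
    return nets


def covering_supernet(first, last):
    """Smallest single subnet containing the whole range (the tempting shortcut)."""
    net = ipaddress.ip_network(first + "/32")
    last_addr = ipaddress.ip_address(last)
    while last_addr not in net:
        net = net.supernet()
    return net


def rule_allows(src_ip, dst_port, networks, ports=LACERTE_PORTS):
    """True only when both the source address and the port match the rule."""
    addr = ipaddress.ip_address(src_ip)
    return dst_port in ports and any(addr in net for net in networks)


def exposure(networks, ports=LACERTE_PORTS):
    """Number of (source address, port) pairs the rule admits."""
    return sum(net.num_addresses for net in networks) * len(ports)


# Constructed sample connections (source address, destination port); not real traffic.
SAMPLES = [
    ("198.31.208.130", 10010),   # first address of the vendor range
    ("198.31.208.145", 10099),   # last address of the vendor range
    ("198.31.208.146", 10010),   # one past the range
    ("198.31.208.129", 10050),   # inside the covering /27, outside the range
    ("208.240.240.200", 10053),  # listed host, port not in the rule
    ("203.0.113.7", 10010),      # unrelated source (documentation address)
]


def evaluate(networks, samples=SAMPLES):
    """Return the allow/deny decision for each sample connection."""
    return [rule_allows(src, port, networks) for src, port in samples]


if __name__ == "__main__":
    scoped = to_networks(LACERTE_SOURCES)
    wide = covering_supernet(*LACERTE_SOURCES[0])
    print("scoped blocks:", [str(n) for n in scoped])
    print("covering subnet:", wide)
    for (src, port), ok in zip(SAMPLES, evaluate(scoped)):
        print(f"{src}:{port} -> {'allow' if ok else 'deny'}")
    print("pairs admitted, scoped rule:", exposure(scoped))
    print("pairs admitted, any external source:", 2**32 * len(LACERTE_PORTS))
```
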

I'm glad I'm running CCH these days... it doesn't need all these icky ports and instead will just go out port 80/443 as needed.

(Please note... we found that the Lacerte rule posted by Amy works http://isainsbs.blogspot.com/2006/01/allowing-lacerte.html ...rather than the instructions here converting the ISA 2000 info)

Blame the fruitcakes in California on this one....

A followup post about the issue of Access and Excel

 

You cannot change, add, or delete data in tables that are linked to an Excel workbook in Office Access 2003 or in Access 2002:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;904953
 

Background and Summary

 

A recent decision from a court case has determined that certain portions of code found in Microsoft Office Professional Edition 2003, Microsoft Office Access 2003, Microsoft Office XP Professional and Microsoft Office Access 2002 infringe a third-party patent.  As a result, Microsoft must make available a revised version of these products with the allegedly infringing code replaced. 

 

To comply with the court order Microsoft is now requiring all future deployments of Microsoft Office Professional 2003 and Microsoft Access 2003 to include service pack 2. Microsoft is also requiring all new deployments of Microsoft Office XP Professional and Access 2002 to include a special patch.

 

Customers who have previously installed affected products are being requested to voluntarily install the patch although installation is not required. In order to ensure customers are aware of these new requirements, Microsoft has been mailing notification letters throughout the month of January.

 

We have received requests from customers to provide more information about the situation leading to this requirement. The attached frequently asked questions document goes into more detail on the circumstances related to this requirement, information on deployment and additional context to the legal situation.

 

 

Frequently Asked Questions

General Questions

 

Q: Who needs to install Microsoft Office 2003 SP2?

A: Any customer installing Microsoft Office Professional 2003 or Microsoft Office Access 2003 from the date of their notification must install Office 2003 SP2. All customers will have been notified, worldwide, by February 2006.  

 

Q: Who needs to install the patch for Microsoft Office XP Professional and Microsoft Access 2002?

A: Any customer installing Microsoft Office XP Professional or Microsoft Office Access 2002 from the date of their notification must install the special patch. All customers will have been notified, worldwide, by February 2006.  

 

Q: What if I am in the middle of an existing deployment of Microsoft Office Professional 2003? Am I affected by this requirement?

A: Yes. Customers currently deploying Microsoft Office Professional 2003 or Microsoft Office Access 2003 are required to apply service pack 2 to all computers from the date of their notification. All customers will have been notified, worldwide, by February 2006.  

 

Q: If I have a computer with Microsoft Office Professional 2003 already installed on it do I need to update that computer with Office 2003 SP2?

A: A customer is not required to install Office 2003 SP2 on any machine already deployed. However, Microsoft strongly recommends they do install SP2 as the service pack includes many product updates the customer will likely value.

 

Software Deployment and Technical Questions

 

Q: Can you explain to me exactly what product behavior needed to be changed to address the intellectual property concerns in question?

A: You can find more technical information on the patch at http://support.microsoft.com/default.aspx/kb/904953/

 

Q: The letter I received directed me to the Microsoft site http://office.microsoft.com/en-us/officeupdate/default.aspx, but this is a very general Office Update site. Is there a more direct link I can go to for downloading the appropriate patch for my software?

A: This is the Office Update site.  Clicking on “Check for Updates” link from this page will activate the process necessary to download the patch for Office XP or Office 2003 SP2.

 

To directly obtain the patch for Office 2003 please visit:

http://www.microsoft.com/downloads/details.aspx?FamilyId=57E27A97-2DB6-4654-9DB6-EC7D5B4DD867&displaylang=en

 

To directly obtain the patch for Office XP Professional and Access 2002 please visit: http://www.microsoft.com/downloads/details.aspx?FamilyId=7497D7F0-BEF5-4054-B854-B1240B5135F5&displaylang=en

 

Q: How can I find out if I have Office 2003 SP2 already installed on my PC?

A: You can find out if Office 2003 SP2 has been installed on a machine by starting any Office application, selecting the “Help” menu choice and then selecting the “About” menu choice. In the “About” dialog box, next to the product name, the letters “SP2” will be displayed.

 

Q: Must I download Office 2003 SP2 from the web?

A: Office 2003 SP2 is included in volume license media kits.  If volume license media kits are not part of your volume licensing program or you have not received a disk and prefer not to download the service pack over the Internet you may order a disk by visiting http://office.microsoft.com/en-us/FX010383631033.aspx

 

Q: Office 2003 SP2 makes more changes than simply updating the code affected by the US court case.  Is there a patch or hot fix I can use that takes care of the intellectual property concerns without making all the other changes related to this service pack?

A: Office 2003 SP2 is the only patch available to properly update Office Professional 2003 and Access 2003.

 

Q:  If a customer is only using Microsoft Access 2003 do they need to install Office 2003 SP2 or is there a separate Access only service pack?

A:  There is not a separate service pack for Microsoft Access.  Office 2003 SP2 is the correct patch to apply for suites and individual applications such as Access.

 

Q:  How will this affect Office 2003 SP1?

A:  Office 2003 SP2 is a cumulative release and includes SP1. This does not, however, affect the support policy for SP1.  Microsoft will continue to support SP1 as defined in the lifecycle support policy.  More information can be found at http://support.microsoft.com/.

 

Q: I deploy Microsoft Office using a standardized corporate installation image. Do installation images that have been previously created and tested with Microsoft Office 2003 need to be updated to include SP2?

A: Any new installation of Office Professional 2003 requires SP2 be applied. If you use a standardized installation image to facilitate corporate deployments you will need to update that image to include SP2.

 

Q: How does this affect Windows Terminal Server installations of Office 2003?

A: New installations would require Office Professional 2003 to be installed with SP2.

 

Q: If I just deployed SP1 do I have to go back and now deploy SP2?

A: No, you do not need to deploy SP2 on an existing installation. Only new installations of Office Professional and Access 2003 require deployment with Office 2003 SP2. Existing machines with no service pack or with service pack 1 do not need to be updated. However, Microsoft strongly recommends they do install SP2 as the service pack includes many product updates the customer will likely value.

 

Q: I have noticed that the date for Microsoft Office 2003 SP2 on the Microsoft download site has changed several times from its initial release. Has Microsoft changed service pack 2 and does that mean I need to download SP2 again and apply it to my machines?

A: No you do not need to download Office 2003 SP2 again or re-apply it to machines already patched with SP2. The contents of service pack 2 have not changed since its initial release.

 

Q: What are the system requirements for Office 2003 SP2?

A: Office 2003 SP2 system requirements are the same as the Office 2003 System requirements for Office client applications. In order to install SP2, you must have installed Office 2003 on a system that meets the installation requirements.

 

Legal Liability and Microsoft’s Indemnity Policy Questions

 

Q: Microsoft has told me that this action is required because of a ruling in a court case. Can you tell me which case this is and which court is involved?

A: The case which necessitated this action is Amado vs. Microsoft which was filed in federal court in California.  

 

Q: Am I considered out of compliance with my volume licensing agreement if I do not deploy Office 2003 SP2 in future installations?

A: Installation of Office 2003 SP2 is a requirement for any new deployments of Office Professional 2003, regardless of which licensing program you are enrolled in. Any future deployments of Office 2003 without Office 2003 SP2 included would be considered out of compliance with Microsoft’s licensing requirements.

 

Q: Are retail customers affected by this action?

A: Yes.  Our retail license has been changed and all retail boxes which contain the affected products will also include a disk with Office 2003 SP2.

 

Q: Is it correct that if I have deployed Office 2003 SP2 then I have nothing to worry about with respect to intellectual property infringement?

A: If Office 2003 SP2 is installed you are in compliance, you will not infringe the intellectual property that is at issue in this case.

 

Q: I thought that Microsoft’s indemnity policy meant that Microsoft stands behind their software and limits my liability against a third party suing me for intellectual property issues related to that software. Doesn’t Microsoft’s indemnity policy protect me from actions like this?

A:  Microsoft’s indemnity policy does cover your pre-existing installations with respect to intellectual property claims in this case.  Microsoft’s ability to protect customers from future infringement claims depends on our ability to change products to comply with court orders. Microsoft respects the intellectual property of others. As such, Microsoft’s licenses specify that new installations of affected products only be made with the appropriate patches applied.

Want $100 off an accounting program?

SEATTLE: Microsoft Corp unveiled a new rebate and free service offer for its small business accounting software today, aimed at luring customers away from rival Intuit Inc in the months leading up to tax season.

Jeff Raikes, president of Microsoft's business division, said the latest $US10 million ($NZ14.50 million) marketing campaign is part of a larger effort by the world's biggest software maker to gain share in software and services tailored to small businesses – a market estimated to be worth tens of billions of dollars.

"Small businesses are relatively underserved compared to large businesses when it comes to using information technology," Raikes said in an interview with Reuters.

"We see that as a very large opportunity."

The company plans to offer a $US100 rebate for Microsoft Office Small Business Accounting 2006, which lists for around $US180, and one-year of free technical support to help customers move to digital book keeping or shift from a rival product.

Rebate here

 

Quickbooks 2006 - non admin rights instructions

So you are now installing the 2006 [the R3 version of course] and you want to run without admin rights on the 2006 version?

Here's the updated instructions:

QuickBooks Community - Running QB 2006 without Power User or Admin Privs.:
http://www.quickbooksgroup.com/webx/forums/install/385

I'll try to spare you any editorializing. Suffice to say, these changes will allow regular users to run and use QuickBooks 2006. Updating will not work unless you are an administrator, but it will abort relatively gracefully with a message along the lines of "Only administrators are allowed to update QuickBooks." I'm not quite sure how I feel about this development. I can't verify this yet, but it seems that this is not a matter of file or registry permissions, or of Windows Installer policies, but rather a direct check of group membership tokens. In which case we'll probably just have to learn to live with it.

SBS KBs of interest

Error messages that you may receive when you try to download and install updates from the Windows Update Web site, from the Microsoft Update Web site, or from a WSUS server: "0x800704DD," "0x80240020," or both:
http://support.microsoft.com/?kbid=910341
Naming conventions in Active Directory for computers, domains, sites, and OUs:
http://support.microsoft.com/?kbid=909264

...don't think this one will be an issue for us....

Client computers do not report back to the Windows Software Update Services (WSUS) server:
http://support.microsoft.com/?kbid=909131

SBA 2006 Knowledge base articles

Error message when you install Small Business Accounting: "Small Business Accounting requires File and Printer Sharing to be enabled":
http://support.microsoft.com/?kbid=911761
Error message in Small Business Accounting when you save a journal entry that is downloaded from ADP: "A journal entry with the assigned reference number already exists":
http://support.microsoft.com/?kbid=912025
Error message after you click "Refresh" in the Online Banking Setup Wizard in Small Business Accounting 2006: "Failed to update the Financial Information. Invalid URI, the URI is empty":
http://support.microsoft.com/?kbid=912696
Description of Service Pack 2 for Outlook 2003 with Business Contact Manager Update and for Small Business Accounting 2006:
http://support.microsoft.com/?kbid=911051
Issues that are fixed in Microsoft Office Small Business Accounting 2006 Service Pack 2:
http://support.microsoft.com/?kbid=913635

So how can small firms share?

Greg asks about the concept of partner groups in a follow up to my post about the first Fresno meeting... and there are a couple of ground rules about the Partner group that were discussed at the meeting that I didn't blog about.

First off, let me state again, that each of us has niches.  You may think that you are a generalist, but I'll bet you are not.  I for one do a lot more in computer forensics, accounting deployments.  Another person last night was a wiz bang at Access databases.  Another at training.  So already while each person had installed SBS networks, each one had a niche from the get go. 

Then the gentlemen's agreement of no poaching and vacation help.  The 'no poaching' rule is that when a person wants to take a vacation, they just cover for that person, but will not take the client nor leave business cards behind.  There's a gentlemen's (or woman's) agreement. 

Okay Greg?  Question for ya...when's the last time you had a vacation?  Can you go on vacation and not panic that something will happen? 

Next, about your clients.  If you are going to be in here for the long haul, you won't be a 'generalist' that your client is willing to replace you with, you will be the "Outsourced Chief Technology Officer" of that firm.  You will be a trusted advisor.  The person who guides them in their technology decisions and choices.  Part of the reason that I'm so jazzed about the "Small Business Specialist" credential is that I envision it growing to a place where small firms will understand that that credential means that this person is this trusted advisor. 

As far as revenue sharing, sometimes you do get in a pinch and need an extra pair of hands so some of the groups make a business rule of whatever that person bills, the person doing the job for that other person gets 70%, the person who has the client gets 30%.

And sometimes you don't have the competition you think you do.....you know I work for an accounting firm and my sister used to work for another accounting firm a few years' back and we never competed with one another.  Because she tended to specialize in a certain type of clients... and I tended to specialize in another.  So while Greg may be right that he's a generalist in deployment... I'll betcha he's got a few 'types' of clients that are in a certain industry.  I'll bet there's something that he's got a smidge of a niche about.

So Greg?  It's the tech knowledge sharing, it's the business practices sharing, it's the war stories sharing [like I acknowledged that Attorneys are at least less technology savvy than Accountants] that you can get in these meetings.  What you don't get is direct competition.  There are more than enough firms that need servers to go around. 

So Greg... to support SBS you have to be a generalist...but I'll bet you've got a niche hiding in you somewhere....

SMBTN Fresno first meeting

The first meeting of the SMBTN Fresno Partner group met last night at the Fresno Airport Holiday Inn. 

Graciously making the long trip up from San Diego was Roger Otterson, the smaller trip up from Bakersfield was Ed Roberts, and the trip down from San Francisco was Steve Lai.  As Steve said, probably the first time the California SBS MVPs have been in the same room in the state of California [we tend to get together in Redmond for some unknown reason].

The night's meeting was organizational where we've decided on a meeting night of a Thursday [most likely the Thursday after patch Tuesday] and we all said, no to a Monday meeting and NEVER meet on the holiest of evenings, "Patch Tuesday".  Besides, meeting on a post Patch Tuesday evening means that we will have the recap from "Dead body Wednesday". 

The concept of a partner group, where there is enough business in the small business marketplace, that we all have niches and specialities, that we all gain from our shared peer group was discussed.

A survey of future topics was gathered, with the top vote getters being WSUS [hey, as the patch Queen did you expect that I wouldn't put that on the list?], Small Business Specialist, and the Managed Service Model.  (that reminds me I need to blog on some of my thoughts on Managed Service Model being a true 'Secure network' model ...but that's another blog post....)

Not quite as many people showed up as I would have liked...but it was a start, and I got several RSVP cancellations saying that business got in the way... dang... that annoying business stuff....

Next meeting is tentatively set for February 16th, 2006 starting at 6:30 p.m. and I will confirm the date and time as soon as I can.

 

So what's the ratio of Lawyers to Software Engineers these days?

An email was sent to some folks saying that they needed to ensure they were on a certain Office service pack.... and it looks like it's another case of Lawyers and Patents going overboard again....

Thanks to Mr. Amado, you can't link Access and Excel one way, you have to go back to Excel and change things.

From the PatchManagement.org listserve.... 

I believe this might stem from the Carlos Amado vs. Microsoft patent case
(http://www.siliconvalley.com/mld/siliconvalley/11829604.htm).  It's US
patent # 5,293,615 for those so inclined to read the volumes of legalese
about it on uspto.gov.

Microsoft has KB article 904953 (http://support.microsoft.com/kb/904953/)
which is titled:

"You cannot change, add, or delete data in tables that are linked to an
Excel workbook in Office Access 2003 or in Access 2002"

This is the "More Information" section of that article:

"Because of legal issues, Microsoft has disabled the functionality in Access
2003 and in Access 2002 that let users change the data in linked tables that
point to a range in an Excel workbook. However, when you make changes
directly in the Excel workbook, the changes appear in the linked table in
Access."

So what do you want?

I want an SBS best practices tool.
I want an automatic GUI domain migration.
I want an ISA log that doesn't track the first 'unauthenticated and then authenticated' log in the log file.  Pick one,  I don't need both.
I want a tool that goes into a Spyware infested XP and can lift out all the good data and clear off the bad.
I want OEM systems to stop shipping with all the crud they do.
I want to have filtered audit logs that will warn me when only the bad stuff is occurring.

I want all error logs to be written in plain readable English and not require me to go first to www.eventid.net and then to google and then dig up something else.

I want all wizards to tell me proactively when I'm about to screw something up and didn't mean to do that....

I also want world peace and an end to world hunger and everyone getting along and virtual hugs to everyone and know that there's not enough money in the world to get everything I want out of either Microsoft or SBS or the rest of that list.

At the end of the day someone says "okay we can do this, we can't afford to do this".  It's called a budget.  It's something that we in Small Business tend not to do like our Big Server counterparts.  This is budget season where my sister works and the maneuverings and stuff that goes on as they snip a bit from here... do a bit over there... and in the end no one gets everything they want.  It's a compromise.

In small business, our budget is typically the checkbook or the credit card.  The ones I've seen never sit down with a plan at the beginning of the year and forecast revenues and expenses.  They don't set an 'expense goal' as it will for departments.  There isn't this end of the year, let's spend our budget because if we don't we won't get it allocated to us next year ridiculousness that large companies have. 

I'm also going to generalize and say that many small businesses are cheap.  Dirt cheap.  And what they don't realize is that their manner of 'break/fix' computers is not only costing that firm more in the long run, it's placing them at much greater risk.  But that's the problem isn't it with small businesses.  They aren't used to the budget and plan method are they?  Rather they break it and panic and fix it.

So what do you want?  Because you can't get it all.  It's about choices and trade offs isn't it?

In case you wanted to get a command line thrill today....

 Useful RUN Commands

To Access…. - Run Command
Accessibility Controls - access.cpl
Add Hardware Wizard - hdwwiz.cpl
Add/Remove Programs - appwiz.cpl
Administrative Tools - control admintools
Automatic Updates - wuaucpl.cpl
Bluetooth Transfer Wizard - fsquirt
Calculator - calc
Certificate Manager - certmgr.msc
Character Map - charmap
Check Disk Utility - chkdsk
Clipboard Viewer - clipbrd
Command Prompt - cmd
Component Services - dcomcnfg
Computer Management - compmgmt.msc
Date and Time Properties - timedate.cpl
DDE Shares - ddeshare
Device Manager - devmgmt.msc
Direct X Control Panel (If Installed)* - directx.cpl
Direct X Troubleshooter - dxdiag
Disk Cleanup Utility - cleanmgr
Disk Defragment - dfrg.msc
Disk Management - diskmgmt.msc
Disk Partition Manager - diskpart
Display Properties - control desktop
Display Properties - desk.cpl
Display Properties (w/Appearance Tab Preselected) - control color
Dr. Watson System Troubleshooting Utility - drwtsn32
Driver Verifier Utility - verifier
Event Viewer - eventvwr.msc
File Signature Verification Tool - sigverif
Findfast - findfast.cpl
Folders Properties - control folders
Fonts - control fonts
Fonts Folder - fonts
Free Cell Card Game - freecell
Game Controllers - joy.cpl
Group Policy Editor (XP Prof) - gpedit.msc
Hearts Card Game - mshearts
Iexpress Wizard - iexpress
Indexing Service - ciadv.msc
Internet Properties - inetcpl.cpl
IP Configuration (Display Connection Configuration) - ipconfig /all
IP Configuration (Display DNS Cache Contents) - ipconfig /displaydns
IP Configuration (Delete DNS Cache Contents) - ipconfig /flushdns
IP Configuration (Release All Connections) - ipconfig /release
IP Configuration (Renew All Connections) - ipconfig /renew
IP Configuration (Refreshes DHCP & Re-Registers DNS) - ipconfig /registerdns
IP Configuration (Display DHCP Class ID) - ipconfig /showclassid
IP Configuration (Modifies DHCP Class ID) - ipconfig /setclassid
Java Control Panel (If Installed) - jpicpl32.cpl
Java Control Panel (If Installed) - javaws
Keyboard Properties - control keyboard
Local Security Settings - secpol.msc
Local Users and Groups - lusrmgr.msc
Logs You Out Of Windows - logoff
Microsoft Chat - winchat
Minesweeper Game - winmine
Mouse Properties - control mouse
Mouse Properties - main.cpl
Network Connections - control netconnections
Network Connections - ncpa.cpl
Network Setup Wizard - netsetup.cpl
Notepad - notepad
Nview Desktop Manager (If Installed) - nvtuicpl.cpl
Object Packager - packager
ODBC Data Source Administrator - odbccp32.cpl
On Screen Keyboard - osk
Opens AC3 Filter (If Installed) - ac3filter.cpl
Password Properties - password.cpl
Performance Monitor - perfmon.msc
Performance Monitor - perfmon
Phone and Modem Options - telephon.cpl
Power Configuration - powercfg.cpl
Printers and Faxes - control printers
Printers Folder - printers
Private Character Editor - eudcedit
Quicktime (If Installed) - QuickTime.cpl
Regional Settings - intl.cpl
Registry Editor - regedit
Registry Editor - regedt32
Remote Desktop - mstsc
Removable Storage - ntmsmgr.msc
Removable Storage Operator Requests - ntmsoprq.msc
Resultant Set of Policy (XP Prof) - rsop.msc
Scanners and Cameras - sticpl.cpl
Scheduled Tasks - control schedtasks
Security Center - wscui.cpl
Services - services.msc
Shared Folders - fsmgmt.msc
Shuts Down Windows - shutdown
Sounds and Audio - mmsys.cpl
Spider Solitaire Card Game - spider
SQL Client Configuration - cliconfg
System Configuration Editor - sysedit
System Configuration Utility - msconfig
System File Checker Utility (Scan Immediately) - sfc /scannow
System File Checker Utility (Scan Once At Next Boot) - sfc /scanonce
System File Checker Utility (Scan On Every Boot) - sfc /scanboot
System File Checker Utility (Return to Default Setting) - sfc /revert
System File Checker Utility (Purge File Cache) - sfc /purgecache
System File Checker Utility (Set Cache Size to size x) - sfc /cachesize=x
System Properties - sysdm.cpl
Task Manager - taskmgr
Telnet Client - telnet
User Account Management - nusrmgr.cpl
Utility Manager - utilman
Windows Firewall - firewall.cpl
Windows Magnifier - magnify
Windows Management Infrastructure - wmimgmt.msc
Windows System Security Tool - syskey
Windows Update Launches - wupdmgr
Windows XP Tour Wizard - tourstart
Wordpad - write

What do you do with old batteries and computers?

From the web....

All batteries are considered hazardous waste in California when they are discarded. This includes all batteries of sizes AAA, AA, C, D, button cell, 9 Volt, and all other batteries, both rechargeable and single use. All batteries should be recycled, or taken to a household hazardous waste disposal facility, a universal waste handler (e.g., storage facility or broker), or an authorized recycling facility. After February 8, 2006, all batteries in California must be recycled, or taken to a household hazardous waste disposal facility, a universal waste handler (e.g., storage facility or broker), or an authorized recycling facility.

What do you do with your old computer?  Do you recycle them? Do you make sure that the data on them is deleted in an appropriate manner?  It's quite interesting though, how hard they are making this, they only accept throw aways twice a year, and only three monitors at a time.  So far we've done the "office handmedown" route ...but those machines that the office staff are replacing with our handed down office ones, we'll have to figure out what to do with them, as I doubt any agency would want some of our throwaways.

We still in fact have a few computers in our museum section ... one still with Lotus 123 burned into the green screen (ah what memories).

So what about the data?  Check out this article about hard disk data issues and how to properly dispose of data. 

Do you dispose of both the computer and the data in an appropriate manner? 

BCM and SBA service pack 2

Service Pack 2 for Business Contact Manager Update and Small Business Accounting provides the latest updates to Microsoft® Office Small Business Accounting 2006 and Microsoft® Office Outlook® 2003 with Business Contact Manager Update. This Service Pack contains significant usability enhancements and stability improvements.

Just call it "Sam the SBS Server"

It's funny.... there are times I don't get marketing.....and there are times I don't get customers....

...take this for example... a guy complaining about the mailing about the "New" Small Business Server 2003.  It struck me funny for two reasons... for one there is a bit of a point to it that the consumer focuses on the 2003 and doesn't realize that there have been changes to the SBS platform since October of 2003 when it shipped.

Let's see what's different shall we?

For one... if you have Premium.. in the year 2006 you have the latest version of ISA Server 2004 that you didn't have in 2003.  We now have Exchange 2003 sp2 supported on SBS 2003 and thus can go up to 75 gigs of Exchange storage that we didn't have before. 

For two... since October of 2003, we've installed Windows 2003 sp1, Exchange 2003 sp1 and 2, Sharepoint sp1 and 2, MSDE and SQL Server sp4, Outlook sp2.. and every month I install new bits on my machine.  For that matter...every month I have a "New" SBS box as the bits I had the month before are not the same bits I have now.

You know what I would do if I were in charge of marketing?  Stop calling it by the year.  Instead just call it the "Latest SBS".

And when it comes down to it.... that business owner really doesn't care what you call it.  He's buying a solution, not a year. How about we stop worrying about the names of products and instead understand that what we're really selling here is a business process solution.  We're not just selling technology, we're here to help find a solution to a business need, fix a business pain, make something work, enable someone to do something.  The name of the technology solution is, quite frankly, irrelevant to the person writing the check.

They just want it to do what you said it would do.

So where's your media?

I sure hope Merv is wrong...but it sounds like he's not.

JRittley is stuck.. he can't find cdrom1 of his SBS 2003 media set that he got with the OEM Gateway server that he got. And what's the only way that he can get a replacement?

Buy an entire new Server OS.

Yes, you read that right, unless you order replacement cdroms within 90 days, Gateway says he has to rebuy the Server OS all over again in order to replace the missing cdrom.

You know.. I sure hope Microsoft realizes that all these stupid policies by the OEMs... no media and only the OS on a hidden partition replacement method, a 90 day replacement media policy... are affecting John Q. Public's view of Microsoft.

And me as a shareholder of Microsoft in my 401K is concerned about that...Dell or Gateway shouldn't have that much ability to impact the view of a software company in my book....

So ... you made a duplicate copy of your media and stuck it in a lockbox or something paranoid like that?  Me on Open License... I can get replacement media all the time for a nominal shipping charge.  I sure don't have to rebuy the server OS if I accidentally lose the disks.

Wow.

So?

Where's your media?  Got it in a safe place?  Got all your disks?

Is that where WSUS puts the IMF updates?

No wonder I'm not getting the Exchange IMF updates offered up to me on WSUS... I didn't have the box checked.  Or at least I think that's where they should be triggered from... but it's not clear is it? 

On the WSUS blog it sounds like this will be the section that will be updates for Windows defender, but I think these are also the place for the Exchange IMF junk file updates. 

WSUS is synchronizing now... I'll let you know if my guess is right.

Update:  Nope..not right... hmmm... wonder if I forgot the registry edit to enable detection or something?

...and as your domain admin, I'm not going to let you delete that

The IE7 blog talks about a feature that you can delete your IE 7 history.

Well first... delete is a relative term because in operating systems unless you write over it, it's not deleted, and secondly, I as an Admin will want that 'feature' turned off.

I want to see where you are going and what you are doing in my firm.. it's in my Internet Use Policy that I can do it in fact.

Patching risk

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System:
http://www.incidents.org/diary.php?storyid=1052

"Before he turns it off though he tells me something very worrisome. It went like: "We turned off the windows automatic updates". I wasn't sure if I'd wipe the harddisk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they do that always as "In our experience windows update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advice in my opinion, from a shop I like a lot for their hardware."

I read that today and there's a part of me that sees that ...and it kinda in a weird way... breaks my heart.  That people have such an untrust about patches.  In my world, I have not had the issues with the individual patches, hotfixes and the like.  Service packs?  Now those are what are icky to me.  But security patches?  To me that's a normal monthly ritual now of test, deploy, evaluate.  In my network, in my workstations, on my computers, patches don't do more harm than the viruses that harm me.  If a virus harms me, it's because my defense isn't good enough.  They've broken in.  If a patch hurts me, even a little bit, that's just a normal process of software in my book.  Why would anyone want to choose a virus over a patch making the help file inside my tax program not work?  And honestly that's the last 'thing' that broke in my office.

The help file inside my tax program didn't work until I adjusted it. 

Now compare that with the risk of a virus that disrupts my network, my email, introduces a back door into my network or any other nasty thing...and someone thinks the risk of THAT is preferable over a possible issue with a patch?  I'm sorry but that risk is too great in my book.  You have a problem with your computer if a patch is an issue. 

Now that said.... many folks say that patching should not be knee jerk automatic in a business that depends on software... if you depend on an app...and that app has a history of breakage...then you need to fix the app, or find a way to protect that app, and mitigate the issues without patching.

That's the tricky part.  In most small firms, it's much easier to patch and risk the small chance of patch issues than to take the time to 'mitigate' for not patching.

Bottom line...don't turn off automatic updates...and Mr. Computer maker... I agree with the gang from Incidents.org... that's bad advice.

Exchange Best Practices Analyzer updated

2.10.0.1 - Minor enhancements and fixes. Enhanced support for Small Business Server, Exchange Server 2003 SP2, and third-party antivirus products.

Download details: Exchange Server Best Practices Analyzer Update:
http://www.microsoft.com/downloads/details.aspx?familyid=4f2f1339-cbcd-4d26-9174-f30c10d7ec4c&displaylang=en

The listing of what is updated is here.... and I found this comment interesting... Check that Trend Micro ScanMail 6.20 Patch 3 is installed

Which can be found here btw....and here's the write up.

The Non Admin white paper is out!!!!

This technical white paper describes the least-privileged user account approach and provides information on related tools and resources.

Whoo hooo the LUA paper is out!  LUA...you know ... LUA.. Least privilege and non admin and all that.  If you want to begin to get control back over your network, this, in my opinion, is the way to go.  We HAVE to get control of the desktops.  And having your stupidest user [let's face it, we all have them] have the right to click, to install, to launch, to load, to do anything on their workstation...those days are over.  Vista will be doing a better job in this area...but Vista is later...not now and we need all the help we can get to take back our desktops and make them part of the security fabric of our network.

The XP sp2 firewall is step one.  Non Admin is step 2.  Now this is not a trivial task and takes time and energy to do.  But if you can do this... you will be one more step on the way to defeating the bad guys.

Demand that our vendors support this.

www.threatcode.com

It's time we start setting our risks...and not our vendors.

Looking for WSUS resources?

Need resources to get your brain around WSUS?

Here's my recommendations

Btw ...just opened up a new category on the blog about WSUS

 

 

Rotations of Backups

At the MCPmag Handy Andy chat earlier today the conversation came up about tape/disk rotations....and the interesting comments surrounded the number of rotations depended on the client's needs for retaining data.  Many took a special backup once a year, once a quarter or once a month.  Many had a week or multi week rotation.  Many tried to make it so a week's worth rotated offsite each time.  But it depended on the needs/wants/retention of the data for each client.

Also one person was using the workstations to make backups 'to' so in the office Monday went to 'Fred's' computer, Tuesday went to 'Jane's' and so on.  The problem that I personally had with that setup was that in my own case, we had a burglary and lost a workstation in my office.  I don't want ANY sensitive information AT ALL on the workstations.  Someone asked me about their new setup and how secure was it to have Joe have data on his system and have Jane be able to remotely log into that workstation.  I told him that Joe's sensitive data should be up on the server with the proper NTFS permissions and auditing turned on, it should not be saved on the workstation where all I would need would be physical access to workstation, one freely downloadable NT admin password boot disk and whammo those files are in my possession.

Sometimes the best place to protect things is in one spot, one place, with RAID and backups, and shadow copies, and auditing, and NTFS permissions and all that stuff.

So why do people think you need something special for restoring?

I find some of the comments to my "Drive monkey" posts funny... for one... I personally think that the robustness of USB drives versus tape is tied to whether the server natively supports USB 2.0 or you have a good USB card.  Then comes the follow up question.....

Good feedback here on the tribulations some have using USB HDDs for backup.  My question is:  What is your restore process?  Are you just backing up data and will reload from scratch?  Or, are you using SW that will give you bare metal restores with that USB HDD? (If so, what is it?) Just curious. IMHO, regardless of the medium one uses to backup, it is the restore that really counts.

 

Since the 2003 platform, the issue of 'bare metal restores' has been mitigated due to the shadow copy.  To all of you who have this question... do me a favor... build a box.  One that you know you won't care about.  Load it.  Back it up with the built in SBS backup program.  Make sure you get that backup verification email in the morning.

Okay?

Now format the drive.

You heard me.  Flatten it.

Okay now read this document on backing up and restoring the system.....

...and while you are restoring the system...check out all the other resources here...

So yeah folks can argue that tools like Paragon Drive imaging are easier, the point is the built in SBS backup is all that is needed for a disaster recovery method.  All you need at a minimum is a hard drive.  Nothing fancy.  Everything else we layer on is just because we are paranoid...or want more confirmation ...or more bells and whistles....or whatever...but all we need for a recovery plan is right in our SBS boxes.

If you are a vap/var and have not flattened a box in the pursuit of trying this out.... what are you waiting for?

Btw I should point out that the only reason that we CAN do drive imaging of our domain controllers is if you HAVE just a single DC in the domain.  If you have more than one DC, you would NOT want to do this [tombstone/usn restore issues..bottom line icky stuff], so for all those folks who say that we're crazy to have a single domain....sometimes that means we can do stuff that no one else would DARE to do.

So how do I track RWW?

A commenter [I'm too lazy to go link it up as I was in the office at 6 ungodly am this morning to ensure that a Tax Webcast training seminar was working properly and right now I'm blogging as the Earl Grey tea attempts to clear the grogginess from my brain matter], was wanting to open up RWW for all employees but wanted to track/log/audit it.  And I got to thinking how I do it here.. or I should say...how I've started to be able to keep a real close eye on it here.

There isn't [as far as this sleep deprived brain can remember] a RWW log in database.....but.... the beta that I'm on with the Scorpion Firewall is giving me the tracking that keeps the paranoid me happy.  In the firewall dashboard new beta, Dana tracks connections...and guess what...443 and 4125 are just that...connections.. and every morning [since I set the dashboard email report up to hit my inbox at 6 a.mish like my other emails] I look and see just who connected in on port 443 and in particular 4125.  90% of the time the IP address I see that come in from is me at home [yeah it's pretty sad when you recognize your own IP].  But that 4125 port ... I should only see the connections I expect on that one.  Every now and then I see a 443 connection from Korea or Guatemala and I've been building up a 'block connection list'.  In fact I should take the time and dig up a really good 'these are typically bad IP addresses' list or just break down and get one of those ISA add in thingymajiggers [you expect me to coherently remember a vendor's name at this hour of the morning?] that do the work for you.

In the meantime, if anyone is more awake than I am.... comments about ISA add ons that you use and like would be appreciated so my brain doesn't have to wake up.
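One way to do the morning review described above, as an added example that is not part of the original post: it reads a connection report, skips the sources you expect, raises every unexpected connection on port 4125, and tallies unexpected 443 sources as candidates for the block list. The report layout, the expected-source list and the addresses (documentation ranges) are assumptions, since the post does not show the firewall dashboard's own report format.

```python
import ipaddress
from collections import Counter

# Ports named in the post: 443 is the RWW logon page, 4125 carries the
# remote desktop sessions that RWW launches.
RWW_PORTS = {443, 4125}

# Assumption: the sources you expect to see (for example your home address).
# Documentation address ranges are used here.
EXPECTED_SOURCES = [
    ipaddress.ip_network(n) for n in ("198.51.100.24/32", "203.0.113.0/28")
]

# Constructed sample of a daily report, one connection per line:
# "timestamp source_ip destination_port". Not a real firewall export.
SAMPLE_REPORT = """\
2006-01-30T05:58:11 198.51.100.24 443
2006-01-30T05:58:40 198.51.100.24 4125
2006-01-30T09:14:02 192.0.2.77 443
2006-01-30T09:14:05 192.0.2.77 443
2006-01-30T11:30:19 203.0.113.5 4125
2006-01-30T13:02:44 192.0.2.200 4125
2006-01-30T13:05:00 198.51.100.24 25
garbage line from a truncated report
"""


def is_expected(addr):
    """True when the source address falls inside an expected network."""
    return any(addr in net for net in EXPECTED_SOURCES)


def review_connections(report_text):
    """Split a connection report into what needs a human look.

    Returns (alerts_4125, review_443, skipped_lines):
      alerts_4125   - (timestamp, source) for every 4125 connection from a
                      source that is not expected; these should never happen
      review_443    - {source: count} of unexpected sources on 443, the
                      candidates for the block list
      skipped_lines - line numbers that could not be parsed, so a damaged
                      report is noticed instead of read as "all quiet"
    """
    alerts = []
    unexpected_443 = Counter()
    skipped = []
    for lineno, line in enumerate(report_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        try:
            ts = parts[0]
            src = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except (IndexError, ValueError):
            skipped.append(lineno)
            continue
        if port not in RWW_PORTS or is_expected(src):
            continue
        if port == 4125:
            alerts.append((ts, str(src)))
        else:
            unexpected_443[str(src)] += 1
    return alerts, dict(unexpected_443), skipped


if __name__ == "__main__":
    alerts, review, skipped = review_connections(SAMPLE_REPORT)
    for ts, src in alerts:
        print(f"ALERT  4125 from unexpected source {src} at {ts}")
    for src, count in sorted(review.items()):
        print(f"REVIEW 443 from {src}: {count} connection(s)")
    if skipped:
        print(f"NOTE   unparsed report lines: {skipped}")
```
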

So what does your Tape monkey change ...when you don't use tape?

Speaking as the office monkey here... I use Lacie harddrives now and as the 'drive monkey' I swap out the drives by turning off the power and unplugging the usb cable and power cord and swapping the devices out.  This ensures that I don't have that icky "Ghost ...you have no space left" message on the usb drive that isn't there because you didn't properly shut down the USB connection.

There's also another model that I'm trying out this week that can handle a week's worth of backups on one device [it's a bigger drive] now that does beg the question of the risk of the entire drive going south...there goes a week's worth of backups... but I tell ya.... the harddrive backups have been way less of a bother than my tape backup device.  Say what you guys like about how 'supposedly' fragile harddrives are over the stability and portability of tapes...but I had way more headaches with tape drives than I have with the Lacie's hanging off my USB 2.0 connection on the server.

So?  What's your Tape Monkey routine when you are using hard drives to back up?

There's this little problem with authentication, John....

So John asks if folks are exposing their sharepoint to clients and putting up invoices and stuff up there for clients to look at.

There's one problem.

It's the authentication issue.... you see for those folks to privately get into your Sharepoint and not expose that data to the universe you'd want them to authenticate.

To authenticate takes active directory rights and uses.

To use AD rights and uses takes CALs.

To use CALs means... they gotta be official users on your SBS box.

That's why for many folks wanting to share out Sharepoint to clients, they won't do it on their own SBS box due to the licensing and instead put it on an externally hosted box.

Bottom line...read this past post...and remember that www.mssmallbiz.com is on such an externally hosted sharepoint.

P.S. Happyfunboy reminded me of how we first met and bonded.... over a presentation where someone said access didn't matter...[yeah right, both of us afterwards were like 'He said WHAT about licensing?]

 

Hey... the antispyware thingys are going to be in WSUS

WSUS Admins:

Today you will see a new product category and update classification in your WSUS Synchronization Options dialog.  Windows Defender, formerly Microsoft Windows AntiSpyware (Beta), will as of today’s synchronization show up as a new Windows product category.  A new update classification will also come on line called “Definition Updates”.   Currently Windows Defender is only released as part of a VISTA beta release.  Definition Updates will only be available to beta participants from the Microsoft Update site, with Vista Windows Defender Beta installed.   Windows Defender beta will be available to down level clients, and Definition Updates available via WSUS in the coming months.   As with CodeName Max, when new product updates are released to MU, their categories and classifications also appear on the corresponding WSUS options dialogs.  Unlike CodeName Max, Windows Defender  Definition Updates will be available to synchronize to WSUS servers and approve for installation on clients in the coming months.  For right now, no Definition  Updates for Windows Defender will be available from MU to WSUS servers. 

To learn more about the Windows Defender Vista beta see:  http://www.microsoft.com/presspass/newsroom/winxp/12-19WinVistaDecCTPFS.mspx  Visit the Windows Defender team blog for the latest news on Windows Defender and Definition Updates availability via WSUS at  http://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx.

 

Thanks -Bobbie
--
Bobbie Harder
Program Manager, WSUS
Microsoft

The thing we need to do more of

Flatten.

You heard me.  We need to flatten the boxes we get from the OEMs and rebuild them as we see fit.  Without the junk.  The add ons.  The third party crud.  We also need to purchase the right boxes.  Yeah... it's hard as a VAR/VAP to argue with the cheap OEM special but they are introducing too much risk in our firms... even our small ones.

SANS today has on their front page a discussion about deploying...and most of them flatten them and get them to a known state.

And look what we do around here.  We get OEM images that have stuff all over the place and have ....typically no restore disk [it's hiding in a partition and you have to build your own] when you buy the cheap machines.  I've bought business machines and you 'can' ensure that you get real media and not 'restore everything back to its annoying state' restore media.

But it's hard to talk a client into taking a nice new box and destroying it, isn't it?

[and I don't mean that you necessarily buy new licenses ...but that you ensure you get that OEM media WITHOUT the crud and install from that]

 


 

While you are installing... do you 'value add'?

Gregg brings up a wonderful point in the blog comments..... do you look for ways to introduce Sharepoint into the firms you install SBS in?

Do you look for ways to help someone learn how to use their SBS box better?  To increase the use in the firm?  I just set up an Excel shared spreadsheet this weekend... one that I knew that I wanted to have better control of the employees use of it... so that one person wouldn't get in the document and lock out all the others and you'd have to buzz them on the phone and tell them to get out of the file.  Yeah, it's the way that most of us small businesses do it, but it sure isn't efficient is it?  So I enabled 'sharing' of the spreadsheet and set up a shared workspace so that the changes are better tracked and updated without having to buzz someone in the office.

...so the next time you install SBS... look around at those dog eared documents tacked up on a bulletin board.... Sharepoint 'em.

So what do you use Sharepoint for?

I use it in my office to share out Word documents that I want to ensure are kept intact and not rewritten over again.  I use it to keep our employee manual and other resources that I tend to go...dang.. now where did I save that?  I put things like instructions to the phone system.  Set up for the Scanner.  Other things that I do ...but infrequently.  Why?

Because the Search box in there that I have from SQL makes it perfect for this.  I can find things.

Stephanie talks about backing up Sharepoint in this blog entry but doesn't make it as clear as I would like, that her instructions allow you to do file by file backup...the Sharepoint is really backed up as a whole each time you backup the server.  So don't worry... the SBS is truly backing up Sharepoint..but as a whole, and thus you have to restore the entire thing.  If you want to be extra paranoid and have a file by file backup, you need to follow her post.

So?

What do you use Sharepoint for?

The spyware guys know we don't care.

In a spyware listserve I hang in... comes a sad but true story.... in the registry log file of a malware and spyware'd computer was this line....

 HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log whining] C:\WINDOWS\system32\Fifa Football 2006 crack.exe

Look at that...the bad guys are laughing at us and how we download software.  How we don't care about security... how we don't even validate what we are downloading.  They know that people will download anything if given the choice. 

Look at that ...they are taunting us that we don't care enough about what we download...what we do on our computers...it's sad isn't it...that they know we don't care.

Do you use RWW?

RWW.. you know Remote Web Workplace?

One of my new SBS admins that just migrated into SBS I don't think knew what RWW was and man... it's the killer APP of SBS.

It's a way to connect securely to my SBS box.  And in my case I chose to not use remote Outlook in the form of Outlook over Http to ensure that my data stays inside my firm.

What is RWW?  It's a web page that I log into, give credentials, and from there I launch off to other options inside my firm.  Want to connect to just email, I can do that.  Want to connect to my desktop, no prob.  It's all about remote connectivity....and if you are a new SBS owner and have not used RWW... man are you not taking advantage of the killer app of SBS.

Watch this webcast.... see what I mean...

The connect computer and one Nic and the MCE problem

In the mssmallbiz yahoogroups, a post reminded me that you need to make sure you only have one active NIC alive and kicking when you run that wizard as I've seen that wizard fail when two or more nics are active [even vmware network adapters].

But then came the real reason that the wiz wouldn't wiz.... the computers that were being attempted to join the domain were Media Center Edition Computers...which ... officially CANNOT join a domain.  Yes there is the 'banana' hack, but unless you are using that MCE to drive a High Definition TV in your conference room [and btw those units do look very cool] you need to get yourself to XP Pro.  I'll be the first to say that yes, I run a MCE here at home joined to my domain...but this IS my home and not my business.  Again.. choose the right tool, and you want an XP Professional or XP Tablet in a firm setting. You don't and can't use XP Home,  and 'might' want MCE for the 'wow' factor in the conference room.  Otherwise stay away from them.

Career or a Job?

For those of you that are consultants... is this a career to you.... or just a job? If it's a job... all you will need to do is just 'act' like you know what you are doing and take on any jobs that come your way. 

If, however, this to you is a career, the question becomes... do you treat it like one?  Do you take the time to get education and training in various formats?  Do you run a SBS box at home as well as for business [if you have a business office]?  Do you hold yourself out like a professional?  Business cards... professional attire...

SAGE is a group for system administrators...but for those of you that this is a career.. you are the Outsourced Chief Technology Officer and the same rules apply....

http://www.sage.org/ethics.mm

So what about you?  Is this a career?

Knock it off Apple

Matt blogs....

Ever try to JUST install Quicktime recently?

You can't.  If you want to download the new version, you have to download Quicktime WITH Itunes.  Yea, you can uninstall ITunes later on...but, why is apple forcing me to do this?

I am 100% content with my current media player, Windows Media player, and the library it puts together.

I hate when they do this stuff!!!!!!

------------------------

Dear Mr. Jobs.  Yes I bought an Ipod for my sister for Christmas so if you are attempting to entice me to buy it... I already did.... in the meantime ...if this is true [and I'll go check if he's right that you don't have the option up front during the install] ... STOP IT.

Okay I just checked... he's right... oh good... more insecurity automagically in my network [see the eweek article about the itunes flaw]...

P.S. Donna points out that there is a standalone player ...look very carefully on the download page in tiny writing....there "is" a link...but it sure doesn't make it obvious.

AICPA names top 10 technologies

In today's Consulting Insights.. Bob Scott reports that the AICPA Top 10 Technologies is out..... and look what's number 10!

AICPA NAMES TOP TEN TECHNOLOGIES.
The American Institute of CPAs has named information security as its No. 1 technology issue for 2006, a repeat winner, and it's hard to disagree with the choice. I think this year's Top Ten is more practically oriented than some I've seen in the past. Either that, or I know more than I did and they were right all along. Issue No. 2 was assurance and compliance apps. Here are the rest of the winners:

  • 3. Disaster and business continuity planning;
  • 4. IT governance;
  • 5. Privacy management;
  • 6. Digital and authentication technologies;
  • 7. Wireless technologies;
  • 8. Application and data integration;
  • 9. Paperless digital technologies; and
  • 10. Spyware detection and removal.

Ensure tinfoil is in place please?

Quick you may need this protection..... especially if you go and listen to the latest Steve Gibson podcast about the 'rogue developers of Microsoft' who placed 'an intentional back door' into the operating system.  In the meantime you may wish to also read the MSRC blog and their take on the same issue.

Now Steve says 'he's leaning toward Open Source because you can review what's in there'.  Oh.. really ...just like this vulnerability in Novell's SuSe Linux that just came out today and appears to already be under attack.  The vendor was notified on 11/15 and the fix out 1/13/2006.  "Remote exploitation of a heap overflow vulnerability in Novell Inc.'s Open Enterprise Server Remote Manager allows attackers to execute arbitrary code."  Why isn't that a 'back door built by rogue developers' like the WMF exploit?

Tim says he's waiting for next week in his blog about this...and that's exactly what Steve wants.  Look at the 'buzz' this one podcast has gotten.  Talk about a very VERY unprofessional way to handle this.  First off... Mr. Gibson, I email secure@microsoft.com ALL THE TIME and seemingly even with the spam filters that tend to mark my pacbell.net as spam, I get responses from them.  Secondly, whether he cares or not, on the backchannels of security listserves, his podcast is being ...well quite frankly...laughed at.  Next...for him to say that he is the 'first' in this charge.....he was not the first to charge that WMF issue was a 'backdoor', on January 2nd to be exact, other bloggers and companies did.

If you are going to charge something like this, Mr. Gibson... first off don't charge something of this magnitude without contacting the company first, secondly .... to podcast something when you aren't even sure of all the facts?  That's just irresponsible in my book.

Enough with the tinfoil folk... get real....flaw yes.  Intentional backdoor by rogue developers?  Get reasonable Mr. Gibson.

Okay so you heard all the horror stories about Quickbooks 2006 and you'd like to install the R3 version directly?

In addition, if your clients have purchased QuickBooks but have not installed it yet, and want to use R3 to install, please visit the link for the appropriate product to download directly to your computer.

QuickBooks Direct Download Links.

If you would like to install the Simple Start Edition of QuickBooks, select this link:
http://http-download.intuit.com/http.intuit/Downloads/2006/R3/QuickBooksSimpleStart2006.exe

If you would like to install the Pro version of QuickBooks, select this link:
http://http-download.intuit.com/http.intuit/Downloads/2006/R3/QuickBooksPro2006.exe

If you would like to install the Premier version of QuickBooks, select this link:
http://http-download.intuit.com/http.intuit/Downloads/2006/R3/QuickBooksPremier2006.exe

If you would like to install the Enterprise version of QuickBooks, select this link:
http://http-download.intuit.com/http.intuit/Downloads/2006/R3/QuickBooksEnterprise6.exe


Note on Long URLs: Because the above URLs are long, your e-mail browser may insert a hard return in the middle of the address, with the result that you will need to cut and paste both parts into your Web browser. We apologize for any inconvenience.

CAUTION: If you have installed R3 or R4 and receive an error message reference "-6177,-0" please see "Error (-6177,-0) after updating to QuickBooks 2006 R3."

 Caution. Please do not attempt to Upgrade QuickBooks, Rebuild a data file, or Clean Up Company File* across a network. If you have clients in a networked environment, please work with them to make sure they avoid such actions.

The caution holds true whenever the file is being accessed from a remote drive. QuickBooks never supported major file operations across a network in earlier versions and does not support them in QuickBooks 2006.

Our technical support center has recently seen a spike in calls generated by this problem. For background on the issue, and instructions on how to proceed, please read KBID 118556, "Rebuild, Update, or Condense Takes an Exceptionally Long Time or Does Not Complete."

[thank goodness I don't have to put that program 'on' my server]

So what about coffee shops?

So in the comments of a previous blog entry about remote access, comes the question about 'coffee shop' access.

That is indeed in a different section, along with the information that before an employee takes a company laptop and is anticipated to use a Starbucks, they get a one on one training course on remote access.  I do and have allowed connectivity ala java, ala airport wireless and what not, but ensure that the employee understands the 'expected behavior' of each.

Starbucks access should always be a T-mobile web site access with an expected look.  So yes, I do allow this, but yes, there is the same stress of paranoia.  Now yes, there is the risk of someone putting up a fake AP and all that...but remember RWW is over SSL and thus information isn't passing in 'clear text'.  The other day I had a ping about a business owner who wanted to 'pop' back into his SBS box and one of the things that I warned the Admin was that when you use POP, you pass that username and password over clear text.

Is coffeeshop access secure?  Secure enough in my book.  I'm willing to accept the risks knowing that I have protection in place.

Taking the server for a spin...

So Michael pings...

I'm wondering if you could recommend a book about SBS to me.

We were running SBS on NT 4.0 and have recently installed SBS 2003 Premium so I'm after a book that will explain the possibilities of SBS 2003 Premium to me.  I've got a book called "Exchange Server 5.5 & Outlook Complete" published by Sybex, which was pitched at the right level in terms of explaining what could be done with these products, how they interact together, and how to configure them.

I've had an extensive look around Microsoft's website, and find it's too vague (collaborate, work smarter, stay productive)

In particular I'd like to know how to best use Outlook 2003 when using Exchange Server, and what are the possibilities with Sharepoint and how that can interact with Outlook/Exchange.

The majority of books available are for system administrators and are very technical and detailed.  I'd just like to know what the additional functionality in SBS 2003 is and what the possibilities are.

Now while I can send Michael to my past posts about books...There's a lot of stuff right inside the Remote Web Workplace...help menus and what not.... and how about that first set of emails you got when you set up the server?

Your company installed Windows Small Business Server 2003 on your computer network. Windows Small Business Server provides software tools that help you work more productively, and communicate more effectively with co-workers and clients. Some or all of the following options are available. Click a link for more information:

 

  • Internal Web Site Your company's new internal Web site allows you to share information, such as documents, photos, and events with your co-workers. Open the internal Web site.
  • Shared Documents Using document libraries on your company's internal Web site, you can share many types of content, such as documents, faxes, presentations, and proposals. Take a look at your company's document libraries.
  • E-mail Communicate with your co-workers and clients by using either Microsoft Outlook or a Web-based version of Outlook.
  • Mobile Devices Use your mobile device on the Small Business Server network.
  • Calendar Keep track of meetings, events, and appointments by using Microsoft Outlook 2003. You can also use the Vacation Calendar on your company's internal Web site.
  • Remote Access Check your e-mail or access files over the Internet or by dialing directly into your company network.
  • Fax Send and receive faxes while working at your computer

Go find that email..... and click those links.... see exactly what this box can do.  My fellow beancounters LOVE remote web workplace as they can even access their desktops from clients.  I love it because it ensures that I can be paranoid and secure at the same time enabling remote access for our employees.

 

The checklist before the transition pack

On the heels of the 'black hole' post, we have an update and a checklist guide to ensure your 'transition pack' deployment goes well...

Damian [the guy with the funny accent] is on the SBS blog with the recap....

http://blogs.technet.com/sbs/archive/2006/01/12/417350.aspx

"You have successfully updated your computer"

.... yup...no reboot this month.  Did everyone catch that?

SBS aka 'the kitchen sink' normally has at least one patch that causes or forces a reboot...but not this month.  All of the patches that came down on this Patch Tuesday [excluding 06-001 for the WMF of course...as that was earlier...] did not force a reboot.

I personally think that the "world record for uptime" that everyone boasts about is overrated...but that's just me...

 

What's in your remote access policy?

Here's a section of mine.....

In general:

When you are accessing the Firm’s network from a remote location, you must pay the same attention to security and privacy regarding client files that is required at the office.  Those employees previously identified by Management as needing remote access should ensure that at all times the connection to the Firm’s network does not in any way jeopardize the safety and security of the network.  Therefore, anyone with permission to run remote access is required to have installed an up to date antivirus and an active firewall on their personal home computer.  Periodic onsite visits by the Network Administrator may be required in order to approve a request for remote access and to maintain the access.  If you feel it is necessary for you to have remote access to the Firm’s computer network, please fill out a request form for remote or offsite access. [Please see a copy of this form in the appendix].

 

Remote access via Kiosks:

It is recommended that only personal equipment be used to remotely access the Firm’s network resources.  You should refrain whenever possible from using open, Internet café style connections.  Those users with remote connectivity will require special training on the risks of such access and will be instructed on ensuring that usernames and passwords are not saved on such devices.  This type of access should only be used in an emergency and only when deemed to be appropriate for the need.  Remote access may be necessary while traveling.  You should submit a request for a laptop for use while traveling prior to your trip.

 

...and we'll be adding a section on our Audiovox Cell phones as they have usernames and passwords on them.  Even with this... I monitor the access.  I have a rule that lets me know when a password attempt has been made on the system. 

 

But I think I'll be going back and beefing up that section and instead forbid Kiosk access entirely.  One should ensure they can 'trust' the device they are using to access the network with. 

Top tips from the Partner newsgroup

RECENT ISSUES AND TROUBLESHOOTING TIPS
-----------------------------------------------------------

ISSUE #1
=========
When generating a Server Performance\Usage Report via SBS Monitoring, the
reports are generated properly and when viewed through Server Management,
the report displays the correct date format of D/M/YYYY (English -
Australia).
When viewing the report after it has been auto-emailed to the administrator
the date format is in English (US) (mm/dd/yyyy).
How do I change the format of this date?

CAUSE
--------
This is a result of an English (US) operating system install.
This was installed by the OEM manufacturer of the server.
Also, multiple registry keys have had their sShortDate key modified to
D/MM/YYY

RESOLUTION
---------------
To resolve the problem we first put everything back to default English (US):

1. Go to Control Panel\Regional and Language Options.

On the Regional Options Tab:
- Set "Standards and formats" to English (United States)
- Set "Location" to English (United States)

On the Advanced Tab:
- Set "Language for non-Unicode programs" to English (United States)
- CHECK "Default user account settings"

2. Hit OK

3. Open Regedit and make sure the following sShortDate registry keys are set
to m/d/yyyy:

HKEY_CURRENT_USER\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\S-1-5-18\Control Panel\International
HKEY_USERS\S-1-5-19\Control Panel\International
HKEY_USERS\S-1-5-20\Control Panel\International

4. Then perform an IISReset and log off/on.

Then to make sure the generated reports were viewed with the proper date
format we performed the following steps:

1. Go to Control Panel\Regional and Language Options.

On the Regional Options Tab:
- Set "Standards and formats" to English (Australia)
- Set "Location" to English (Australia)

On the Advanced Tab:
- Set "Language for non-Unicode programs" to English (Australia)
- DO NOT CHECK "Default user account settings"

2. Hit OK. Log off\on.

3. Open up regedit and set the following registry key:

HKEY_USERS\S-1-5-20\Control Panel\International

Value Name: sShortDate

Value Data: d/M/yyyy

4. Perform an IISReset then Log off\on.

5. Generate a new report by going to Control Panel\Scheduled Tasks and right
click on the following and selecting RUN:

Small Business Server - Server Status Report - Server Performance Report
Small Business Server - Server Status Report - Server Usage Report

We verified that the Server Performance and Server Usage reports now display
the desired date format d/M/yyyy



ISSUE #2
======
PROBLEM
-----------
When you try to connect to server/client desktops via RWW, you get a blank
page; and you will see "Error on page" in the bottom left corner.
Double-click "Error on page", Show Details, and you may see:

Line: 337
Char: 4
Error: Invalid procedure call or argument
Code: 0
URL:
https://localhost/remote/tsweb.aspx?ServerXP%Port=4125&FS=1&User=xp&Domain=woody&redirectPrinters=1&redirectAutio=2

CAUSE
--------
The time out values (in minutes) are incorrectly configured in the registry,
at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal\PublicTimeOut

By default, it is 20. Based on testing, the maximum time out value is 482.
If you specify a time out value greater than 482 (say 483), you'll see this
issue.

RESOLUTION
---------------
Correct the registry value PublicTimeOut.



ISSUE #3
======
PROBLEM
-----------
Every 5 minutes an event 529 was logged for a specific user.

CAUSE
--------
Problem in User profile.

RESOLUTION
---------------
Renamed the user.
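A way to spot the Issue #3 pattern in a Security log export, as an added example that is not part of the newsgroup tips: it groups event 529 (logon failure, unknown user name or bad password) by user and separates a fixed-interval repeat, which points at something automated retrying, from a burst of failures seconds apart and from one-off mistakes. The CSV layout, the thresholds and the account names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Windows Server 2003 Security log: logon failure, unknown user name or bad password.
FAILED_LOGON = 529

# Constructed export, one event per line: "timestamp,event_id,user".
SAMPLE_EVENTS = """\
2006-01-12 08:00:03,529,jsmith
2006-01-12 08:05:02,529,jsmith
2006-01-12 08:10:04,529,jsmith
2006-01-12 08:15:03,529,jsmith
2006-01-12 08:20:02,529,jsmith
2006-01-12 09:41:10,529,administrator
2006-01-12 09:41:12,529,administrator
2006-01-12 09:41:13,529,administrator
2006-01-12 09:41:19,529,administrator
2006-01-12 10:02:00,528,mjones
2006-01-12 10:30:00,529,mjones
"""


def classify_failures(export_text, min_events=4, jitter_seconds=15):
    """Classify each user's 529 events by their timing.

    Returns {user: (label, interval_minutes)} where label is
      "periodic" - evenly spaced failures at least a minute apart, the
                   every-five-minutes shape described in Issue #3
      "burst"    - enough failures to matter, but bunched or irregular
      "sporadic" - fewer than min_events failures
    interval_minutes is set only for "periodic".
    """
    times = defaultdict(list)
    for line in export_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not fields[1].isdigit():
            continue  # header, blank or damaged row
        if int(fields[1]) != FAILED_LOGON:
            continue
        try:
            when = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        times[fields[2].lower()].append(when)

    result = {}
    for user, stamps in times.items():
        if len(stamps) < min_events:
            result[user] = ("sporadic", None)
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        steady = all(abs(g - typical) <= jitter_seconds for g in gaps)
        if steady and typical >= 60:
            result[user] = ("periodic", round(typical / 60, 1))
        else:
            result[user] = ("burst", None)
    return result


if __name__ == "__main__":
    for user, (label, minutes) in sorted(classify_failures(SAMPLE_EVENTS).items()):
        detail = f" every ~{minutes} min" if minutes is not None else ""
        print(f"{user}: {label}{detail}")
```
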

A conversation on Malware

Microsoft TechNet Radio:
http://www.microsoft.com/technet/community/tnradio/default.mspx

Steve Santorelli spent most of his career in Scotland Yard, so what is he doing at Microsoft? Steve is putting his sleuthing skills to work for you. Working with international law agencies, he and others in his group are tracking down the criminals who are creating the malware that keeps your IT group up at night. Steve is about prevention — not through technology, but through law. He is making sure the creators of malware are brought to justice. Hear a conversation with Steven on the human side of malware

...now if they can just put a podcast feed on this site......

The black hole of the transition pack

SBS 2003 has a 'transition pack'.  A method that you can upgrade from SBS 2003's restrictions to the full fledged products of its big brother servers...and big brother price tag.....and as SBSers go through this transition pack, invariably they post in the newsgroup "What's the transition like".

I swear this is a worm hole.... because they ask about it...and never post back.

Well one mortal who has survived in our SBS MVP ranks posted about it and I thought I'd capture it here...from Michael Cocanower of ITsynergy.com

 OK, here's what I found.

Installed the Transition pack on SBS SP1 Premium (running SQL but not ISA). It churned for a while and rebooted twice. Note that you are warned all over the place that you'll have to reinstall all service packs after installing the transition pack. Towards the end of the install, I get a message box "Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered. To exit, click Cancel. For more information, click Details. Clicking Details got me nowhere, so I clicked Cancel. I thought I was in trouble, and was ready to call PSS. I rebooted after clicking cancel, and much to my surprise, I get prompted that the transition pack was installed successfully. So now the box is in the "I think the transition pack is applied" state. I moved FSMO roles to another box without a problem (something you're only supposed to be able to do post transition pack). I moved Exchange and SQL each to their own box. I am also now running 2 DHCP servers in the environment, and the old SBS box seems to be stable. I'm not sure what else I can do to confirm that the transition pack is OK, but everything seems to be stable at this point.

To give more background... the transition pack was indeed applied successfully... ...the way you check is attempt to disable license logging service and sbscore services. If those two services will shut off and stay off, you don't have a SBS box anymore. In this "no longer a SBS box" state, Remote Web Workplace and all the SBS wizards still work, there are just no guarantees that future patches/service packs will break things.

The 'transitioned' server is now three boxes.  Exchange was the snap migration process to a new box.  SQL LOB app, also a piece of cake.  Sharepoint was the one that needed fixing in permissions, site owners, versions of MSDE and what not.  The site to this day is still chugging...OWA running fine along with Remote Web Workplace...and yes the client fully understands that technically while it still is running, [and they use it quite a bit] there are no absolute guarantees that RWW might be broken with some security patch or service pack and it's no longer supported.

If I were in charge of the Universe.. I'd steal RWW...customize it a smidge more...and stick it in Centro.

...now... to go get myself in charge of the Universe... that's the problem...

So... there we go... one story of someone who survived the "Black hole of the transition pack" and we've now posted his story.

P.S.  For you folks that have commented with issues....can you email me at sbradcpa -at- pacbell.net as I'd love to check with you guys on some points you've raised. When you don't leave an email address, I can't email back directly.

KB articles of interest

Error message when you try to reinstall Windows SBS 2003 in an existing domain: "This server has a trust relationship with <Domain_name.local>":
http://support.microsoft.com/?kbid=909639
Error message in an NDR when you send an e-mail message in Outlook: "Error: '<E-mail_address> 553 sorry, that domain isn't in my list of allowed RPC hosts.'":
http://support.microsoft.com/?kbid=912163
Error message in Windows XP Service Pack 2: "Stop 0x7E":
http://support.microsoft.com/?kbid=900485
How to determine that hardware DEP is available and configured on your computer:
http://support.microsoft.com/?kbid=912923
Error message when you submit print jobs on a Windows Server 2003-based print server: "STOP: 0x00000050":
http://support.microsoft.com/?kbid=905500
When you start Microsoft Office Small Business Accounting 2006, you receive an error message, and the program stops responding:
http://support.microsoft.com/?kbid=912202

All port scan attacks in ISA

On a listserve today someone indicated that their client had shut off VPN because they were concerned about the 'intrusion' alerts they were getting and thought their server was compromised.

First... don't panic.  Many of these are false positives.

ISA Server Port Scan Alerts: Tip of the Month - December 2005:
http://www.microsoft.com/technet/community/columns/sectip/default.mspx

Two... read that.

Three... check out a beta of a product that I think adds a lot more information and value to ISA server 2004.

The Scorpion Software Firewall Dashboard..."Cases 123-125: We have added a few new reports to show top service and connection usage so you can see what IS getting through your firewall. You can match this up against your server connection logs to see if things match up. There is a top service usage over the last 24 hours graph which shows the top 3 services against each other."

Can Bob the System Builder Swing a bit?

Today comes the word that BOB the System Builder will be doing a swinging good time on January 12th!

Join Sterling Jones [aka BOB] and Jeff Middleton doing a bit of 'swinging' this Thursday.

Microsoft US System Builder Technology Team is doing a web cast explaining Swing Migration as a strategic approach for System Integrators who "build and deploy" custom servers to consider. To prepare for this, Jeff Middleton identified some unique discussion points and presentation materials for the web cast he will be doing later this week Jan 12, 2006  at 11AM Pacific (GMT -8). http://www.msusapartnerreadiness.com/WS_abstract.asp?eid=15003648

Join the SBS community leader and migration specialist Jeff Middleton (MCSE, MVP) for this overview of the swing migration strategy. Jeff has researched and documented strategies that use standard data migration and disaster recovery techniques in a novel, strategic way to gain enormous flexibility and benefit from network migration processes. Swing migration facilitates retaining the same server and domain name, the ability to perform the entire migration process on an offline server, complete rollback capability, and much more!

Dana points to Eric who updates us on "Brett the Blogger"

Dana points to Eric's update on Brett's foray into blogging:
http://silverstr.ufies.org/blog/archives/000899.html

To follow more of the saga.... see here...

An ISO for the patches?

Download details: January 2006 Security and Critical Releases Bulk Update:
http://www.microsoft.com/downloads/details.aspx?FamilyID=27eb2d43-5f8e-4c93-b2dc-7954d7624758&DisplayLang=en

Alun just emailed.....
Tales from the Crypto : Not quite "SUS on a disk", but...:
http://msmvps.com/blogs/alunj/archive/2006/01/10/80720.aspx

Two bulletins today

January 10, 2006

Today Microsoft released the following Security Bulletin(s).

Note:
www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms06-Jan.mspx

Critical Bulletins:

Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

http://www.microsoft.com/technet/security/Bulletin/ms06-002.mspx

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

http://www.microsoft.com/technet/security/Bulletin/ms06-003.mspx

/...they've done that thing where each Outlook patch has a separate KB article and then Exchange has a KB article number.  I understand the process [it's one vulnerability] but I see it as two programs/patches and thus track it differently/

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

 

So what communities do I hang in?

So Keith asks...what is my choice of a newsreader and what newsgroups do I follow?

I'm weird.  [yeah like that's a surprise] in that I compartmentalize my newsgroups.  I am partial to Thunderbird for my MS public newsgroups and honestly only track a few.  The major one being microsoft.public.windows.server.sbs [home base of the SBS 2003 newsgroups].  But lately I have been keeping an eye on the WindowsUpdate one as well.

Now then in the Microsoft Partner newsgroups I read those in Outlook Express and in there I track both SBS 2003 and SBS 2000 as well as SBA, Security, Windows Update.

Now then.... wanna know the listserves I'm on?

Okay so is it any wonder my mailbox gets a lot of email?

My server broke

Happyfunboy showcases every tech support person's dream.

A knowledgeable person who doesn't say things like "my server broke"

Taking the time to gather the information ahead of time means that your call to support is as good as can be expected with a dead server on your hands.  Business critical down is... well... one dead network on your hands.

This struck me funny...

So on Vlad's site it reminded me that I hadn't linked to his SMB book podcast with Beatrice Multzer and he has a link to his podcasts... that says.... and I quote...

"Listen to Vlad's soothing voice"

unquote.

Now... we really and truly love Vlad...but I don't even think that Microsoft's spinmeisters, the PR department of WagEd, could ...with a straight face...say that Vlad has a 'soothing' voice.  A voice to get you excited about SBS, yes.  A voice to get you inspired to sell, yes.  A voice to make you want to set some goals for the next year, month, week,...heck the next hour and minute, yes.

But soothing?  Uh.  Uh....Um.....

But we love you, Vlad, nonetheless.

Dear Tip Top Equities

If you think for one moment that I will even think of buying anything from you after you've been spamming my Pacbell account for the last few hours.... guess again folks.  And why in the world would I want to buy a penny stock called HLV Capital anyway?

It amazes me that spam works.  Obviously it does enough otherwise it wouldn't be effective. Today I was asked if I could get rid of junk mail completely and I said "No."  Just like how junk snail mail pays for the rest of us to use regular postal mail, so much of what annoys us and bothers us, has a value to someone, a market. 

If there was only a way to get rid of the profit motive, this stuff would dry up.

So Mr. "Under the Radar Equity", "GrandSlam Stock", "Stock Radar", guess what....I'm not buying!

Okay I'm leaving WMF's blocked

The other day I put in place blocking of WMF files in my network.... and I'm not going to adjust that setting one bit.

There is no need for my users to have or need that file and today's update on the MSRC blog proves that indeed.

http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx

Let's just keep those files blocked, shall we?

You in Fresno and want to join a SMB Partner group?

Join us January 23rd for the first meeting of the Fresno Branch of the 
SMB Technology Network.

SMBTN [www.smbtn.org] is a growing group of computer consultants and 
professionals in California and we are starting a Partner group in the 
Fresno Area. 
Our first meeting will be January 23rd, at the Fresno Airport Holiday 
Inn starting at 6 p.m. [refreshments and finger food provided free of 
charge]

The meeting is expected to be in the Yosemite room but please check the 
board for SMBTN-Fresno upon arrival.  The hotel is located across from 
the Airport in Fresno.
http://www.ichotelsgroup.com/h/d/hi/1/en/direction/fatap

Come and be ready to win books [SBS unleashed, SBS Admin Guide] and 
other giveaways and learn how joining a SMB Partner group can help you 
in your business.

There is no fee to join the Fresno group and to join in the peer sharing.

As a consultant or reseller in the SMB market space, you know how 
difficult it can be to grow your business.  The SMBTN offers three major 
components to help you:

Education through monthly meetings, In the Field seminars, and our 
annual conference, helping you stay abreast of the latest SMB trends and 
technologies.

Collaboration with vendors and manufacturers, including special programs 
and hands-on training.

Networking with peers and at client facing events, helping you to expand 
your business.

Please RSVP to Susan Bradley in Fresno, California to her 
email address at sbradcpa@pacbell.net

If you are interested in this group, please RSVP to Susan or join this 
Yahoo listserve.  If you are not interested, but know of someone that 
might be, please feel free to pass along this invite.

http://groups.yahoo.com/group/SMBTNFresno/

Don't have a copy of SBA and want one?

Want a copy of Small Business Accounting?

Apparently you have to ask for it?

Microsoft Partner Blog - Stephen Cracknell - Your Southwest TS2 Presenter : Acquiring SBA Through The ActionPack:
http://ts2community.com/blogs/stevencr/archive/2005/12/06/477.aspx

So I was on the MS Partner site...

And I was looking for SMB partners... so I started with the site how your clients would see you.... and I gotta say... now maybe this is Fresno or something... but have you truly looked at how professional you look to a client from that MS partner portal?

Some of you list no web sites, no email addresses, or your web sites are dead.... or better yet... the bio of your firm is .... well... if your only experience in computers came from after you yourself surfed to p_rn sites and you ended up having to clean up malware...that's not exactly professional in my book.

And folks?  Frontpage makes some [admittedly boring] websites better than you guys do.

Come on guys... look at what you look like to your customers and clients.  And quite frankly....some of you need to take a second look.

Okay so you have your Action pack SP1 media..but...

You get to the part where it asks for Outlook and you don't have it?  Go grab the previous Outlook from the first non SP1 version of SBS.  Even though it's dated November of 2003 it is the same media as before and there is no difference.  The SBS sp1 part will layer on the SP1 part of the install.

Also if you have Open License media you should get the Outlook in the media kit.

So what tools do you use?

So a bit back I asked what tools that SBSers should have on hand and here are some answers...

www.sysinternals.com

www.dnsreport.com

Besides www.Eventid.net and www.Experts-Exchange.com and the others
mentioned by Susan I find having a Bart's PE Builder CD on hand with
recent antivirus and antispyware a real life saver.  See
http://nu2.nu/pebuilder/.  I also have on the CD GetDataBack and other
utilities from
http://www.runtime.org/.  The RunTime.org people have
even provided the plugins for Bart PE.  If you have ever lost a volume
on a drive due to disk failure, this utility will amaze you with the
data it can recover if the drive still spins.

From Peter

1. nslookup
2. telnet
3. eseutil
4. filemon
5. regmon
6. netmon
7. pokemon (cmon, all work and no play...)
8. netstat -aon | find ":portnumber"
9. tasklist /svc
10. adsiedit.msc <<-- always install the support tools
11. www.sysinternals.com
12. www.hotmail.com   <<-- testing external mailflow
13. recovery console
14. exmerge
15. treesize

Jim says...

Good start, but let's not forget:
- pathping (built-in)
- ldp (support tools & far better than adsiedit, IMHO)
- shutdown (resource kit)
- Duke Nukem (need you ask?)
- whois (resource kit)
- winsocktool (http://isatools.org/winsocktool.msi )
- portqry http://support.microsoft.com/?id=832919
  http://www.windowsecurity.com/articles/Mastering-PortQryexe-Part1.html
  http://www.windowsecurity.com/articles/Mastering-PortQryexe-Part2.html
- netsh -diag (built-in)
- netstat -anob (built-in)
- netdiag /fix (support tools)

Over my dead body

On a couple of listserves and blogs the idea has come up that, now that this patch got out so quickly, all patches can get out this fast.

First off, I think that's a simplistic view as not all patches are created equal.  This one was a small file.  Take a look at the IE patches and their file manifest.  Huge in comparison.  Thus to say that, say, an IE patch can be written, tested, and signed off in the same fashion as this patch is ... I think... too simplistic of a view of how 'change management' works and how each security issue is not the same as another.

It's easy for bloggers to say 'oh we need to demand beta patches as admins can decide the risk and apply them' and not realize the near 'freak out' that I'm sure would result because quite honestly we have no clue whatsoever as to our real risks out here.  None.  Zilch.  And as a result, each of us would think that we are in need of that fix.  So what would happen?  Untested patches unleashed on our networks.  Okay so how do we track issues now?  Is it beta version 1 of that patch you are seeing that with or beta version 2?  Yeah right, that would work out well wouldn't it?  We'd have absolute freak out on our hands.

Furthermore, I don't see these posters and bloggers in the newsgroup on the day after patching when, on the rare occasion, we do see issues.  I don't see you there helping that computer user try to get that box into a usable condition.  It's easy to ask for this when you are where you are at and do have the resources to handle such things, unlike most home and small businesses.

Yeah there are times that I will look at how long a patch takes to come out and wonder ...gee..that's a long time... but at the same time... I ...nor many out here making these demands...have no idea of the process that it takes to get a patch out, coded, tested on the umpteen versions.  It's easy to say these things when we're on this side.

Some have suggested that beta patches be handled like KB articles so that you'd call into PSS to get them.  And all that would do would be to get code that could be reverse engineered into the hands of the bad guys that much faster.

I'm not saying that I know the right answer here, the right balance, or anything.  But I'm tired of 'standards' and 'best practices' being used in such an easy way without understanding what you are saying and asking for.  Sometimes 'standards' force you into being too rigid and not being agile enough.  I'm not going to ask for a standard patch build timeline because we truly have no way to set such a standard.  Some issues may be so deep and embedded in the operating system that it will need additional analysis.

I do like the once a month patch deployment because it means I can plan my month and security accordingly. 

The standards that are in place now... a patch no sooner than it's ready... a patch for all critically vulnerable systems at the same time.... a patch for all languages..... a patch for all versions.....released on patch Tuesday unless it's an unusual event.....that's enough of a standard in my book.

Except for one more standard....... over my dead body will untested patches be unleashed on the SBS community.  That's one standard I will enforce.

Are you ready for the Home Network?

CNN has a podcast about the Apple effect on CES and it reminds me of my visit to my friends.... at home they have a replay TV and a media center and numerous machines all peer to peer together and now they have a HDTV in the bedroom and have customized Pronto remotes.  But no real centralization and no real backups for all that music and digital video and what not...

And now with all the video on demand stuff....it reminds me that I think there's a marketplace out there for the house/network installer.  I wonder if the VAR/VAP community is plugging into the tract home developers as I think there's a marketplace.  As geeky as my friend is, he was asking me for advice about a Server and how to set it up.

We went around Disneyland and went into their Innoventions building where all of the technology was what was already here.... The dog from Sony.... the whirlpool fridge that has the bar code reader and Internet in the kitchen.  We have technology all around us now and I don't think we're integrating it well in our homes.

Are you seeing what I'm seeing?  That the geeky home user is starting to have a lot of stuff and not backing it up?

And check out this firm [in my own back yard no less] that is already doing the home networking stuff.

Welcome to David Barrios Designs:
http://www.davidbdesigns.com/home.html

I say it looks like a trapezoid

It's all David's fault... okay so I changed the logo on my blog to be this:

From what it used to be...like this...

And I'll admit it was a bit scrunched up and icky.... but what I was pointing out to David that was driving me crazy was that all other logos that I've seen on pages look crooked.

See if you can see it...

See the illusion that occurs on those white beveled edges on a white background?  It looks like a Trapezoid.  Okay so maybe it's me, but it does!  So I found one that doesn't do that and hopefully David will approve it as he was pretty proud of his accomplishment of passing the exam [as he should be].  It truly brands him as saying to clients 'hey, I'm a person who knows about your small business technology needs!'.  Have you taken a look at the updated Microsoft Partner web site?  Wow.  A lot of changes.  And even more so if you are a Small Business Specialist Partner.  And there's a store for SBS logo'd items as well [as soon as I dig up my program number anyway]

So David?  How's it look?  Enough white space?

P.S. The squared up design 'is' from the logo builder site... so I think it's legal?

Outgoing VPN connections having issues?

So Mike asked.....

Hi,

I was wondering if anyone else has a problem with outgoing VPN connections after uploading SBS SP1.

Everything works as before with ISA 2000 but I have a VPN connection to a friend I support and this is now being blocked by ISA2004 in the SBS Internet Access Rule. I have tried all I can think of and studied that rule until cross eyed but cannot see why it's blocking it.

I know it is doing by setting up a logging task on the external IP I am trying to connect to, this reports which rule is doing the blocking, but not a hint of why.

Any advice appreciated

Mike

And if Mike would have listened to the SBS podcast, he would have probably heard the resolution.....

When you use the ISA 2004 Firewall Client program, you cannot make a PPTP-based VPN connection:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887006

So why aren't 98's being patched?

Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919):
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

A question that even I had came up on a listserve... why isn't this critical to Windows 98/ME machines?  Because on all the machines my fellow MVPs attempted to automagically infect with this exploit, none of them would automagically get nailed.  All of the 98's and ME's needed user intervention.  Now one could argue that Windows still has more stupid users, but the reality is, because the 9x series did not use the default viewer, they are less vulnerable.  Thus, not critical.  Thus, because 98's only get patched when it's a critical issue, there will be no patch.

Updating an a/v subscription apparently takes a village

...or at least a fellow SBS MVP who's done this before [thanks Steve]

Well it started out that my Trend 2.0 was indicating that it was expiring and so I contacted my vendor and they sent me a form to fax back.  So I'm waiting for 'something' to come back and giving me codes or something and happened to mention to the gang that how long should it take for that Fax to be processed.

Well... looks like all I had to do was to go into the console and check that button that says "Check Status Online" and it would grab the renewal and I didn't need that faxed form at all.

And there we are back in business.....

So, thanks to the gang... I'm back in 'non expiring' mode.

Steve said that Ingram Micro now does Trend via their Click2License part of their site.

Newsflash at 11....the sky will continue to fall....

In our continuing saga of keeping secure online...just wanted to update everyone that even though I'm fully patched the sky will continue to fall.

Why?

Read this.

In particular ...this..."Patches are always likely to be necessary because software will never be perfect as long as it is written by imperfect human beings,"

So to me..it's pointless to argue over the merits and numbers of patches and what not.  Because we will always want to interact with one another... we will always be at a slight risk.  Not to mention.... "Though Windows suffered fewer flaws it is still the platform with the most security problems, given its wider user base of less tech-savvy users."  ...that's politically correct speak for 'we got more stupid users than you do'

Fixing up a little annoying OEM Exchange error

Mark reminded me that I never followed up on that Exchange error issue I get on a preloaded OEM image.

The solution is that it's missing two reg keys...

Start by looking under 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\

okay now look for the name of your Exchange server

And then look for both the Private-Guid-of-private-mdb and then the Public-Guid-of-the-public-mdb

And in each section under both private and public there should be two added registry entries...

  • Gateway In Threads with a Reg_Dword value of 0
  • Gateway Out Threads with a Reg_Dword value of 0

So to start, click in the white space on the right hand side and choose New, DWORD

Then in each section you add these values so they look like this:

Voila....
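The same registry change can be scripted. The PowerShell below is an added example, not part of the original post: it assumes the server subkey under MSExchangeIS is named after the local computer (pass `-Server` otherwise), and it only reports what is missing unless `-Apply` is given.

```powershell
# Added example, not from the original post.
# Adds the two DWORD values named in the post ("Gateway In Threads" and
# "Gateway Out Threads", both 0) under every Private-<GUID> and Public-<GUID>
# key of the Exchange information store, if they are missing.
# Assumption: the server subkey is named after the local computer; pass
# -Server to override. Run from an administrative prompt; without -Apply
# nothing is written.
param(
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Apply
)

$base       = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$Server"
$valueNames = 'Gateway In Threads', 'Gateway Out Threads'

if (-not (Test-Path -LiteralPath $base)) {
    throw "Registry key not found: $base"
}

# The post names two kinds of subkey: Private-<GUID of the private mdb> and
# Public-<GUID of the public mdb>. Anything else under the server key is skipped.
$stores = @(Get-ChildItem -LiteralPath $base |
    Where-Object { $_.PSChildName -like 'Private-*' -or $_.PSChildName -like 'Public-*' })

if ($stores.Count -eq 0) {
    throw "No Private-* or Public-* subkeys under $base"
}

foreach ($store in $stores) {
    foreach ($name in $valueNames) {
        # GetValue returns $null when the value does not exist.
        $current = $store.GetValue($name, $null)

        if ($null -ne $current) {
            Write-Output ("{0}: '{1}' already present (value {2}), left unchanged" -f $store.PSChildName, $name, $current)
        }
        elseif ($Apply) {
            New-ItemProperty -LiteralPath $store.PSPath -Name $name -PropertyType DWord -Value 0 | Out-Null
            Write-Output ("{0}: added '{1}' = 0 (REG_DWORD)" -f $store.PSChildName, $name)
        }
        else {
            Write-Output ("{0}: '{1}' is missing, would add as REG_DWORD 0" -f $store.PSChildName, $name)
        }
    }
}
```

Run it once without `-Apply` to review the report; exporting the MSExchangeIS key beforehand gives a rollback point.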

What I learned from this

First read a good blog post from Mike Nash on why this came out early.

And here's what I learned from this....

  1. This is my firm and only I can decide the risks.  It got to the point yesterday and today that I was about ready to yell "enough" and stop reading the blogs, the news sites, the stories of how I was at risk.  So much of what we were getting as 'gospel' was second hand and third hand and never disclosed the actual methodologies of how numbers and stats were determined.  On the one hand there were folks saying they did see threats, on the other hand folks were not seeing any. 
  2. The security biz is a PR opportunity.  Security should be icky and boring.  About as boring as reading financial statements.  Man the 'spin' on this issue was unbelievable.  'The worst security event ever', 'Every OS back to pencil and paper is vulnerable'.  [okay so now I'm exaggerating...but you get the idea].  Most of the headlines were not facts but spin jobs done to sell more product of 'fill in the blank'.
  3. No one has a good handle on the true risks of their firm [and we may not ever].  My impression is from all this 'yes it works', 'no it doesn't', 'yes it's vulnerable', 'no it's not', is that none of us truly have a handle on what is installed on our systems and all of us have so much third party crap.  So much of this incident was fear of the unknown, fear that something bad was going to get us, yet .... it was said that it was not an RPC type issue, it would not turn into a worm and yet look at how much we were freaking out on this.  On a daily basis we have risks out here on the Internet.  And if there's only a patch between you and the bad guys... maybe we are in more trouble than we think?  Maybe we need to ensure we have layers, and defensive moves, and stop running as admin....and all those things that we really should be doing so that we're not totally going wacko over a security issue that some bozo brain timed to screw up our holidays.

And now if you'll excuse me.... Shavlik is ready to patch and so am I.

 

...so you didn't get an email until hours later...

...well then you don't have instant paranoia now do you?

First off we should understand that mail servers take time... so don't expect the Microsoft security email to get to you immediately.  Next you can easily sign up for 'Instant Paranoia Alerts' on MSN....then you will get them and be instantly paranoid....but I think we should give everyone a break on this.

 

Security bulletin 06-001

Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919):
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

Gentlemen start your testing on the real patch

ONE OUT OF BAND PATCH HEADING OUR WAY

 Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help
protect customers from exploitations of a vulnerability in the Windows
Meta File (WMF) area of code in the Windows operating system on Tuesday,
January 2, 2006, in response to malicious and criminal attacks on
computer users that were discovered last week.
 
Microsoft will release the update today on Thursday, January 5, 2006,
earlier than planned.
Microsoft originally planned to release the update on Tuesday, January
10, 2006 as part of its regular monthly release of security bulletins,
once testing for quality and application compatibility was complete.
However, testing has been completed earlier than anticipated and the
update is ready for release.

In addition, Microsoft is releasing the update early in response to
strong customer sentiment that the release should be made available as
soon as possible.
Microsoft's monitoring of attack data continues to indicate that the
attacks are limited and are being mitigated both by Microsoft's efforts
to shut down malicious Web sites and with up-to-date signatures from
anti-virus companies.

The security update will be available at 2:00 pm PT as MS06-001.
Enterprise customers who are using Windows Server Update Services will
receive the update automatically.  In addition, the update is supported
by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and
Software Update Services.  Enterprise customers can also manually
download the update from the Download Center.

Microsoft will hold a special Web cast on Friday, January 6, 2006, to
provide technical details on the MS06-001 and to answer questions.
Registration details will be available at
http://www.microsoft.com/technet/security/default.mspx.
Microsoft will also be releasing additional security updates on Tuesday,
January 10, 2006 as part of its regularly scheduled release of security
updates.

What is this alert?

As part of the monthly security bulletin release cycle, Microsoft
provides advance notification to our customers on the number of new
security updates being released, the products affected, the aggregate
maximum severity and information about detection tools relevant to the
update. This is intended to help our customers plan for the deployment
of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with
any non-security updates released on Microsoft Update, Windows Update,
Windows Server Update Services and Software Update Services on the same
day as the monthly security bulletins, we also provide:

*    Information about the release of updated versions of the
Microsoft Windows Malicious Software Removal Tool.
*    Information about the release of NON-SECURITY, High Priority
updates on Microsoft Update (MU), Windows Update (WU), Windows Server
Update Services (WSUS) and Software Update Services (SUS). Note that
this information will pertain ONLY to updates on Windows Update and only
about High Priority, non-security updates being released on the same day
as security updates. Information will NOT be provided about Non-security
updates released on other days.

On 10 January 2006 Microsoft is planning to release:

Security Updates
*    1 Microsoft Security Bulletin affecting Microsoft Windows. The
highest Maximum Severity rating for these is Critical. These updates may
require a restart. These updates will be detectable using the Microsoft
Baseline Security Analyzer (MBSA).
*    1 Microsoft Security Bulletin affecting Microsoft Exchange and
Microsoft Office. The highest Maximum Severity rating for these is
Critical. These updates may require a restart. These updates will be
detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool
*    Microsoft is planning to release an updated version of the
Microsoft Windows Malicious Software Removal Tool on Windows Update,
Microsoft Update, Windows Server Update Services and the Download
Center. Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
*    Microsoft is planning to release 1 NON-SECURITY High-Priority
Update on Windows Update (WU) and Software Update Services (SUS).
*    Microsoft is planning to release 3 NON-SECURITY High-Priority
Updates on Microsoft Update (MU) and Windows Server Update Services
(WSUS)

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.

Microsoft will host a webcast next week to address customer questions on
these bulletins. For more information on this webcast please see below:
*    TechNet Webcast: Information about Microsoft's Security
Bulletins (Level 100)
*    Wednesday, January 11, 2006 11:00 AM (GMT-08:00) Pacific Time
(US & Canada)
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032287360&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as
details regarding severity or details regarding the vulnerability will
be made available until 10 January 2006.


Thank you,
Microsoft PSS Security Team

Welcome new MVPs

In the Small Business Server category ...so far we have

In other product categories

Welcome on board to the MVP community!

SBS KBs of interest

You experience slow system performance when you run a program that uses the WMI service on a Windows XP SP2-based computer or a Windows Server 2003 SP1-based computer:
http://support.microsoft.com/?kbid=911262
Internet Explorer may delay up to 10 seconds before it starts for the first time in Windows XP:
http://support.microsoft.com/?kbid=907455
Problems may occur when you try to transfer files to or from a device that is connected to a USB 2.0 hub in Microsoft Windows XP:
http://support.microsoft.com/?kbid=908673
How to troubleshoot the following message in Windows XP: "A network cable is unplugged":
http://support.microsoft.com/?kbid=910389
A program closes when you move the mouse pointer over the program file in the Open, Save, or Save As dialog box on a Windows XP Service Pack 2-based computer:
http://support.microsoft.com/?kbid=909486
The computer disconnects from a wireless network after random time intervals in Windows XP:
http://support.microsoft.com/?kbid=910387
FIX: A Failure Audit event with event ID 560 appears in the Security log when you enable object auditing in Windows XP or in Windows Server 2003:
http://support.microsoft.com/?kbid=908473
FIX: An Office 2003 application stops responding for 10 to 15 seconds when you save a document that contains paths to resources that do not exist on the network on a computer that is running Windows Server 2003:
http://support.microsoft.com/?kbid=903087
The My Documents folder is empty after Group Policy is configured to redirect the folder to a new shared location in Windows Server 2003 or in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=911595

The sky must be falling

We have truly gone insane around here.....

Tonight comes this comment....

Is this blog paid for by Microsoft? This was the strangest thing I ever read. The 3rd party patch you're advising people not to install is made by a very respected programmer and is also an advised install by f-secure and others. (and it is reversible once the microsoft patch is released)

Advising people not to patch their machines is just pure stupidity. I didn't know you were a Microsoft Extremist but now I do.

 

For the record, Klas, I can't make your risk analysis for you...only you can.  For number one...that post that I did is a cut and paste from the Security advisory; apparently you didn't read it closely enough, as I didn't post anything in there that wasn't a cut and paste.  For two, this blog comes out of my personal pocketbook, and is thus my opinion and only my opinion....for three, I'm not going on record as advising anything but this....

 

IF YOU DO INSTALL THIS PATCH TEST THIS SUCKER and understand that you have possibly put this in an unsupported position.

 

I find it insane that folks are wanting untested patches on their systems, both in the form of a third party patch or in the form of an untested Microsoft patch.  Sorry folks, but I don't see you in the newsgroups scraping the dead servers off the floor come the aftermath of Patch Tuesday.  F-secure doesn't understand my network, my risk tolerance, my LOB apps any more than Microsoft does.  So if I do my own risk analysis and don't always follow Microsoft's advice, why should I follow anyone else's?

 

I'll bet you a 6 pack of Mountain dews that folks that are wanting a quick untested patch would also be the ones screaming bloody murder when their boxes got nailed by a bad patch.

 

I can't do your risk analysis for you...but neither can F-secure or anyone else.

 

Read this.

 

Make up your OWN mind please.  And I think we need to ask ourselves... if the existence of a patch is the only thing between us and utter doom... we got bigger problems on our hands as we can't patch everything around here.

SBS KBs of interest

Error message in Windows Small Business Server 2003: "Debugging is not supported under current trust level settings":
http://support.microsoft.com/?kbid=910665
Windows SharePoint Services components may be deleted after you reinstall the Intranet component of Windows Small Business Server 2003 SP1:
http://support.microsoft.com/?kbid=909988

ISA server team blog opens up!

ISA Server Product Team Blog : Welcome to the ISA Server Product Team Blog:
http://blogs.technet.com/isablog/archive/2006/01/03/416787.aspx

Very cool....

 

The risk

So as we get back to work all of us have to evaluate the risks… do we deploy a third party patch or do we check our other defenses to see if we have enough in place.  There’s been a couple of interesting threads on this that I wanted to capture.

 

  1. If only they’d rip everything out and make it more secure, we wouldn’t have this.  The reality is folks, when business and security are weighed side by side, business will win hands down each time.  And if we are going to argue that we should rip out and make things more secure from the ground up, you’d better start at the very foundations of the Internet.  TCP/IP is not built with security in mind.  So if you want to build things from the ground up with security, then you’d better start ripping out from that level.  But given that we can’t even kill off Win 98, do you honestly think that this is a reasonable solution?  I’m not convinced that we can secure even things we design from the ground up….again it gets back to that secure enough argument.  Put too many barriers in my way and as a business person, I’ll find a way around those barriers to provide the collaboration we need.
  2. Patches should be released when they are ready, not on an artificial time table and schedule.  Now this is where I will argue against this one, as I’ve been patching for a long time and I don’t think the folks saying this are remembering what it was like before.  The comments are ‘oh, but then patching could be on your timetable’, and I don’t think people understand that patching is not on ‘my’ timetable per se but on the bad guys’ timetable.  It takes a mere 20 minutes after a patch is released to build an exploit.  I honestly don’t think all those folks who are asking for this truly remember the mess patching was a few years back when patches could come out any time, any day.  I will also strongly argue with the folks that say ‘oh just release a patch and then if there is a problem, release another’.  Yeah right, folks, be careful what you ask for ‘cause if you have just one bad patch that would nail our SBS boxes, just imagine how much you’d be screaming after that one.
  3. Getting good feedback.  The one area that I am a bit concerned about is the issue of ‘good feedback’.  There’s a difference between true facts and second hand information.  This event more than any other has proven to me that sometimes relying on others for your info could leave you confused and uncertain.  On the one hand, I’m not sure Microsoft sees all the ‘body counts’ I do since my communities don’t call PSS, don’t have TAMs and what not.  We don’t use the big programs that capture body counts [like Postini and MessageLabs]. I also hope that the a/v vendors are sharing information and not holding it back.  My SBS community sometimes isn’t nailed in the same way as the big server community.  Slammer, I don’t feel, had a lot of impact.  So the problem here is …what is real damage and what is psychological damage?  I hope that the consumer and small businesses are represented well enough when Microsoft makes their decisions, but I don’t know.
  4. Using a third party patch.  I haven’t made up my mind on this one…. On the one hand if you have to depend on a third party patch for your protection because the risks are too great, I’m not sure that’s where we need to be heading.  Maybe we need to ensure we have other layers in place, because I’ve got tons of third party crap on my network, I know I can’t patch it all, and I’m positive that each one is introducing threats into my network.  On the other hand, I don’t like feeling that ‘patch Tuesday’ is being used as the release date for this one.  How many dead bodies does there have to be before an out of band patch is released?

 

It reminds me of my New Year’s trip to Disneyland.  Disneyland is a risk.  Yes, it’s the happiest place on earth, but in reality, folks have died there from accidents on equipment and devices meant to entertain.  I must trust that Disneyland has in place processes and procedures to ensure my day is safe.  But at the end of the day I have to trust that they’ve done their job.  I don’t have the same level of forced trust for my operating system.  I do have more control over it.  So the question becomes…. Whom do I trust?  What is my risk tolerance? 

 

All I know is that it’s easy to say stuff when I’m not the one making the final decisions.

Patch on the 10th

http://www.microsoft.com/technet/security/advisory/912840.mspx

What's Microsoft's response to the availability of third party patches
for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security
update for the WMF vulnerability that we are targeting for release on
January 10, 2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security
updates to ensure that they are of high quality and have been evaluated
thoroughly for application compatibility. In addition, Microsoft's
security updates are offered in 23 languages for all affected versions
of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat
on the affected product. Once the MSRC knows the extent and the severity
of the vulnerability, they work to develop an update for every supported
version affected. Once the update is built, it must be tested with the
different operating systems and applications it affects, then localized
for many markets and languages across the globe.

 

P.S.  That's a cut and paste from the advisory folks... apparently you aren't reading them as this is a verbatim from that...and for the record this blog is paid out of my pocket.