Event 529s I'm ready for Ya

I'm stealing an idea from Jeff Meager in the newsgroup.... he said....

and then don't forget to change the message on the tab:

Okay time to go “fat finger the login” and see if it works!

Big server land versus Little Server Land

There is one thing that both Dr. Jesper Johansson and Steve Riley say in a lot of presentations...they say that “Account lockout has no value”, that it will “cause a denial of service”.  And this is ONE area that I timidly disagree and say... sirs?  I think we can handle this.

• Big server land knows that account lockouts cost $70 a help desk call.
• Little server land says “it doesn't happen that much and we can handle it”

• Big server land says “this is the number one PSS support call“
• Little server land says... “how we set up DNS is OUR number one support issue“

• Big server land says that someone could do a denial of service against our website.
• Little server land says ...”uh...we recommend you don't host a website if you want to be nice and paranoid”

• Big server land says it adds no additional security.
• Little server land says ...”that may be for you, but it lets us sleep better at night”

I think we can handle account lockout.  What do you think?

Allocated Memory Alert on Domain

If you are seeing that like I am I think we're hitting a threshold and we need to bump it up but I still have a SRX [PSS] call open on this.  As you can see tonight WHILE THE BACKUP WAS RUNNING [and mind you mine backs up two machines] and remoting in...and setting up a new monitoring alert [more on that later] and I think I was doing just a smidge too much.  Remind me to call back and see if they want me to kick up the health monitoring a bit.  We've seen a smatterings of them lately and they tend to be Xeon's or Dual Processors.

Just keep an eye out for them and we'll keep you posted.

You know you are a geek when

You know you are a geek when....

• Your best friends who went to the Las Vegas Computer Electronic show and get you a sweatshirt that says “Technology is a girl's best friend“.
• You debate the merits of looking up the TV listings on www.tvguide.com/listings or Media Center Edition with a person online
• You chat more on IM than you do on the phone
• You get goosebumps when a new Dell 19inch flat screen arrives in the office and it can rotate from landscape to portrait and comes with a telescoping stand
• You use the “profile settings“ in Instant messenger to post comments to friends.
• You've taken pictures before of computers that are in public places with BSOD's and error messages [however I'd like to point out that while I've taken photos of these BSOD's, it's another geeky person that I know that actually figured out what the driver error in question was from looking at the digital image on the camera].
• You know what BSOD is without saying “Blue Screen of Death“
• You get a new computer and the FIRST thing you do is load up the Google toolbar and the SearchURL

There are lots more here from another source....and um... for the record.... um.... the Net was on TV this weekend and in the upcoming Advanced SBS book from Harry's Brelsford... and I.....um... I list it as one of my favorite computer related movies.

So you want to be a consultant?

I think this is the year of the consultant.  First I get emails asking about this, the a friend posts a “so you want to be a consultant” on his web site and gets it linked to shashdot. 

Check it out.... a great paper written by a great guy... who probably HATES a SBS 4.0 box these days [long story, long migration, you'll have to ask him about that]

Like yeah, Dude! We do need a MCE Server!

There are times sometimes you want to go.... yo...dude...what have I been saying?  Scoble tonight ponders about a home server.. not a mirraserver but a server based on Microsoft Media Center Edition.  Like YO DUDE...this is what I've been saying for like how many years now?  Especially I said it after touring the E-home at Microsoft.  As we toured the home of the future...well..the home of the future for GUYS as we gals still had to cook and clean and pick up the dustbunnies and what not.  But as we walked around the house I could see.. wow they need a server here.  My friends in LA already have in their closet a wiring cupboard that has the needed router, wireless access point, replay TV connectors, etc.  The house of the future will have a server.

I will wack Scoble upside the head on one thing though, a server in my world is a dedicated box that has dedicated software on it.  The title of this software has “SERVER“ in the name.  Not Windows XP media center or Windows XP.  So many of my fellow computer geeks consider a “workstation“ that they make into the “Mothership server“ role as a server and it's not.  Servers are designed from the get go for maximum “serving“ and they are not designed as a “client“.  MCE is a “client“, not a “server“.

In one of Scoble's link blogs they talk about the lack of a “cult” for MCEers.  Man I guess I'm just more friends with geeks but everyone that I know that have MCEs are quite “culty” about them.  Heck, when two SBSers got together for lunch did they talk about SBS?  No, they talked about MCE. 

So folks..yo..Microsoft... wake up and realize that people are already making the product that they want to have.  A home server. And while we're in rant mode tonight, I was relaying my “computer purchase from h-e-double-toothpick story and everyone in my office says the same thing about their Best Buy Computer experience.  They hate the store.

Build us the product people are starting to want.

Sell it in a better way to us.

Sam the SBS 2003 Server ....the Spammer

We start this interview with Sam the SBS 2003 server

Q.  Hi Sam.... uh Sam?  You okay?

A.  Uh... well.. I'm kinda embarrassed,

Q. Embarrassed?

A.  Yeah, some of my fellow SBS 2003 server boxes ...well their owners and consultants haven't patched me like they should.

Q.  Patched you?

A.  Yes, well just like you would with a car, I need monthly maintenance and that includes patches.  And the thing is Windows Update is not enough.

Q.  It's not?

A.  No, it's not.  You need to visit my download page in addition to Windows Update.  And people running Popconnector and haven't visited that page....well... they kinda got into trouble the other day.

Q.  Into trouble?

A.  Yeah they kinda caused a mess by sending a bunch of emails.

Q.  Oh wow that's a really big mess.

A.  Yeah, a real big mess.

Q.  So what's the best thing to do.

A.  Well obviously download those patches.  And I'd also recommend folks review the password on the Administrator account.

Q.  The admin account?

A.  Yes, by design the admin account cannot have a lockout policy applied to it so it's really important to ensure that a VERY strong password or passphrase is selected for this account.

Q.  That's good to know.  So Patching and Passwords is the lesson for today?

A.  Patching and Passphrases, actually!

Q.  Cool, Thanks Sam!

Hardware, vendors and other rants, oh my!

Wayne pinged me and asked if I had any Netgear PS110 print servers here and I don't.  Seems like the servers just don't want to work on Win2k3 and you either have to buy the 113s or buy some other print server.  Now we all know that hardware firewalls and print servers are just code in a box and you would think that they could just flash it or something but it acts like the vendor doesn't want to do this.  Hey Netgear, how about some better response than this?  Listening out there, Mr. Netgear?

Speaking of vendors, when you buy software these days, do a “Howard/LeBlanc” on it.  A what you say?  A bit of “Secure coding Second Edition” sanity check on how it's set up, what it wants you to do on your system, what it's installing on your computers.  Ask for the specs BEFORE buying the product.  Ask the vendor how “securely coded” they are.  Threat Model that sucker too if you can.  We as consumers have every right to ask how things are setup.

I once had to go up to like third tier tech support to get the right answer when a vendor said they needed an “inbound port 80” connection to our server.  I was like WHAT?  You HAVE to be kidding!  Well come to find out it was like an outbound connection [like we all do outbound connections] and the initial three guys we talked to had no clue. 

If you don't know if the vendor specs are okay, run it by someone more paranoid than you are.  Big firms can do project requirements that lists specifications.  We can't.  But we can start in our own little way start putting the seeds of “hey are you coding right?” into the minds of all software companies that develop for small business.

Wonder if it would be in poor taste to send Scott Cook [CEO of Intuit] a Secure coding Second Edition just to make sure he can hand it to one of his devs to make sure they've read the book.

There are times I love ISA, there are times I hate it

I have a love/hate relationship with ISA server.  Most of the time I love it, but there's that one hour out of the blue that it drives me crazy.  Part of it is my own fault.  I didn't realize when I first setup the server at home, how important it was to put in the right server name [or IP address] to ensure that the Remote Web Workplace would publish properly.  One of these days I need google a resolution of the proper way to remove my unnecessary self certificates as the posts I've seen on the subject so far recommend being careful.  Tonight I was having an issue and probably should not have knee jerk re-ran the Connect to internet wizard, but I did.  And when I did it, the webproxy got stuck and would not restart.  So for anyone else having this issue, this is how I fixed it.  First I was getting these errors in the ICW log file:

calling StartWebProxyService (0x8007041c).
Error 0x8007041c returned from call to CCometCommit::Commit().

-------

CCertCommit::ValidatePropertyBag returned OK
*** CCertCommit::EnableSSL returned ERROR 80070002
*** CCertCommit::CommitEx returned ERROR 80070002

And in the event viewer was this error:

Event Type:    Error
Event Source:    Microsoft Web Proxy
Event Category:    None
Event ID:    11000
Date:        1/28/2005
Time:        6:06:32 PM
User:        N/A
Computer:    SERVER
Description:
Microsoft Web Proxy failed to start. The failure occurred during Reading
publishing rules because the configuration property  of the key
SOFTWARE\Microsoft\Fpc\Arrays\{1D048A10-3BE8-45B1-9670-D878E8E1376B}\PolicyElements\Proxy-Destination-Sets\{0DC896D0-3484-4BC5-926C-E37C43B4B0E4}
could not be accessed. Use the source location 2.546.3.0.1200.365 to
report the failure. The error code in the Data area of the event
properties indicates the cause of the failure. For more information
about this event, see ISA Server Help. The error description is: The
system cannot find the file specified.

I first looked at www.eventid.net and didn't find anything spot on.  Then I googled on what I felt was the most unique thing about that error.  The part that talks about source location 2.546.3.0.1200.365.  I found a Jim Harrison post that gave me a clue:

What that error is saying is that:
1 - there's a protocol rule ("Reading protocol rules") that is referencing
a certain Client Address Set ("Client-Sets")
2 - the Client Address Set "{0FEE7518-FC55-48D1-9DB4-CB3949983e16}" likely
couldn't be located in the Policy Elements
("PolicyElement")

Start Regedit and drill down to:
  
HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{7A3F7837-26E0-4410-A364-DC70E360B72E}\PolicyElement\Client-Sets
...do you find a key named "{0FEE7518-FC55-48D1-9DB4-CB3949983e16}"?

You'll have to search your protocol rules to see which one is complaining
about a missing Client Address Set.

I realized I had a mismash of protocol rules that wasn't matching the registries, so what I did was to manually delete all protocol rules, manually delete all web publishing rules [you have to do the protocols first and then the web publishing] and then I reran the connect to internet wizard and all was well and the wizard would run.

By the way you have gone into the folder called Program files, Microsoft Windows Small Business Server, Networking, ICW and there are included in there an HTM file of what exactly the wizard did

Run the Configure E-mail and Internet Connection Wizard to connect your server to the Internet.

A key function of Windows® Small Business Server 2003 is to configure Internet services to the small business network.

To configure Internet services, use the Configure E-mail and Internet Connection Wizard.

The wizard is designed to correctly configure settings for your network, firewall, secure Web site, and e-mail services that are used when connecting your computer running Windows Small Business Server to the Internet. Additionally, you can use the wizard to return your server's network configuration to its original state.

There are four components for the wizard:

• Configure networking. Define the type of connection that your server will use to connect to the Internet. The wizard is designed to support either a broadband or dial-up connection.
• Configure firewall. Secure your network by preventing unauthorized access to and from your local network. When you enable the firewall on your server, several standard services are allowed through the firewall to ensure Internet connectivity. You can also allow predefined Web services, predefined services, or custom-defined services through the firewall by using the wizard.
• Configure secure Web site. Allow access to specific Web services or to your entire Web site through the firewall from the Internet. You can select to allow access to the entire Web site or only specific Web services. Specific Web services include Outlook Web Access, Outlook Mobile Access, server performance and usage reports, Remote Web Workplace, and the Windows SharePoint™ Services intranet site. When you allow access to a Web service, the service is also automatically configured to use Secure Sockets Layer (SSL) to secure communications between your server and a Web browser.
• Configure e-mail. Specify how you will send and receive Internet e-mail. Based on the information specified in the wizard, a Simple Mail Transfer Protocol (SMTP) connector is automatically configured, which is necessary for your Exchange server. You can also configure the Microsoft Connector for POP3 Mailboxes to download mail from POP3 mailboxes at an Internet service provider (ISP). When you enable Internet e-mail, you also have the option to remove specific types of e-mail attachments from incoming Internet e-mail.
• Troubleshoot network problems. If the network configuration of your server becomes corrupted or changed in any way, you can reset the configuration simply by running the Configure E-mail and Internet Connection Wizard again.

Note

• If you want to run the Configure E-mail and Internet Connection Wizard at a later time, click the Connect to the Internet task on the Manage Internet and E-mail taskpad in Server Management. To open Server Management, click Start, and then click Server Management.

Look for an htm called ICWdetails__.htm and it will let you know EXACTLY what that wizard did:

SUMMARY OF SETTINGS FOR CONFIGURE E-MAIL AND INTERNET
CONNECTION WIZARD

This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.

NETWORKING CONFIGURATION SUMMARY

After the wizard completes, the following network connection
settings will be configured:
Connection type: Do not change

FIREWALL CONFIGURATION SUMMARY

After the wizard completes, the following firewall settings
will be configured:

Internet Security and Acceleration (ISA) Server will be
configured as follows:

	Disable existing filters that may create a filter
conflict.

	Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and
Support.

	Create the following additional filters:
	E-mail
	Virtual Private Networking (VPN)
	Terminal Services
	For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and
Support.

	Create the following custom filters:
	SBS Remote Web Workplace CustomFilter, 4125, TCP
	NTP, 123, UDP

	Add the internal domain name for Windows Small
Business Server to the local domain table (LDT) of ISA
Server to allow ISA Server to route internal network
requests on the local network.

	Enable IP routing.

	Disable automatic discovery as this interferes with
IIS as both ISA Server and IIS attempt to bind to port 80.

	Configure the Web listeners to receive incoming http
requests using Small Business Reverse Proxy Listen Entry.

	Disable the H.323 Application Filter for video and
audio conferencing for security.

	Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

	Add the loopback adapter IP address of 127.0.0.1 to
support the http://localhost for IIS.

	Create an incoming Web request listener and bind to
IP address of server’s local network adapter to allow ISA
Server to handle Web requests from the Internet.

	Set the incoming Web request listeners to allow a
maximum of 300 connections from the outside. This improves
system availability and reliability by mitigating
denial-of-service attacks against your Web site.

	Ensure that the publishing rules created by the
wizard are listed first in the order.

	Create publishing rules to route appropriate
incoming Web requests to the server’s local network
adapter.

	Create a Web publishing rule for Outlook Web Access
that publishes the following IIS Web site directories:
/exchange, /exchweb, and /public.  This publishing rule
routes appropriate incoming Web requests to the server’s
local network adapter. Additionally, Outlook Web Access will
be configured for Forms Based Authentication (also called
Cookie Authentication). The Public folder is also configured
to accept Windows Integrated Authentication.

	Create a Web publishing rule for the Remote Web
Workplace that publishes the /remote IIS Web site
directory.

	Create a Web publishing rule for the Server
performance and usage reports that publishes the /monitoring
IIS Web site directory.

	Create a Web publishing rule for Outlook Mobile
Access that publishes the following IIS Web site
directories: /OMA and /Microsoft-Server-ActiveSync.

	Create a Web publishing rule for Outlook via the
Internet that publishes the /rpc IIS Web site directory.

	NOTE:  Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
connections.
Internet Information Services (IIS) will be configured as
follows:

	Configure http.sys driver to only bind to the local
network adapter to prevent IIS from conflicting with ISA
Server on the ISP network adapter.

	Disable socket pooling.
	Set DNS to listen to only to the local network
adapter.
	To only listen on the local network adapter. This
allows ISA Server to monitor incoming Web requests from the
Internet.



SECURE WEB SITE CONFIGURATION SUMMARY

After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
The Web server certificate required for https:// will be
created for the following Web server name: domain.com
	Create a Web server certificate named ISAcert.cer in
the \sbscert folder and also install this certificate into
ISA Server. This certificate is required so that you can
access secure Web sites on the computer running Windows
Small Business Server if ISA Server is installed.
ISAcert.cer is configured for ISA Server for external Web
clients. Create an additional Web server certificate named
Sbscert.cer and install this certificate in IIS, which is
used by internal clients and by redirected Web requests from
ISA Server.

	The incoming Web listener is configured to use the
ISAcert.cer certificate.

E-MAIL CONFIGURATION SUMMARY

After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
e-mail.
	Keep the existing Internet e-mail configuration.

After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
updated.
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so
on.

Man... I told you someone in the SBS dev team was a beancounter in a prior life.  See people?  Do you REALLY want to do that by hand? 

So anyway I had an extreme low tolerance for tech issues tonight, called Microsoft PSS.

What's funny is that because I ended up fixing the issue myself while on the call, they refunded the call.  ;-)

Migration just sucks, let's face it

I want to revisit yesterday's blog post talking about different ways to go from point A to point B.  There's something that is glossed over in the “zeal” to showcase that SBS 2003 is just...well it's just Windows 2003 [other than we are SO much smarter than plain Windows 2003 that we dont' allow Terminal Server on our Domain Controller ...but that's another hotly contested blog post].  Nearly anything you can do with migrating from/to Windows 2003, you can do with SBS 2003.

But, there's something to remember in all of this talk of migration.

Let's face it.  The process sucks for the consultant.  You are ripping out a working network and hopefully not walking off a deep cliff that you can never return from again.  The Official Microsoft ADMT migration method is the one that Mothership Microsoft will support. 

No matter whether you do it the old fashioned SBSland way of “clean install“, rejoin the domain, and then attempt to make your users are happy that you kinda put their desktops back the way they were, or any other method, migrations is just kinda sucky.  It's equivalent to choosing a “C-section“ or a “natural birth“ method.  Both have the same result. Both can have issues.  Both can have side effects.  Both involve pain and drugs [drugs in the IT migration case is in the form of caffeine].  Both have huge rewards at the end.

Kinda like we joke about when learning SBS for the first time [install it once, screw it up, install it twice, take notes, install it a third time to check your notes], the same thing is true for a migration plan, you need to test.  Even then, stuff happens.  If you have never done even the Microsoft ADMT migration method before, your client is not the one you should be practicing on.  And for those DIYers like me, realize that I've got a support net that's second to none.  [Admittedly though when I needed to rerun the Connect to Internet wizard tonight and ISA web proxy was barfing, it was the fact that I had a laptop still able to get out to the web to find me support that helped better than the Tech Call I made to Microsoft.  [More on this lovely event in a separate blog post]

So what's my point here?  My point is that whatever migration path you choose, be comfortable with that path.  Know why you chose it, why it's the best plan of attack for your situation and just be prepared.  It is doable.  It is possible. We do have options.

Just remember that you can have

• SBS and a file and print server.
• SBS and side web server in a DMZ
• SBS and another SQL server [with cals and what not extra]
• SBS and a terminal server
• SBS and multiple servers
• As long as you stay below the magical limit of 75, you can add any number of servers.

I am constantly amazed by the number of people think that SBS can only be the one server.  Oh and Backup Domain controller or BDC on a SBS network?  I've given up trying to correct anyone about the “BDC thing”.  It's a leftover from the NT 4 days and isn't relevant anymore...but if you ask me “Can SBS support a backup domain controller?”  I'll probably say yes because I've given up trying to correct the Universe over that misconception.  But yes, we can add additional domain controllers, and member servers, and file servers, and print servers, and......well just keep thinking of the possibilities...NOT the limitations.

Carpe Migration... seize the roles!

From the mailbox today comes this question:

I've read some of your Blog regarding SBS2K3 and I'm interested in deploying it my company. But still abit hesitant because of the limitations 'imposed' by SBS2k3.  [my comments:  you see limits... I see ... in fact, I KNOW I have possibilties]

I am encourage by the fact that you guys have done it.  [not just me, many of us]

Though I would like to get your expert advice I'm considered newbie in terms of Server Administration. [that's okay we're all newbies]

Anyways currently i have two Win2k Server one is a PDC that serves as AD and file & print server and the other is my BDC which server as IIS and other stuff.
I would like to know what is the best solution?...

Well planning to get SBS2k3 because of all its functionality and price.  [don't blame you]

1. Is it possible if I upgrade my AD to SBS2k3? [yup]

2. Setup a new machine as SBS2k3 and join the 2 win2k servers. [yup that too - it's called siezing [or preferably transfering] the FSMO roles but it's more like “they“ are joining the SBS box]

Hope you could give me some thoughts and ideas about this would appreciate it alot.

The key element to remember here is that SBS 2003 has to be the PDC and hold all the primary FSMO [weed gunk] roles of the network.  As long as you keep that in mind you can slide in a SBS 2003 box, with no problem.  So what options do we have when migrating from ___ to ____.

Windows NT - Thank gawd you are killing it off to SBS 2003

• Official Migration document of NT to Small Business Server 2003
• Alternative Swing method at SBSmigration.com

SBS 2000 OR Windows 2000 to SBS 2003

• Official Migration document of SBS 2000 or Windows 2000 to Small Business Server 2003
• Alternative Swing method at SBSmigration.com

SBS 2003 to SBS 2003 [upgrading for new equipment because you found you REALLY like SBS]

• M&M's upgrade method
• Alternative Swing method at SBSmigration.com

A little bit of Wolf

So I was helping out an SBSer and doing some investigation of the server and tonight was reading Robert Hensing's posts on “Anatomy of” and Wolf.

Wolf you say?  See when the PSS team [either technical support or in this case Security] want to further investigate they give you a bit of code to pull a detailed file of your system.  It's how they can look at the box and see what's up.  It's kinda cool the information that they can use and review.

Remember my ranting about knowing your log files?  Tony rightly points out that the manual installation setup of ISA server 2000 [our current one] on SBS 2003 does not set up monitoring out of the box and you/we need to ensure it's turned on.  Go into ISA management, click on monitoring configuration and ensure that the logging of ISA is what you want and it is enabled like you want it:  This is the default for the packet filters one.

Remember the default location where the log files will be:

I cannot stress enough how important it is to have these audit log files turned on...for the firewall, for the IIS, for the security log, don't disable ANY auditing.  If you think the log files are too “noisy“... tough.  Deal with it.  Trust me, you'll want that “just in case“.  Windows 2000 didn't have much event logging enabled.  Windows 2003 does.

Robert Hensing points out the other advantages of 2003 and I'd like to point out our comparisons in SBSland:

• 2003 allows you to set up a blank password but YELLS loudly when you stupidly do [but keep in mind that if you do this [now hold on to your hats folks because this is a true statement, as stated by password experts] this blank password can not be access via the network.  So if we truly wanted to “lock“ down our Administrator account from an Internet outsider brute attack, we “could“ make it blank.  Now I'm not quite sure that I'm quite comfortable with a blank password thank you very much INSIDE my office... so I think I'll opt to have a STRONG longer than 15 character password on my admin account.
• We DO have a firewall that if we use two network cards it is enabled BY DEFAULT.
• We don't quite have everything off by default, and that's actually why you don't want to run the Security Configuration Wizard on our SBS boxes as we are pretty darn tuned as it is.

If I could tell every SBSer in the world what's the one thing they could do to make their systems more secure...what would I tell them?

I'd say get the fear of God and Dr. Jesper Johansson in you and choose better passwords....excuse me..... passPHRASES.  Start with that ONE small step... one change in human behavior and you make one GIANT leap for a more secure system.

So should I tell him the info for Outlook over HTTP is right under his RWW?

So I'm looking at RSS feeds and notice a person who is having a hard time configuring Outlook over Http on his SBS 2003.

pssst... should I tell him that his information was right under his nose...or I should say.. right under his RWW? If he logs into Remote Web Workplace [your domain/remote]

See that icon in that RWW login screen? It's the exact customized howto to set up Outlook over HTTP on a SBS box.  If you don't want that info, there is also the detailed info at the Magical M&M's site.

Using Outlook via the Internet

If you are using Microsoft® Office Outlook® 2003, you can connect to the computer running Windows® Small Business Server through the Internet using the feature called RPC over HTTP. This means you can remotely access your server e-mail account from the Internet when you are working outside your organization's firewall. You do not need security-related hardware or software (such as smart cards or security tokens), and you do not have to establish a virtual private network (VPN) connection to the server.

Comparing RPC over HTTP and Outlook Web Access

When using RPC over HTTP to access your mailbox, you get the full functionality of Outlook 2003. For example, you can work offline, use Microsoft Office Word 2003 as your e-mail editor, and easily organize your mailbox.

On the topic of logging

I always joke that someone on the SBS dev team must have been a beancounter in a previous life due to all the log files that SBS has automagically.  Eriq Neale has a great blog post about SBS and logging on his blog.  [by the way if you haven't met Eriq before, he's the resident guru in the SBS communities of SBS and Mac [and obviously as this post points out, he ain't bad at just SBS stuff  ;-) 

So have you read your log files today?

You heard me.  Have you looked at your log files today?  Today I was looking at the log files of a SBS box and in looking at the Security Log files, the IIS log files we found we were missing one key element.  The firewall log files.  Today I was looking at a security log file with a bunch of event 529 codes which indicate bad login [more security code analysis here] we had one big problem.   We didn't have the firewall log files to then make the connection between the Security log files and the IIS log files and compare the patterns.  There was a pattern of 529 codes and then a patter of 680 codes.  Furthermore the error code was

0xC000006A

An incorrect password was supplied which means there was indeed an incorrect password given.

Product: Windows Operating System

ID: 680

Source: Security

Version: 5.2

Symbolic Name: SE_AUDITID_ACCOUNT_LOGON

Message: Logon attempt by: %1

Logon account: %2

Source Workstation: %3

Error Code: %4

Furthermore in the firewall logs you should be able to see exactly what IP address they are coming in from. 

Unfortunately we don't have that.  We do have the IIS log files that we can do a bit of analysis on but it may not be a bad idea to review what the IIS is logging as default and what we may want to kick up.  The default of the SBS IIS logging looks like this:

Now that we've reviewed that .. do we know where the IIS log files end up?

In that location and in that naming sequence.

So where's the log files on SBS standard if you use a two nic setup for it's firewall?  Hmmm...good question.. I'm not really sure myself.  Okay looks like it's here:  C:\WINDOWS\system32\LogFiles but I can't tell if there is logging enabled?  I think I may ask around.. I know that we get a RRAS report of the firewall use, but not sure where the data get stored for long term analysis.

For SBS 2003 Premium, you must make sure that you set up the monitoring in ISA to view the log files [soon to be ISA 2004] and I'll admit that I use Excel many times for that log file but you can use the tools at isatools.org

So on your firewall, whereever it is. Have you looked at YOUR log files lately?  Are they as tweaked as they can be?

Yes it's secure

Amy 'girl power for ISA server' of Harbor Consulting Services has started an ISA on SBS blog.  You go girl in telling them “Yes it's secure”.  I was finishing up the review of Protecting your Windows Nework by Dr. Jesper Johansson and Steve Riley and he [Steve] had a sentence in there that was along similar lines and I felt like giving him a huge hug..... hmmm or maybe I'll ship him a six pack of Mountain dew.....

Man, do we get tons of grief about ISA on our domain controller, but man do I like the fact that with Shavlik I can monitor it's patch status.  And while Matt is TOTALLY correct in saying that firewalls are ALL software, the reality is for my hardware firewalls, I just don't monitor them like I do when the are part of the integrated network.

Amy's ISA blog up on the links on the side!

The SBS "Fresno" Version

How to determine the channel that your copy of Windows Server 2003 was obtained through:
http://support.microsoft.com/?kbid=889713

Hmmm that's an interesting KB.. doesn't list SBS nor the Fresno version, but interesting nonetheless.

What?  Haven't heard of the Fresno version?  Count yourself lucky.  We call it the Server For REally Small NetwOrks.  Get it?  It's this stripped down version that is our core operating system that if you buy it you either .....

• Screwed up and got the wrong SKU
• Your vendor screwed up and got the wrong SKU
• You thought you'd be cheap and buy it as a member server operating system [wrong! can't do trusts]

We've seen it around the newsgroups, but it's like such a rarity, and mostly when someone has it ...the bought the wrong product.

The Right SKUs are listed on the page here.

• Remember.. if you are a SBS 2000 software assurance customer you GET SBS 2003 premium with ISA and SQL automagically.
• Remember.. if you are an existing SBS 4.0/4.5 OR 2000 customer you are eligible for the version upgrade and you get the premium edition [ISA and SQL]
• Remember.. got any other licesning questions the best places are the Official Microsoft Small Business Channel web site, listserve and blog.

Q.	What is Windows Server 2003 for Small Business Server?
A.	Windows Server 2003 for Small Business Server is designed for partners who want to deliver a server solution based on Windows Server 2003 as part of their product offering. It provides the same version of Windows Server 2003 that is used by Windows Small Business Server 2003, but it has none of the added features included in the standard edition or premium edition of Windows Small Business Server 2003. Windows Server 2003 for Small Business Server has the following restrictions: • Only one computer in a domain can be running Windows Server 2003 for Small Business Server. • Windows Server 2003 for Small Business Server must be the root of the Active Directory forest. • Windows Server 2003 for Small Business Server cannot trust any other domains. • A Windows Server 2003 for Small Business Server domain cannot have any child domains. • Each additional server must have a Windows Server 2003 for Small Business Server client access license (CAL). You can use CALs for each user or for each device.   P.S.  Fresno is my hometown so I get the right to joke about the SBS Fresno version  ;-)

SBS Kbs of interest

Project Morale

Sometimes a big project takes time and you need to build team morale.  Sometimes it's as dumb as buying pizza when folks are working late.  Sometimes it's Root Beer... yup.. Root beer.  About 4 p.m. when the brain has totally fried, we take a short break for a sampling of root beer.  But not just any root beer.  It's root beer ordered over the Internet.  [Is there any other kind of ordering if you think about it?]  This year I'm ordering once again the 24pack of Root beer from Pop the Soda Shop.

Projects can be long and nasty and sometimes you just have to set small goal or reward.  Sometimes it's as stupid as a favorite food.  Sometimes it's as stupid as a quick day break. Sometimes it's an “attaboy” for those employees giving it their all.

Rewards...even small ones... even as dumb as root beer shouldn't be overlooked as “goal rewards” in projects.

So what are your best resources for Project Morale?

I just got the "Networking Infrastructure Solutions" for SBS 2003 from the Action Pack

I just got the “Networking Infrastructure Solutions“ from the Action pack and the diagram for networking on the back is a single nic setup.  I just don't get it why every single time I see an official Microsoft “small biz” setup it's a single nic.  You would have to pry my cold dead fingers off my two nic ISA server setup at the office and my two nic RRAS server at home.  I don't want to rely on a hardware router firewall as my only protection and I'll tell you an excellent reason why.

My router at home DIED tonight and was causing such excess packets that it was slowing down my network connectivity.  Now why do I want to rely on a firewall that I haven't patches or bios flashed since the day I bought the dang thing?

I want a stupid cheap firewall on the outside and then my big beefy ISA server firewall on the inside.  [and not to mention in a few short months ISA 2004 as part of SBS 2003 sp1 which we will get as premium customers for a nominal handling and shipping fee]

I do agree with one push in the document.  The push to migrate OFF of Windows NT.  It seems like everywhere I go people are interested in migration.  And yes for the record you can even migrate from Windows 2003 and Exchange 2003 to SBS 2003.  Now why you'd want to buy the normal stuff in the first place I have no idea.  ;-)

Can you put CRM *and* Great Plains on your SBS 2003?

From the mailbag today comes a question from James regarding how much you can put on one SBS 2003 box.  Good question.  I'll check with my gurus.  I know that you can put CRM on SBS and infact the information is included in the CRM documentation.  In fact there's an excellent CRM community at the MS CRM listserve that's headed up by the guru of SBS on CRM, Scott Colson.  But I'm not sure about the combo of Great Plains and CRM.  I'll get back to you on that one.

One thing that I probably would recommend is that you think about doing a joint venture with a MS partner that already does Great Plains or any other of the Accounting applications or Customer Relationship Managment.  To set up a network is one thing.  To set up an accounting installation is something totally different and is a different mindset as you need to analyze document flow.  I'll ping up with Jeff Loucks who along with Chad and Scott areprobably our best “SBS *and* persons around.

Starting February 1 is a huge CRM+SBS partner push to expand the marketplace.  Hope Scott is ready for all the new community members :-)

Choosing good passwords - correction - pass phrases

Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

• Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.  [my note... I think we'll all agree that we're kicking this one up past 14 in our own consultant recommendations]
• Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Numerals (0 through 9)
  • Nonalphanumeric characters (such as , !, $, #, and %)
• Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.
• Policies go into effect. You can specify when the policies take effect. The default is three days, but the range is "immediately" to seven days.

  You can choose to configure the password policies immediately or after a specified period of time. If you choose to configure password policies immediately, you must use strong passwords to log on to each client computer. You can simplify the process of setting up client computers by choosing to delay configuring the password policies until your configuration is complete. You will be able to work on the client computers without the password policy restrictions. If you use this option, choose to enable the policies after you have set up the client computers but before the users log on for the first time.

  P.S.  remember though...stop thinking passwords...think passphrases!!

So I brute force cracked a password yesterday

So I brute force cracked a password yesterday....It was a 6 character password with one capital letter, one number and the rest lowercase.  I password protected an Office document and then used an Elcomsoft.com program to see how long it would take to brute force crack it.  I came to the conclusion... two things....

• I need a faster computer - it took about a day and a 1/2 to brute force break the password
• And 19,770,609,664 different possible passwords still takes a while to go through.

Now normally I would have no idea whatsoever that a 6 character password like that would have that many passwords to try but I was swapping emails with the guru of passwords, Dr. Jesper Johansson as I was reviewing a chapter on passwords in his and Steve Riley's upcoming book called Protecting your Windows Network and the topic of brute force attacks on Office passwords came up and I was doing a bit of testing to see how long it would take.   

SuperG took a poll of how many of us truly renamed the Administrator account and I'll admit to not doing that.  But I do admit to changing the passwords every 90 days AND my password on that account and others is longer than 14 characters.  I'm the password “wrangler” in my office and the one in charge of saying to folks.. no it's time... not that's not good enough... no pick something else.  Six or seven characters for an Administrator password account is just not good enough these days.  Especially that Admin account, protect that one with a long password or passphrase.  You shouldn't be logging into that account that much anyway.

It's the human thing not a technical thing that I think keeps you the safest.  Letting people know that blank spaces are just fine in passwords.  A small phrase is fine.  Weird stuff like ! and & and other wacko things are great.  Technology will not protect you from weak passwords.  You must inform your small business clients of HOW important this is.

Think about your bank account ATM for a moment.. what protects that?  4 numbers.  I don't even want to think about the lack of password combinations in that one.

Kinda scary isn't it?

Excuse me while I go check my bank balance and change the password on my Amazon.com account which also has a sucky password.

So you want to change the Administrator account name?

Sometimes we feel the need to be extra paranoid in SBSland and that includes making sure the password on the Administrators account is EXTREMELY Dr. Jesper Johansson approved long and hard to crack.  There's also another step you can do BUT remember you may need to then change ALL third party software logins as well... so just be prepared.....

Securing Your Windows Small Business Server 2003 Network http://www.microsoft.com/technet/security/secnews/articles/sec_sbs2003_network.mspx
This document helps you to more securely configure your Microsoft Windows Small Business Server 2003 network. By completing the tasks in this document you can better protect the availability, integrity, and confidentiality of your network.

Inside this document are the instructions to change the Administrator's account.  BUT don't forget to also change the “description“ so it doesn't say “this is the build in administrator's account that the do do brain didn't take the time to change the description so I can still see that it IS the administrator's account“.  Remember too while I say in Harry's upcoming book that PSS have not gone on record in the past as supporting this, the guidance is out there:

SBS Knowledge base articles of interest

"No Updates Were Installed" error message when you try to install an update from the Windows Update Web site on a computer that is running Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=887425
Event 1030 and event 1058 may be logged, and you may not be able to start the Group Policy snap-in on your Windows Small Business Server 2003 computer:
http://support.microsoft.com/?kbid=888943

Your domain user name may not be accepted in Windows Server 2003 or in Windows XP:
http://support.microsoft.com/?kbid=887710

File upload in Internet Explorer 6 to a Web page may time out or take longer than expected to complete in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=889334
You may receive the "The local device name is already in use" error message when you try to restore a network mapping connection to a shared network folder on a Windows XP-based client:
http://support.microsoft.com/?kbid=890413

How to disable MSN Messenger 6.0 traffic in ISA Server 2000:
http://support.microsoft.com/?kbid=891598

RAY-ISM: So you want Outlook to stay with POP being the default on the client not Exchange?

While I think POP pulling into a workstation is silly as you should use the power of your server, if you absolutely positively MUST have your Outlook on your workstations individually POP AND do Exchange you'll want to make the POP be the “main honcho” of the mailbox.

A post in the newsgroup and a response from Les reminded me of this reg fix [originally posted by Ray-the Man Fong so I'm categorizing it under Ray-ism in honor of Ray Fong who graciously and patiently put up with a bunch of rowdy SBS MVPs in Charlotte, North Carolina]

At the client, create the following registry key:

Location: HKLM\Software\Microsoft\SmallBusinessServer\ClientSetup
Name: NoTransportOrder
Type: REG_DWORD
Data: 1

So exactly "what" does connect computer do anyway?

Remember I said how we add the domain/connectcomputer to the IE trusted zone to properly run it?  So exactly what does connect computer script do anyway you ask?

psst... yes it DOES do way more than manually connecting the computer to the network through the control panel:

Client Configuration
 The following section outlines the automatic configurations performed as
 part of client Setup for client computers running Windows XP
 Professional and Windows 2000 Professional, based on best practice
 implementations.
 
  Important: To connect client computers to the network, use DHCP to
 automatically assign IP addresses.
  
 Client Networking Configuration
 Once you have added users and computers using the To Do List, go to the
 client computer, open Internet Explorer, and type http:// ServerName
 /connectcomputer (where ServerName is the name of the computer running
 Windows Small Business Server). Click Connect to the network now, and
 follow the instructions in the Small Business Server Network
 Configuration Wizard to configure networking settings for your client
 computers. The wizard requires the following:
 
  • You must be logged on as a member of the Local Admins security group
 on the client computer.
 
  • Only one network adapter can be enabled and configured to connect to
 the local network.
  
 • TCP/IP, Client for Microsoft Networks, and File and Printer Sharing
 for Microsoft Networks must be installed and bound to the network
 adapter. TCP/IP is configured to automatically obtain an IP address and
 DNS server addresses.
  
 Client Application Configuration
 After the applications that have been deployed by the Set Up Computer
 Wizard are installed, they are configured for each user and for the
 local network. The following settings are configured:
 
 Microsoft Internet Explorer 6 Service Pack 1
  
 Internet Explorer 6 provides the Web browser for client computers.
 Client Setup Configuration configures Internet Explorer 6 as follows:
 
  • The Home Page is configured to point to “My Company” (http://companyweb).
 
  • The following internal Web site links are added to the Favorites list
 Web site:
  
 Web site Address
 Microsoft Windows Small Business Server Web site
 http://go.microsoft.com/fwlink/?LinkId=17117
 
 My Company
 http://companyweb
  
 My E-mail
 http://sbsserver/exchange
  
 Information and Answers
 http://sbsserver/clienthelp
 
 Small Business Server Administration
 http://servername/tsweb/Default.htm?AutoConnect=1
  
 Microsoft Office Outlook 2003
 
 Outlook 2003 provides a single location for organizing and managing
 daily information, from e-mail and calendars to contacts and task lists.
 Client Setup Configuration configures Outlook 2003 as follows:
  
 • A user profile is created and configured to use Exchange Server 2003.
 The profile specifies Exchange connections and defines account information.
  
 • If the client computer contains existing profiles, the option for
 using Exchange is added and a new profile is created as the default. The
 old profile is backed up.
  
 • If you specify that the client computer will be used remotely, Outlook
 2003 is configured to run in Cached Exchange Mode.
 
 Fax Client
 
 Fax Client enables users to send faxes directly from their desktops.
 Depending on the user permissions, users can view the status of faxes in
 the queue or cancel faxes. Client Setup Configuration configures Fax
 Client as follows:
  
 • Outlook is configured with faxing capability.

Adding Les's comments:

First, there's the whole server site setup that enables and configures
dependencies and configuration options that connectcomputer funcionality
uses. Not discussed here, except to say that you'd have a virtually
impossible task uncovering all of the pieces touched. And if you didn't use
the SBS setup wizard, then you may as well hang up right now and fdisk.

1. Checks Client OS and takes appropriate path (ATAP)
2. Causes an activex control to become available.
3. Determines whether the computer is or is not a member of the domain, and
is or is not a DC or SBS server, (ATAP)
4. Tests resolution to the SBS server (ATAP)
5. Checks for multiple non VPN network connections (ATAP)
6. Checks account permissions, allowed to join computer to domain?
7. Assigns users, and migrates local profile(s), if they exist, to domain
profile (SID mapping)
8. Assigns requered local permissions to domain user account.
9. Provides selection of computer name from list, automatically if there is
one-to-one mapping of user/computer on the SBS.
10. Joins the domain (creating a temp user account for autologon to ease the
process) - including getting the client computer in the correct AD OU so the
GP applies correctly.
11. Sets some runonce reg keys to clean up after the above process.
12. After required input is provided, steps through the above process,
including automatic restarts as required.
13. Now we are into Application Deployment (Susan shows some on her blog).
This is seen on the workstation as the Client Setup Wizard, which is
automatic on login after the above 12 main steps are complete.
14. The list of configurations made after Application deployment:
My network places
TAPI information
Connection Manager
Fax Printer
SSL Certificate
ActiveSync (special, just for SBS and mobility devices)
IE
Outlook
Additional global settings:
DNS Timeout Value
Deleted Item Recovey
Remote Desktop permissions
Network Printer(s)
Disable getting started screen (annoying XP thing)
Disable ICS
(used to turn off ICF, but now handled by GP (xp firewall settings))
Disables network bridging

Note also, we're talking client computers here, but connectcomputer also
knows what to do with member servers ;-) .

If you think you can or want to do all this manually, please be my guest.
This is not the most complex wizard on the box. The wizards are a brilliant
piece of engineering, IMHO you are nuts if you ignore them.

This is either good or bad ... depending on how you look at it

It's good that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
It's bad that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
Just a heads up ...they know our "google parts" How do you stop this?
 
First off... don't click the button in the connect to internet wizard to 
“expose the entire web site” Next... if you are stupid enough to do 
THAT one, I'm copying a post from Alan Billharz 
 
Some customers may wish to exclude their SBS 2003 installation
from the scope of Web search sites such as Google.com.  This
may be because you would prefer to restrict knowledge of your
installation only to those who can use it, or, you may want to 
keep some portions of your site (e.g. Business Website) 
searchable while keeping other portions under the radar 
of Web search sites. There is a way to do this using 
the Robots Exclusion Protocol.  
By placing simple text file at the root of your Web site,
you can tell Web search robots which parts of the 
Web site are open for search.I've attached 
two versions of robots.txt that I've whipped up 
for my SBS2003 server:  
 
1.. robots.txt - Allows search of your business Web site 
but hides SBS-specific  sites from search robots.  
2.. robots2.txt - (Must be renamed to robots.txt) 
Denies search of your entire Web site .
For more information, 
check out these sources: http://www.robotstxt.org/wc/robots.html
http://www.searchtools.com/robots/robots-txt.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
Many Web sites implement this functionality.  
For example, you can check out 
http://www.cnn.com/robots.txt .
Please respond to this post if you have any questions 
or comments - let us know how this works out for you!
Thanks,Alan Billharz
--------------------------------------------------------------------------------
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to allow search engines to catalog your Business Web site, but not catalog the other 
# SBS-specific Web sites. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
 
User-agent: *
Disallow:   /_vti_bin/
Disallow:   /clienthelp/
Disallow:   /exchweb/
Disallow:   /remote/
Disallow:   /tsweb/
Disallow:   /aspnet_client/
Disallow:   /images/
Disallow:   /_private/
Disallow:   /_vti_cnf/
Disallow:   /_vti_log/
Disallow:   /_vti_pvt/
Disallow:   /_vti_script/
Disallow:   /_vti_txt/
--------------------------------------------------------------------------------
 
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to prevent all search engines from cataloging your Web site. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
User-agent: *
Disallow: /
 
P.S.  This will be included in the SBS 2003 advanced 
book by Harry Brelsford

Reading those audit log files

I was googling and stumbled across a KB article and thought I'd stick it up here

Codes for the audit logs:

Want to be a "member" of the site?

Jut got an email in the mailbag and this is not the first time I've gotten this question:

How do we become members of your site?

Well see it's like this... it's not really a member site.  You see, that login box is just my username and password to post.....it's just a blog for a wacko SBSer who just kinda does this to relax at the end of the day [I told you I was weird].  But see there are other places where you can become a member of ...it's up to you the “kind” of participation you want.  But if you want to want to join in a peer sharing enviornment we have TONS of options for you:

Starting off with newsgroups, the SBS2003 newsgroup needs Outlook Express or Thunderbird to be read properly.

Want listserves?  We got those in different flavors:

• smallbizit - for sales and marketing
• sbs2k - for technical side of SBS [all versions]
• mssmallbiz - the Official Microsoft Small Business Community Listserve

Just click on each to join

Next we have websites with SBS forums

• http://www.smallbizserver.net with the Magical M&Ms
• Nick's place on the Minasi web site
• Handy Andy's forum

Chats?  We've got those too

• Handy Andy's web chat

And how about face to face meetings?

• We've got those too!
• And if you don't see one...attend a TS2 event and ask to make an announcement to start your own!

See SBSland is kinda like a country...we have lots of places to go and have community.

P.S.  Don't forget to check out the blogs linked on the side as well!

Loading up Remote Web Workplace or ConnectComputers on a brand new XP sp2

I make it a rule to merely add the web site of the SBS server I am going to either connect to internally or connect to externally in the trusted zone in Internet Explorer.  IE, Tools, Internet Options, Security, Trusted Sites, sites and then enter the web site like http://domain/connectcomputer or https://www.domain.com/remote  for the connect computer wizard or Remote Web Workplace respectively.

This ensures that the active X scripting occurs as it should and I can join computers to the domain with no issue.  If you don't, you might not spot the tiny “info bar” at the top that is jumping up and down yelling at you to download the Active X control.

Just stick it in the trusted zone and all is well.

The ports of SBS

From the mailbag today comes the question from Alex... is there a way to publish Companyweb without opening 444?  And the answer is.... No.  You must have 444 for external access to CompanyWeb [Sharepoint].

SBS bascially requires the following ports:

If you need access to Sharepoint .... you MUST go through port 444.  For RRAS, the Sharepoint is automagically enabled if you merely click the box, for ISA they thought we'd be a bit more paranoid so you have to manually publish it.

Got trouble? Well shoot! Not anymore!

Looking for Troubleshooting tips for Small Business Server 2003?

There's an excellent resource on the SBS web site but I“ve put links here as well:

• Troubleshooting Server Setup
• Troubleshooting Users and Groups
• Troubleshooting Client Computers
• Troubleshooting Mobile Devices
• Troubleshooting E-mail
• Troubleshooting Monitoring
• Troubleshooting Backup and Restore
• Troubleshooting Internet Access
• Troubleshooting Your Intranet
• Troubleshooting Shared Network Resources
• Troubleshooting Remote Connections
• Troubleshooting Client Licensing

What are the three things... oh wait...two things I do on my SBS servers?

Back in May I posted of the three things I've done on my SBS servers.  But I'm here for an update because I only do two of them now:

• To ensure that file locking doesn't occur on databases and Quickbooks
  Disable oplocking http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264
• Lastly this turns off the annoyance of XPs and 2k's have of “falling“ off the LAN and then needing to be clicked to be reconnected.  In our little lans I turn this off.  Disable autodisconnect http://support.microsoft.com/default.aspx?scid=kb;EN-US;138365

Flap Flap, Honk Honk

Cal emailed today a “Geese as community” piece that I had to find a copy to share:

When you see geese flying in a "V" formation, you might be interested in knowing what facts scientists have discovered about why they fly that way. While you read this, keep in mind how adoptive families form a community--helping each other, often without the benefit of ever having met.

FACT: As each bird flaps its wings, it creates an uplift for the bird immediately following. By flying in a "V" formation, the whole flock adds at least 71% greater flying range than if each bird flew on its own.

TRUTH: People who share a common direction and sense of community can get where they are going quicker and easier because they are traveling on the trust of one another.

FACT: Whenever a goose falls out of formation, it suddenly feels the drag and resistance of trying to go it alone and quickly gets back into formation to take advantage of the lifting power of the bird immediately in front.

TRUTH: There is strength and power and safety in numbers when traveling in the same direction with those with whom we share a common goal.

FACT: When the lead goose gets tired, it rotates back in the wing and another goose flies point.

TRUTH: It pays to take turns doing hard jobs.

FACT: The geese honk from behind to encourage those up front to keep up their speed.

TRUTH: We all need to be remembered with active support and praise

FACT: When a goose gets sick or is wounded and falls out, two geese fall out of formation and follow it down to help and protect it. They stay with it until the crisis resolves, and then they launch out on their own or with another formation to catch up with their group.

TRUTH: We must stand by each other in times of need.

Okay grab the kleenix folks because not only does this remind me of the Anna Paquin Geese movie that makes me cry at the end even though I've seen it a thousand times, it reminds me of the world I live in.

So many of the people that flap flap around me and honk honk at me all the time I've never met... or if I have, it's only been once or twice and now we only share an online presence.  Between email and IM, there isn't a day that doesn't go by that I don't smile at an email or at a IM tag line that is funny. 

So whereever you are in your life, your career, your job, find a place where you can Flap and Honk.  I think you will find, like I have, that a few years go by and you realize that you've gone a long way on a long journey, and yet you are not one bit tired and enjoyed it the entire way.

To the Communities of SBS that constantly FLAP FLAP and HONK HONK, thank you very much for your consistent uplift.  To the Center for Internet Security where I started out a few years back as just being this little SBSer on the phone calls, thank you for letting me drink in all the information that you put out.  Honk Honk, Flap Flap to you as you have taught me so much.  And to all of you [and you know who you are] that Honk Honk and Flap Flap with me, thank you for this journey.

The stuff we take for granted

I'm sure people wonder what exactly is my job.  Sometimes that's a very good question.  Somedays it's just standing over the shoulder and telling someone in the office how to attach a file to an email.  Somedays it's trying to visualize what a client is looking at over the phone.  Sometimes it's trying to visualize what my partners are looking at on the screen. So many times I have to walk over and see what they are looking at and more often than not, I say “oh yeah, just click there”.  And they'll say...where?  “There, I say... right there”.  I can see the obvious “click“ but they can't.

It's funny that just right after yesterday's post about documentation that was prompted by a newbie SBSer in the newsgroups who came looking for real basic documentation as he was helping to set SBS up in his small firm... comes an article about “the basics”.  I chaired the Top Technology survey and helped “craft” the descriptions.  And in our survey of fellow “uber geeks”, the top issue was Security [gee that's a surprise].  But when the Ohio Society put it out for ALL of the membership to revote on their idea of the top ten...what was their top issue? 

Finding out where to click.

Learning technology was their biggest issue.

It's even obvious in my firm that there are those that are the “technology enablers” and those that ...well are still just dealing with the technology.  John Pocaro back on blogging again, has some great productivity tips about handling email overload that they do in Microsoft.  But they are a pretty darn consistenly agile firm. 

The “real” SBSers are still a bit lagging behind, I think.  What are my goals this year as compared to his daily tasks? 

• To get more people to use the shared calendaring.  I have a few but not all using it.  Some are still relying on paper calendars.  Lose the paper this year.
• We're doing pretty good on saving in file shares but my weekend loss of a desktop reminds me to put a better, stronger emphasis on redirection of the “my documents“ and remind folks to NOT store on local hardrives.  SeanDaniel.com talks about how the My document redirection is for “backup“ purposes.. I'd add how about for physical security purposes?  I can and do physically secure the server... I can't the desktops.
• If the item is of a personal [personnel] nature, I'll be setting up access controls for that location and deny everyone BUT the people that need to have the information
• Install Lookout on all the desktops
• Have more training sessions and do more “picture“ how to's.  People remember with pictures not words in my office.

So I think this year I need to concentrate on taking the concepts that I take for granted and making them more normal for everyone else.  So that folks will just know to click “there”.

Are you a newbie?

You do know about the documentation resources for SBS right?

What?  You don't?

Start here for a Documentation by Task for Windows Small Business Server 2003

Then you do know about the SBS Documentation blog, right?

Huh?  You don't?!!

Dude, click here to see some of the cool stuff they have in store.  You remember how blogs work, right?  You get a newreader [I like newsgator.com] and you sign up inside of newsgator, inside of Outlook so that the information goes directly to you. 

Kewl, huh!!

When is being an adminstrator WAY too much of an administrator?

Too many times I see people not understanding the difference between being a DOMAIN administrator and being a LOCAL administrator. 

Being a domain admin means that the user logging in has full right to anything on that domain and basically has the keys to the kingdom.

Local administrator means that you merely have keys to the local workstation.

So many of our stupid apps want LOCAL administrator rights but they do not NEED domain administrator rights. 

When you set up users and there are the pre-done SBS templates [which it's perfectly normal that they have red X's by them as they are “just” pre-done templates for you and not true users] just make sure that you only give rights that you minimally want to the users ON THAT SERVER.  In my opinion there is no need whatsoever to make a user a domain admin.  Pick Mobile user or user but never domain admin. You then change the user to be a “local” administrator on THEIR machine, but not on the domain.

Over time, both Microsoft will make it eaiser and Vendors will finally see the light and start coding security for running as “USER” on the local machine.  In the meantime, while you are stuck in giving local administrator rights, just don't hand our more rights than you intended. A couple of ways you can use group policy to add the users to the LOCAL group are discussed here, but you could always log in as the administrator on the workstation [and many times the admin account on an OEM box has a blank password which means it cannot be access remotely over the web] and then just flip that domain user to have administrator rights on JUST that workstation.

P.S.  you do know that running the domain/connectcomputer wizard will PUT that workstation in the local admin group, right?

What happened to my nice quiet audit logs?

SeanDaniel.com points out once again that we should WAIT [patience patience] for our OWN SBS SP1 which will include Windows 2003 sp1 and we should not run the Security Configuration Wizard on our SBS [see I was right] and also points to that kewl Exchange “tarpit” that YES you can do on a SBS box to slow down the bad guys.

Sean says that sometimes things slip through the cracks [oooh there's transparancy and credibility] and that's why this SCW tool isn't SBSized but I would argue that it's the SCW that's coming up to the SBS world.... certainly where auditing is concerned as ours are specifically tuned for us.

An often asked question is why the audit logs in SBS are so “noisy” as compared to SBS 2000 and a blog by “the” auditor of windows Eric Fitzgerald talks about what they are doing to “bring down the noise” in the future.

When we look at our SBS boxes, though, what do we audit in our SBS boxes?

• Account logon is audited for success - default domain group policy controls this
• Account management is audited for success - default domain group policy controls this
• Directory services is not audited [for a very good reason] - our SBS group policy kicks in
• Logon events is audited for success, failure - our SBS group policy kicks in
• Object access is not audited - default domain group policy controls this
• Policy change is audited for success - default domain group policy controls this
• Privilege use is not audited - default domain group policy controls this
• Process tracking is not audited - default domain group policy controls this
• System events is audited for success - default domain group policy controls this

And why do we do this?  Because if we are not “pulling a status” of normal, we won't have the data when something bad happens and we need to have auditing logs available.

Keep these audit logs just the way they are.  You will want them when something happens and you need to prove something.  I would argue that you should do similar settings in SBS 2000.  This is one area that turning on auditing really doesn't hurt a well done server at all.  We should all be auditing the processes on our boxes like this.

Then if you need it, it will be there.   If however, you shut them off, you'll not know what happened.

The ethics of marketing

Vendor:  noun:  one that sells something

Customer:  noun:  One that buys goods or services.

Salesperson:  noun:  A person employed to sell merchandise 

VAR/VAP:  Value Added Reseller/Provider

Value:   noun:  quality considered worthwhile or desirable

Added:  verb:  To join or unite so as to increase in.... scope

I looked up the definitions of these tonight for a reason.  On a community listserve the topic came up regarding “should vendors be allowed on a peer resource list who's charter states that it's designed to discuss issues around the marketing, sales and development of small business IT consultants for those IT consultants servicing small to medium businesses“ and it just made me think a bit.  Especially when some of these “customers“ of vendors are obviously, vendors themselves.. I would think that people who are themselves vendors would want to try to bridge the gap between customers and vendors.  The concern was that the “vendors“ on the list would turn on the “sales and marketing“ mode and the real truth would get overwhelmed by the advertisements and offers. 

I too, am sometimes guilty of talking about “marketing” as the dark side.  But here 's the dumb thing... it's doesn't have to be.  Sometimes the best marketing is just being honest.    Jackie Huba today in the Church of the Customer [there's that word customer, again] talks about a disturbing trend in marketing. “Stealth Marketing” as they call it.  And included in the post is a very interesting discussion of “ethics in marketing”.  [Okay, I'll admit that I've never quite thought of that phrase quite like that before].

In an email thread that I was on today, someone wrote that they didn't trust a company to have their [the customer's] best interest at heart.  I find that statement a bit odd since it would seem to me that any company would want to have their customer's best interest at heart because without that customer, they wouldn't BE a viable company.

Jackie talks about that there's a “growing demand of transparency and credibility”. There is isn't there?  Too often I see it time and time again that when the “salesman” says “Oh we can do that” and totally overpromises what the item or software or technology can do and all that ends up happening in the long run is an unhappy customer.  If there is one thing that I could say to any company wanting to bridge the gap between vendor and customer is to just BE HONEST.  I don't expect a firm to say “oh we totally screwed up when we promised you the moon”, but I do expect more of an honest “we can't do that now, but we're working on it for the future”. 

In reality, even though over time I've turned into this hybrid of a wacko SBS customer that is turning into a Windows Software Patching ebook author and newsletter author, I still feel a lot like just a customer around here making sure that the SBS customer gets a fair deal.   I don't like it when a SBS customer doesn't get the installation experience he or she deserves.  I don't like it when consultants don't take the time or the energy to learn the SBS platfom and install it and support it the right way. 

It drives me crazy when people constantly hang onto the myths surrounding the platform.  I was on a security listserve where the topic of having Internet Information Services on a domain controller and here's little ol' wacko SBSer me piping up and saying that these days I wasn't worrying about my domain controller and IIS6 on there but rather freaking out about controlling my workstations.  In the ensuing back and forth threads it was very obvious that people still had stuck in their minds the steroetype of SBS.  “Limitations“ was definitely in their mindset.  Once again the myths of SBS surrounding the backup domain controller, the lack of expandability in their minds.... [hello?]  Don't people know that once you hit the 75 limit there is a transition pack that allows you to grow past 75 and split off the parts to separate boxes if that is truly your heart's desire?

Instead I don't see limits at all... I see possibilities.  Already a couple of folks at my office are thinkin' ...hey with this remote web workplace.... I don't have to come into the office all the time to do my work... I can do it from home!   That's right.  And my boss already asked about email on the cell phone that he saw some other Attorney receiving and responding to.  As I told him, you want it?  Say the word as we can set it up!  [He declined because he said the Attorney was constantly emailing on his phone].  But the point is that seeing technology truly in action, honestly, and credibly had done far more to “sell“ my boss on technology than any glossy ad had done.  He saw it working in real life and asked me about the technology.

The “Build your business“ ad campaign is my FAVORITE ad.  To me it so much showcases when the Vendors and the VARs and the VAPs and customers all come together and synergy is made what possibilities you can have.

Sam the SBS Server answers the question "Can I have a backup domain controller?"

We sit down again with Sam the SBS 2003 Server and ask a few questions:

Q.  Hi, Sam, it's been a couple of weeks since our last Q and A and we just had to do a follow up.

A.  Sure thing!

Q.  We got a question via the mailbag today as to whether you could support a backup domain controller, there seems to be a bit of a misunderstanding about that, can you clarify that?

A.  Sure thing.  I don't know how that myth got started.  I can INDEED support having a backup domain controller in my network and don't mind it in the least.  In fact you probably want to have one around when you have branch locations.  But remember that when you have XP pro machines attached they use cached credential if they can't find me around [say they are laptops or what not] so it's not quite the big issue that people think it is. 

Q.  So you can have backup domain controllers and other servers attached to you?

A.  Oh, absolutely I can.  Like here where I live... I actually ...well...guess I might as well disclose it here... I have a relationship with Tammy the Terminal Server. 

Q.  Oh, really?

A.  Yeah, we have a strong connection, she's acting as remote Terminal Server desktops for some employees at the office. 

Q.  That's really cool.  Congratulations on the relationship. 

A.  Thanks.  Yeah it's pretty recently that we got together.

Q.  So are there things you can't do? 

A.  Yup, there are some things I must have and things I can't do, but it's a short list.

Q.  What are those?

A.  I do not support active directory trusts and must be installed at the root of the forest. There must be only one of me in any domain.  I must hold all of the flexible single-master operation roles [FSMO], I can't be demoted.  I max out at 75 users.  I am just like normal standard Windows 2003 and have a maximum of 4 gigs of RAM.  I cannot [and wisely SO, I might add] do Terminal Services in application mode, but I can be remotely administered via TS.

Q.  What can you do that normal Windows Server can't do?

A.  Well for one I offer SO much more than normal server it's not funny.  I offer Exchange 2003, I offer Outlook 2003 licenses to all my licensed workstations, I have Sharepoint with special templates that offer up unique features like an help desk, I have ISA server 2000 [soon to be 2004], SQL server 2000, and Front Page 2003 in my Premium version and I have Monitoring emails and Remote Web Workplace.

Q.  Remote Web Workplace?

A.  Yeah, let me point you over to Tristan's blog where he called it the Ninja feature of SBS.  I was pretty proud of that.  It's a way for folks to remote back to their desktops at the office.

Q.  Okay I think that's enough for tonight... so just to recap you DO support a backup domain controller.

A.  Oh sure thing I do!

Q.  Thanks!

A.  My pleasure!

[today's excuse is that we're out of Dew at the office]

P.S. Sam would also like to indicate that in the AD world “backup domain controller is technically not true.. we're just “ADDING” an additional domain controller..but the phrase “backup DC” is leftover from the NT days and commonly referred to as a reason for not wanting to install SBS for those more Enterprisey.

Save a Smart Phone from utter destruction -- Patch your POP Connector

Today an email was sent out and it was cc'd to several SBSers.  Due to the fact that there were a couple of SBSers on the list who had not patched their systems for an issue with the POP Connector, those of us on the email blast are now receiving the email....over...and over....and over...and over.

They obviously had not patched for Knowledge base 835734 which says “The SBS 2003 POP3 connector may incorrectly re-send certain messages to recipients who are not part of your SBS 2003 e-mail domain.”  Well everyone on that list can attest that it's not a “MAY it's more like an “IT WILL”.

Folks I cannot stress enough HOW IMPORTANT it is to patch your systems and today's fiasco points out HOW IMPORTANT it is to visit the SBS download page and install ALL OF THOSE PATCHES in that order.  The only exception is if you are not using POP.  If however, you are using POP.. PLEASE on behalf of ISPs and email recipients throughout the world that are now being bombarded with messages... GO PATCH YOURSELF.

• Go to windows update - update your box
• Go to the SBS download page - update your box in the order on that page

Patching your box is very important and the people in Mothership Redmond know this.  They will be working on making it easier...but for now, THIS IS WHAT YOU NEED TO DO.

Let me also take this opportunity to tell you about how all my ranting on the Patch Managment listserve turned into a 'gig' on Windows Secrets for a column called Windows Patch Watch.  My column is only in the paid version, but there's a hint of what is included.  Patching is PART of life and the sooner you understand that we do have information and resources, the better off you are.

If all you are doing is Windows Update... YOU ARE NOT FULLY PATCHED. 

Over the New Year's holiday my firm got nailed with an email message that kept resending and now that I think about it more I'm positive it too was from a SBS box as the cc mail list included folks that I know are SBSers.

Please...on behalf on my own email box and that of a poor SBSer who can no longer sync their mobile device for fear of getting 5 more copies of an email, patch your POP boxes.

Like now.

RIGHT NOW.

PLEASE!

In case you missed it... the recorded spyware webcast is now on the web

 http://mssecurities.savvislive.com/20050118/registration.html

The recording is on now the web.  One of the Security MVPs that I know, “Calamity Jane” was really impressive during the roundtable section.  Remember that all of these webcasts are recorded for later viewing.  All you have to do is go to the Mike Nash Blue Shirt home page [better known as http://www.microsoft.com/security360 ]

[We call it the Mike Nash Blue Shirt home page because while I've seen him wearing a brown shirt at the Security MVP summit, I've only seen him wear blue shirts during webcasts]

Handy Andy SBS Live chat 1/18/2005 at 4 p.m. PST

CHAT: SBS Live! 

** Tuesday, January 18, 7 p.m. Eastern 
Microsoft MVP and SBS expert Andy Goodman helms another year of 
Small Business Server chats; the first of these chats takes place 
this Tuesday, January 18. If you have any questions for your peers 
or want to help others solve their SBS woes, be sure to check out 
SBS Live! and start chatting: 

http://mcpmag.com/chats/ 

To join, to learn how to join a chat, to read the rules of conduct, 
or to obtain a transcript of a past chat, go to 
http://MCPmag.com/chats. If you're using a chat program, such as 
Microsoft Chat 2.0 or mIRC, you can join by going to the 
#MCPmag.com room on the chat.mcpmag.com server.

Malware and Spyware webcast on at 9:00 a.m. PST

Join host Mike Nash, on January 18th at 9:00 a.m. PST Microsoft's senior executive in charge of security, for a discussion of the latest spyware techniques, highlight technologies, and best practices that organizations can use to mitigate the threat of spyware. As with every Security360 webcast, this session includes commentary from industry experts, the Checklist of recommendations and resources, a question and answer session, and a progress update on Microsoft security enhancements.

[one of our own Security MVPs that goes by the handle of Calamity Jane will be on - she's a wizbang at fighting the malware!]

We've added a bit of "intelligence testing" to the blog

In addition to adding the search box for the blog, [see the box above Yoda to the right] we've adding something else tonight.  A bit of “intelligence testing”.  You see like every other “good thing” is this world, we were being overwhelmed in MVP blog land with blog “spam”.  Christian in particular was getting totally nailed.  Thus tonight we added a CAPTCHA to the blog.  A what you say?  A technique to ensure that only humans are posting comments to the blog.  We're using a variation of “Gimpy” to visually distort a random number or word.  At the present time, only humans can process this and convert this distorted image.  CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart.  Steven Toub talks about captcha in this MSDN article.  Stefano Demiliani and Brian Desmond both have to be thanked...first for Stefano for sending over the Captcha code to add to the blog and then the adjustments to postcomment.aspx and then to Brian Desmond to kindly fix this “blonde's” inability to adjust the web.config properly in the first place.  I had the extra code needed in the wrong place.  Brian also helped to identify the additional code lines that I needed to add to the other “skins” that Stefano didn't have so I could keep the LuxInteriorLight skin that I have.

So now when you go to comment, there's a bit of a funky distorted image down there that you have to type in before you are allowed to submit.  I'm sorry about the inconvenience, and I hope you understand it's just there because bad guys and spammers are jerks.

Why they think people will buy stuff off of blog comments ... I have no idea...but obviously someone must click and follow there stupid links otherwise they wouldn't do it.  So do your part, will you?  Tell folks that blog comment spam should be avoided.  Don't give them any more reason to do it in the future.

BE THERE! Director of SBSLand Eugene Ho and Bob Muglia - live - in person!

Executive chat - Windows Small Business Server 2003 [January 18, 1:00 pm Pacific, 4:00 pm Eastern]
Bob Muglia, Senior Vice President of the Windows Server Division, along with Eugene Ho, Director of Small Business Server, discuss Windows Small Business Server 2003 in this January 18, 2005 TechNet chat. Small Business Server is the comprehensive networking solution for small businesses--See how it can help simplify your daily activities and save you time and money.

Add to Calendar: 

Chat room:

Don't forget that tomorrow is the Bob and Eugene show!  Remember Eugene Ho is Director of SBSLand!

SCW on SBS? DDT!

In the world of geekdom we use many abbreviations.  Small Business Server 2003 is abbreviated to SBS.  The new Security Configuration Wizard that will be included in Windows 2003 sp1 is nicknamed SCW.  And DDT?  That's Jason's [a tech lead in Mothership Charlotte] phrase when you shouldn't do something on a SBS box:  “Don't Do That“.

Windows 2003 sp1 will ship with something called the Security Configuration Wizard...the problem is .... we're already pretty Security Configured as it is and don't need it.  In fact, if you run in on a SBS box you are going to end up shutting off something that I think provides you with MORE security.

Just for grins I ran the SCW included in the Windows 2003 sp1 release candidate on a SBS test box just to see what it would break.  And based on my unscientific testing it's going to hurt us more then it helps us.  In fact it was interesting that it didn't really do much on our SBS boxes that I would call of any real value. 

The major change it made in auditing, changing the auditing of directory services from “not audited“ to success, could actually hurt us, as SeanDaniel.com pointed out that we shouldn't be auditing that.  The good news is that it appears our SBS unique auditing policy does kick in but I'd rather not mess with the stuff that the SBS team has done to make backup work.

Next the other big thing that it hurts more than it helps is turning off the performance monitoring and alerts which will blow off our SBS monitoring email.  I don't know about you, but I check that every morning just to make sure that my server is a “happy camper”.  Again, why mess with a good thing here?

You see, SBS is already pretty well “tuned” to begin with.  We really DON'T need the Security configuration wizard at all.  In fact, I would argue that these days, it's not my server that I'm worried about at all.  In fact, I'd much rather have a security configuration wizard for my desktops than I need one for my server.

Reminds me of something funny, in the newsgroup the other night a poster asked “Is there a document on creating a bulletproof, high security SBS server?” and both Javier and I said “Yeah, don't have end users!”  Seriously, what is the “thing” that introduces the most risk into my network?  End users.  If I could just have a wizard for them, that would be real grand.  I have one that we joke about, but it's a bit messy in it's application.

I would argue these days that you can't just look at protecting the server.  And in fact if that's all you are looking at you are so missing out on where most security issues are entering these days... at least in the small business world of computing anyway.  Heck this weekend's burglary showcases even more than ever that my weaknesses are my workstations, both in terms of my inability to physically protect them [even though we did have an alarm system, the machine taken was near the front of the office and quite visible from the outside, definitely a smash and grab], and to lock them down via group policy in a simple and easy manner because many of my line of business applications refuse to work without administrator rights.

So if you start hearing in the “buzz“ from Microsoft about a Security Configuration Wizard and wonder about it's applicability to Small Business Server 2003 know two things:

1. We are already pretty tweaked as it is and running this wizard will only hurt not help
2. The folks in Mothership Redmond are going to come out with our OWN SBS 2003 sp1 which will include ISA 2004 [for those folks on Premium edition] and thus you'll want to pass on downloading and installing the normal Windows 2003 sp1

So about that Security Configuration Wizard on Small Business Server 2003?  Just Don't Do That! 

The right password in the right place

Many eons ago I thought I did a brilliant thing about passwords.  I made sure that all the local adminstrator passwords on my desktops matched the Administrator password of the domain.  But see what I didn't realize was that I was in reality causing my server to be more insecure.  Dr. Jesper Johansson made me realize what a dumb blonde move I made by doing this because I was making my domain controller rely on the security of my desktops and laptops.  As he says, more secure systems shouldn't rely on the security of weaker ones. 

Since then I have a different password for the admin account that does not match the server's admin account.

Today one and only one of our desktops was stolen from the office and because it did not have the default password of the server on it, I didn't have to freak out and change the admin password of the network. 

It's obvious that my most insecure systems are the ones that can be easily stolen.  I was a local CPA tech meeting last week and they said that these “snatch and grabs“ were happening all over town.  One firm even had 8 such buglaries over the last three years.  Wow. 

In the 10 laws of security, law number 3 says if a bad guy has physical access to your computer, it's not your computer.  Well I can certainly attest to that.  It's definitely NOT my computer anymore.

The experience of buying a computer -- ugh never again

I had to buy a computer in a retail computer store today. 

I hope I don't have to repeat the experience.  You see we had a bit of a problem at the office.  We had a break in and lost one desktop.  Fortunately because there is NOTHING on that desktop that has identity information on it, I had no SB1386 notifications, and because I had pulled an inventory script of the network prior to migration, guess who had a full itemized listing of what was stolen.  Came in handy!  Because all of my data is on my server, and once I got word that it was fine, I was much more relieved and just more in a “Oh bother” mood [as Pooh bear would say].

But I needed to get a computer back in that person's desktop as soon as possible.  I normally purchase systems from Dell, specifying what I want, but decided to order the Dell and then get an inexpensive desktop at a retail store for Monday morning.

I've come to the conclusion even more than before that the retail experience is overwhelming and confusing.  I went into Best Buy with a range of computers in mind, found what I wanted and then went in search of a salesman.  Now I can't blame Best Buy for being busy and having their salespeople needed to go in detail over all the options, but I can fault them as to the ambiance.  Blaring stereo noise coming from the video section, and just an overall “cluttered” feel.  The Windows Media player was getting a lot of attention but it was in the far back wall and the one kid that had settled down in front of it had pulled out a chair and was sitting in the middle of the aisle working the remote.  The area where the laptops were, again seemed a bit cluttered.  You can definitely tell that Laptops are hot sellers because there was more floor space for them than for desktops.  I could tell that I was not in my normal “patience” mode today because after waiting for about 15 or twenty minutes for a salesman to free up I finally left BestBuy and went to CompUsa where I bought a desktop.  Now trying to find a XP Professional machine when you want to attach to a domain was just about impossible.  Fortunately I keep a copy of XP Pro upgrade around at all times “just in case” and I have Office 2003 MOLP media that I have licenses for so I knew I didn't care what OS the machine was, as I'd put on it what I wanted to. 

After getting the retail box home I found it had the following installed:

• Norton antivirus suite
• McAfee security suite
• XP sp2
• BigFix Consumer
• AOL

Ick... and I promptly removed all of those.... well obviously NOT the XP sp2  :-)

Then because I couldn't find a desktop WITHOUT about four media slots I had to go into computer management and move all the media drive slots away from my network drives.

There was a guy there comparing prices to Costco.  You know that makes me wonder about if there was more “small business network computers” there at Costco that had XP pro it might be better for small businesses.  I don't know how a small business would ever find a computer SBSized in a retail store these days.  No wonder all the VARs and VAPs complain about small businesses ending up with XP Home.  It's hard to find a XP Pro from a retail store.

Did see an interesting thing at the checkout.  A plastic bubble pack for a $99 per month subscription to XDrive with a 5 user version that advertised file sharing and collaboration.  Chad was talking in the listserves that he does whiteboxes because retail computers load up with Soooooo much gunk that they spend more time uninstalling all the junk that it's just not worth it.  I definitely found that to be true today.

To all of those folks who beleive that you can safely run TS in app mode on a SBS 2003 box:

To anyone who truly beleives that running Terminal Server in Application mode on our SBS 2003 domain controller can be made secure and could ever be secure, I am reminded of a joke that Dr. Jesper J said and has been repeated in SBSland.... “what are you smokin' and why aren't you sharing?”

Today, in addition to screwing up the user versus cal in Terminal server I loaded up more applications on it.  I loaded up Office application on my Terminal server [keeping in mind that normally we tell folks to NEVER install any applications like Office on a server.]  I flipped the “Themes” service to automatic and started it so that the desktops could “look” like Windows XP.  I uninstalled [but only for the users] the Enhanced IE active X blocking.  I basically lowered and totally introduced threat vectors all over the place.  All the hard work done by Michael Howard and his team to protect that server from the stupid user, I totally ripped out everything that his team did.  I still haven't even grabbed the security resource kit to apply the recommend guidance.

How can anyone honestly and truly think that they can in turn ACL and permission themselves back to the lowered attack surface that the Microsoft server team built. 

I enabled services, I installed software [which reminds me need to Shavlik that box again because that's “unpatched Office 2003 as it's fresh off the CDrom”, I'm letting a user “drive” that box instead of normally how my domain controller runs, left alone to do it's job, with most of the time having me remote in from my desktop and not even walk over to the console. 

Sorry all you folks who think that they have the skill to lock down a domain controller enough so that it can be run in TS in application mode, I just so totally disagree with you folks. 

You want to introduce too much risk, Way too much risk.  Remember, where I'm at, in California I must make reasonable Security precautions to protect my data.  If you think that running Terminal Server in application mode on our domain controller was ever reasonable.... “how about sharin' what you are smokin'“?

I will post once again what I've ranted about in the newsgroups before:

The "blonde" versus the Terminal Server

Well I feel quite silly and foolish.  I totally did not understand the significance of the choices that I made when installing my member server and when it came to licensing the Terminal Server part of the member server I forgot a two letter word.

You see the guidance for setting up the member server in a SBS network is as follows:

  *   When you install a new Windows Server 2003-based computer on an
      SBS 2000 or a Windows Small Business Server 2003 network, select
      the *Per Device or Per User* licensing mode. To do so, click *Per
      Device or Per User* on the *Licensing Modes* screen in the Windows
      Server 2003 Setup program.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;327644

Okay notice the word OR in there?  Device OR User?

Okay now when we get to the point that we need to license the Terminal server part of this box, totally stop thinking about what you just did.  You are all set with the underlying licenses of the server base.  Now we make the decision as to how to license the TS box.  Now this is where I screwed up.  I didn't read the .. um.... well I didn't read the OR in the Device OR User.  So I didn't realize that when I installed my member server that the default mode for the TS “license type” was device.  I bought user TS cals [actually they were grandfathered XP cals because I owned these XP licenses prior to the Windows 2003 server launch].  So when I installed the “per user” I didn't realize that my server was still in TS “per device CAL” mode. 

I realized today that my TS clients were being issued temporary device cals instead of user cals and I “thought“ that because I was “forced“ to chose a licensing of the member server of the SBS box that I was “forced“ to choose the Device cals.  But I totally blew past the “OR“ in that base licensing of the box.  I have another choice.

So what I “should” have done was flip the TS to per user, instead I stupidly and blondley called into the TS licensing, renamed the TS licensing folder, reset up the TS licensing and reactivated the licenses as “device cals”.  So then I'm chatting with the guys and realizing that I was thinking that the type of license that I placed the server in “fixed” me in a TS per device license.  It doesn't.  They are two totally separate things.  Man was I “totally“ blonde on this.  I should NOT have re-installed the CALs as per device, instead I should have flipped the CALs to per user.

Remember if you don't match up your CALs to the way your Server wants the CALS you'll accidentally have the server install temp licenses.

So now I”m going to reset my licenses and put them BACK to user and flip my server to “USER” TS license mode.  I'm probably going to keep my connection method for the clearinghouse to phone as it talks about here.

In SBSland we would probably WANT per user to be very mobile-enabled and not tied to device but rather free to assign to your mobile USERs.  To change the DEFAULT of the CAL style from Per Device to Per User, Make sure you change the licensing mode.to per USER.  Got it?

1.	On the Terminal Server computer, click Start, Programs, Administrative Tools, Terminal Services Configuration.
2.	Click Server Settings in the left pane.
3.	Double-click Licensing in the right pane.
4.	For Licensing Mode, select the mode for this Terminal Server.  [We want USER]

Dean added these comments:

You need to make sure you change the TS licencing mode (in TS
configuration) from DEVICE to USER, then delete the registry key from
the device whos licence is expiring. When it reconnects it will be
issued a USER CAL (not quite the correct wording but I'm sure you
follow). Reg key, if you need to know, is under
HKLM/Software/Microsoft/MSLicensing/Store - delete the "LICENCExyz" keys
where "xyz" is a number from 000 to 999.

P.S.  Dean posted in this newsletter from THE TS expert MVP Christa Anderson.  Quite timely in fact.

Photos from the The "Oh Canada" event and Harry and SMBNation heads off to Asia

For those of you who missed the “Oh Canada” event, we've got some more photos on the web site.  Harry and the SMBNation will be travelling next to India, Singapore, Japan, Korea, China, Hong Kong, Bangkok, and Taiwan.

I'm hoping too that Harry and the SMBNation events can do his “Pied Piper of user groups” that he normally does and find us some SBSers to complete the circle of SBS coverage around the world.  [We're going for total world domination here]

And just one more reminder that if you missed the Toronto user group, you will have more events.  In fact here's a listing of all sorts of user groups in Canada.

If you are looking for a live, face to face group meeting where peers talk to other peers about “been there” and “done that” search the Microsoft Mindshare page for groups in your area!

Due to requests I added a Search feature to the blog

I've had a couple of requests lately to add a search feature to the blog.  Well I was finding the Steve Riley blog which had a trackback to another blog that had a post about “adding search”.  Kewlamondo.  See that box on the right hand side above Yoda and the Small Business Server 2003 logo?

One newly created search box that will search the blog.

So why do we need more firewalls? Steve Riley says why and now you can listen

A while back I blogged about why we needed multiple firewalls in our network.  In addition to our firewalls on the outside, we in SBSland are now putting firewalls on the inside.  Remember I said that Steve Riley talked about this in his “death of the DMZ” presentation?  Now you can listen to it on his web site and download it or stream it.

ooohhhhhh kewlamundo he's got a blog.  One post but it's a start folks. 

I started reviewing some of the Chapters that he's writing on Protecting your Windows Network [Out in 2005 Addison-Wesley] [excerpt here] and you can tell Steve's chapters and they combine tech words with like ... oh like Rave...and mentions of RFCs [I think he reads them in his spare time for entertainment  - I mean like who else knows the number for the RFC on Pigeons] and citations to the 13 Steps to Mentalism by Corinda and other such slightly unique topics that really and truly do weave together with technology to make for a very educational read.

It's one of those things you're just going to have to experience for yourself.  Trust me on this one.

Is Microsoft asking Hackers for patch suggestions?

Via the mailbag today I got a heads up to a post that says “Microsoft is asking external coders, aka Hackers if they have patch suggestions”.

Now keep in mind, this post is as a result of an eweek article that talks about a closed beta program for External patch testers.  Now, unless I'm mistaken, I think it's the same Security Patch Validation program that was talked about in yesterday's patch webcast.  And based on “my” personal listening of that webcast, I don't get the impression that ... firstly that external “hackers” are being asked for patch suggestions, and secondly, that it is anything other than an exercise in ensuring quality control of patches.

I downloaded the slides to remind myself of what was talked about and slide 25 says:

Doesn't sound like any “hacker“ or third party patch coding to me.  Sounds more like a Patch testing process that Anne and I recommend in our Patch ebook.  Test patches in a testing environment FIRST before deploying them globally.  Even in SBSland, if you don't have a test environment, wait a few days and see if everything is okay.  The kewl thing about SBSland is we report back pretty quickly if we see something.

Besides, according to the article Microsoft Most Valuable Professionals [not players as the article states] are in this program and no MVP that I personally know would I describe as a hacker in the vernacular of “today's definition” of hacker.

Certainly, show me an MVP and they would probably call themselves a person who loves to figure things out [the traditional “hacker” definition before the media took it over to mean the bad guys of today], but certainly they are not “script kiddies” or anything like that.  In fact one of my fellow MVPs that goes by the name of “Calamity Jane” is one of the nicest people I know...except...when it comes to malware when she comes out with both barrels ready to fight the bad guys.  In fact Calam will be on next week's Security 360 Show with Mike Nash on Malware.  She spends tireless hours on webboards helping folks with their hijack this logs ripping out the bad guys.

This does remind me of a thread in the newsgroup and on the patch management listserve.

The question on the patch management listserve had to do whether folks would patch Windows 2000 machines for Security patch 05-003 given that Windows 2000 wasn't “vunerable” but that there was additional security item added to active x component to “tighten it up” called the Microsoft.ISAdm.1 ActiveX control .  I said it depended on if your firm/enviornment was a “100% deploy all patches” or a “just deploy critical ones”.  Dave in the SBS newsgroup talked about how even on our download page you need to evaluate whether or not you truly need the patch.  If you don't run the POP connector... you don't need to load the POP connector patch.

Bottom line ... if this means that patches won't hurt and be more rock solid for us out here?  More power to 'em.

We're now in search of the perfect laptop bag

 We're now in search of the perfect bag for our brand spanking new Acer Tablet PC TravelMate C112. And we've found a web site that sells “laptop carrying cases for women”

Okay I'm not quite sure I'm going to cart around a pink laptop case...[it does fit in with the SBS Diva theme though doesn't it?] but it does point out the “Security by Obsecuity” regarding traveling with laptops that I've heard of before. 

• Don't travel with a laptop bag that SCREAMS “I have a laptop“
• Don't travel with a bag that has the computer logo on it
• Don't travel with a bag that says “Targus“
• Look for backpacks that double at laptop cases.

I know that my Acer in it's “envelope” case can fit nicely in my Lands End backpack.  If I know I won't need the dvd player I just take the Envelope case and the power cord.  Nice and easy traveling!

Can Mini Macs be part of the SBS family?

So even in SBS land there's already few questions on the listserves about the Mini Mac that was just announced at MacWorld.

So just a couple of FAQs for anyone who asks:

• Are they based on OSX?  Yup.
• Does that mean that they can connect/be domained  to a SBS network?  Oh yeah baby.

Eriq Neale [Mr. Mac/SBS or Mr. SBS/Mac depending on your point of view] blogs about how to connect an Apple to a SBS.

Just remember to call your network domain extension .lan rather than our traditional SBSism of .local for the minimal of fuss and bother.  Just call SBS the United Nations of Computer networks these days. 

Thank you Mr. Neale

Drat.  Come home, need to check on something at the office and RWW isn't working.  Rats.  Okay I've got a back door so lets check out the issues.....

Port 443 is responding - ran a Portqry [the GUI one for me] and 443 and 4125 are good.
Web site Certificate is appropriately hooked
Destinations sets look fine in ISA
It was working yesteday and now after security patch reboots is not
Server publishing rule is in place

Hmmm.... okay do the wizard thing and let's rerun the connect to internet wizard.  It's obviously something with ISA.

Shoot the CEICW wizard isn't wizing.  It's failing on me.  Open up the icwlog file and see what it says. 

Drill under program files, Microsoft Small Bus Server, Support and find the icwlog.txt and open it up and start looking for an error:

Error 0x80005006 returned from call to Fixing the inheritance for root dir().

calling Set Web Publishing Rules (0x80005006).

Error 0x80005006 returned from call to CRFireCommit::Commit().

Ah..okay let's google.

Put in the “returned from call to Fixing the inheritance for root “ in Google groups, with the search limited to the group of Microsoft.public.windows.server.sbs

Ah ha...we have a possible hit .

Hey, that's Eriq Neale the SBS/Mac guru [btw, he informed me today it's Mac not MAC]

And Eriq says in his post:

This is the key point in the error logs. Thanks for posting those. Likely,
you are running into an issue with a FrontPage-enabled virtual directory.
Try the following to see if it will address the issue for you:

1. Open the IIS Management snap-in.
2. Open the properties of the Default Web Site and go to the Directory
Security tab.
3. Go to the IP Address and Domain Name Restrctions setting and change the
setting. Just do the opposite of what is set. If currently set to grant
all, change it to deny all except for the local IP and subnet mask of the
server.
4. Select all to apply the change to all subwebs.
5. Select all again to apply the change all the way down.


You should then be able to run the CEICW successfully.

Bingo, I can.  Thank you Mr. Neale.  See how googling helps if you get stuck?

WINDOWS UPDATE FOR SMALL BUSINESS SERVER 2003

It's that time of the month when people go to Windows Update and I need to remind everyone.....big deep breath...

IT DOESN'T PATCH EVERYTHING!!!!!!!!!!!!!!!!!!!!!

You must visit our SBS download page after visiting Windows update.

In my mind our biggie is still the fact that the ASP.net mitigation patch isn't more obvious to us SBSers.

Then there's the POP connector turning into a spam monster patch.

So if you are WUing this week don't forget to surf over to the download page!!!!

If you want a very nice, very cool Travel laptop

Want a really nice sized, fabulous travel laptop?  I'd highly recommend the Acer Travelmate C110 series that is also a tablet pc.  Why do I love it?  Because when I'm attempting to work on an airplane and the guy [or girl] in the seat in front of me suddenly leans back I don't think that my laptop screen is going to get snapped off during the resulting smooshing effect.

The smaller size of the travel mate and the weight [3 pounds] means that it's a breeze to travel with.  I was talking to some gal pals and I probably sold them on the size and style as well.  One of my geek gal pals was visiting the Doctor and was experiencing “Tennis elbow”.  The Doctor asked her, do you carry a large purse or briefcase.... she asked “how about a laptop?”

One thing to think about with our always on lifestyles is ergonomics.  My sister LOVES the natural keyboard and I hate it.  But I have noticed that that I make a “shine spot” on the right hand side of all my keyboards space bars because I'm right handed and obviously my right thumb stays on that side of the keyboard more.

So if you are looking into laptops, and are into mobility...check out the Acer line. 

So how many users does it take to make a SBS network?

Do you remember the ad... “how many licks does it take to get to the Tootsie Roll center of a toosie roll lollypop?”

...”one.... two....three...crunch” as the wise owl licking the lollypop bit into the chocolate center?

I was reminded of this in a strange way by an item from the mailbag and a post to one of the SBS listserves.  First off, the question was poised.. “I have a firm with 10 to 15 users and I don't feel a “true” server is needed” and then Colby via the mailbag asks “how many uses should realistically be using SBS?”  He's got it in his 5 user firm and his brother is wanting reassurance to run it in a 25 user firm.

First off, let me say that I love the Microsoft marketing machine that has brainwashed us into “everything on one box is insane” and oh we MUST have a server for every single function including handling hang nails.  10 to 15 users NEED to be in a network domain setting.  To me that's a totally no brainer.  I've ranted about in the past how I don't get people and their “wanting to stay in workgroup“ mentality.  A domain like SBS has is just a workgroup with more toys.  That's all.

Next comes the argument of us having “everything on one box“.  Most of us out here don't run with our ISA server 2000 [and soon to be 2004] bare and throw a hardware router on the outside anyway or use an external hardware firewall [which should be monitored for patches, I argue] so the argument that we are insane for running our firewall on our domain controller is usually a bit muted anyway.  Then the argument that we have this horrendous single point of failure when show me ANY firm out there has these single points and my sister ...who has way more servers than I do, comes home many a night saying “our server that we save our work on was down” than I do.  Nowadays firms are doing what we've always done.  Server consolidation.  We've server consolidated so long and so well, guess who in the big server land is now stealing all of our wizards for their world.  Uh huh.

How many users can realistically and COMFORTABLY use SBS I would argue these days is more dependent on what kind of pack rat of email firm you are.  As I've blogged about before, we, and ALL standard Exchanges have a 16 gig limit.  While SBS can legally support 75 attached computer, users, devices, whatever, the sweet spot that I've heard [per a Partner drive smart cdrom] is about 50 users, devices, whatevers.  25 is NO sweat whatsoever. 

In my office I'm below that 25 and honestly I purposely really overbuy my hardware.  Well this time I so overbought, Sam, my SBS 2003 Server not only is twiddling his thumbs waiting for commands, he's also snoring from the lack of stress I put on him.

The general rule of thumb is 1 or 2 gigs of ram.  {I have 4 gigs, and have honestly not tweaked anything with the /3 switch and like I said, Sam the SBS 2003 server is yawning on me}.

If you are using SQL server [or plan to] you might want dual processors.

And make sure the disk drives are nice and peppy.

For the record at home we have three users on my SBS network, myself, my sister and the dog [one spoiled toy poodle]. 

So to answer... how many users does it take to make a SBS network?

one... two...three ....certainly.  I would argue that the new “micro small firm” network that should have a SBS installed is now 5 especially for the geeky younger technology empowered folks.  You WANT centralized control of antivirus, of patching, of BACKUPS.  Heck even home networks need backups!  The more you control from that network, the more you are in control period.  SBS 2003 has the active directory gunk and weedy stuff preloaded and all you need to do is take advantage of all that power and control under the hood.  And folks, us SBSers are group policy-ing just as fast or faster than our large firm counterparts.

And the maximum?  I would say it truly depends on the firm.  50 most certainly and even higher than that before you hit the 75 limit, but that Exchange and how the firm works with long term storage of email may kick them to Exchange Enterprise [and get ready for a price tag sticker shock]

So to answer the question... How many users does it take to make a SBS Network......

“The world may never know.“

What do I not do with Remote Web Workplace?

What's the one thing I don't do with the Remote connectivity features of SBS 2003?

I don't connect to my network from any public computer, one that is like a Internet cafe/kiosk computer or even a hotel business center.  Why?  Because it's not my computer, I don't know if it has keyloggers and I haven't “vetted it”.  I have my own laptop but my firm has “floater laptops” that we loan out if people need to take computer on trips.  The risk of potential “gunk” from Internet cafes are not worth it.  And while we just take laptops [or in my case my Acer Travelmate Tablet PC that is just a nice travel size that my sister is buying one as well], for those people that need even MORE mobility, I'd advise that you do the SeanDaniel.com thing and go OMA with a smartphone.  You CAN take “it“ with you and it can bring all your data in a manner which keeps you totally safe.

So be a little paranoid.  Set a policy in your firm that if you don't own “it“, don't trust it.  And remember what Sam the SBS 2003 server reminds us to follow the guidance of Dr. J's passwords, make them good strong passphrases and let Sam the SBS 2003 server make the policy.

Oh Canada! The report from the [slightly cold] troups from the SMBnation mini summit!

Got a call from the gang in Toronto and other than freezing poor Frank [who's from Florida] it sounds like they had a fun time.  If you didn't make the Toronto event tonight remember that the Toronto Server user group meets all the time.  To me user groups are just real time newsgroups.  And the “been there, done that” is just .... well as Chad would say ....it's just cool beans.  So if you didn't make tonight, that's okay, just make the meeting the next time.

If you happened to be walking around the Toronto area and saw this guys wearing THIS hat...well there's a story behind it.  You see, I'm this really wacko person who loves to force grown people into wearing matching stuff.  I think this is left over from the time my Mom used to make me and my older sister wear matching outfits.  My poor sister [who is six years older] will always be scarred by the fact that we had to be photographed wearing matching dresses when I was in kindergarten and she was in 6th grade.  Scarred both of us for life for sure.  So much so that when there is a bunch of people for an event I just HAVE to force them [or try to anyway] to wear matching shirts. 

Well Cal, one of the Canadian SBS MVPs, out did me on this one.  Knowing that this time of year wasn't exactly t-shirt weather ...he made matching “HATS”.  Now not just any hats, mind you but “Bobcat-eared” hats.  Why Bobcat?  Because that's the beta name for the SBS 2003 platform.  The white hairy things are Bobcat ears in honor of SBS 2k3, the Canada logo...well that's obvous isn't it?

I do have a picture of grown men actually wearing this hat....but I doubt that they'd let me live it down if I blogged the photo for all to see.  So for now, just know that if you saw anyone with this hat one.... they were crazy and insane...but given that they are SBSers, this is quite normal and expected behavior.  Reproducable even. 

Robert Scoble only had one set of longhorn ears.  SBS 2003 has ten grown men wearing Bobcat ears.

P.S.  I was googling to find the photo of Robert Scoble and his Longhorn ears but when you google search in images for “Robert Scoble Longhorn” you end up with a Michael Jaskson photo.  Hmmmm.......I'm not even going to ask what the connection is.

So what kind of admin are you?

Come sit on the couch while Psychologist Hensing determines what kind of computer admin you are, shall we?

I was a bit surprised that 60% of admins set up their servers without a firewall.  I guess I've lived too long in wizard land where we just take a firewall for granted.  I mean like how can you NOT have a firewall these days since most DSL modems come with a bare minimum?

Me, I'm somewhere in between the Skilled admin and the Sophisticated.  I know what I need to do, just haven't gotten around to doing it or just not quite yet ready for that step. 

So what kind of admin are YOU?

Heads up - Security bulletins today

 January 11, 2005
Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security
are authoritative in all matters concerning Microsoft Security
Bulletins! ANY e-mail, web board or newsgroup posting (including this
one) should be verified by visiting these sites for official
information. Microsoft never sends security or other updates as
attachments. These updates must be downloaded from the microsoft.com
download center or Windows Update. See the individual bulletins for
details.

Because some malicious messages attempt to masquerade as official
Microsoft security notices, it is recommended that you physically type
the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-jan.mspx

Critical Bulletins:

Vulnerability in HTML Help Could Allow Code Execution (890175)
http://www.microsoft.com/technet/security/Bulletin/ms05-001.mspx

Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code
Execution (891711)
http://www.microsoft.com/technet/security/Bulletin/ms05-002.mspx

Important Bulletins:

Vulnerability in the Indexing Service Could Allow Remote Code Execution
(871250)
http://www.microsoft.com/technet/security/Bulletin/ms05-003.mspx


This represents our regularly scheduled monthly bulletin release (second
Tuesday of each month). Please note that Microsoft may release bulletins
out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation
after reading the above listed bulletin you should contact Product
Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.

Kewl tool and it's a GUI as well!

Used this PortQuery tool tonight to do some debugging and ensure that the port I thought I had open was indeed open.  Had to laugh... the tool says the port exits.  I think they mean exists.

More kewl tools are discussed on this blog post.  Check it out!

Microsoft's Canada Server Group Event

I checked with Microsoft Canada and there is still plenty of room so PLEASE if you are in the vicinity tomorrow night of Mississauga and the Microsoft Canada location - SHOW UP!

TechNet Canada and the Toronto Windows Server User Group (TWSUG) are proud

to host sessions focused around Windows Small Business Server (SBS) 2003.

Date: January 11, 2005

Time: 6:30 - 8:30 PM

Location:   

Microsoft Canada / Events Entrance

1950 Meadowvale Boulevard

Mississauga, Ontario Canada

L5N 8L9

Trend's SMEX patch is now PUBLIC

In this patch release, the issue that causes queueing of mails downloaded using the POP3 Connector has been resolved. 
http://www.trendmicro.com/download/product.asp?productid=39

http://kb.trendmicro.com/solutions/search/main/search/SolutionDetail.asp?SolutionID=23065

Patches

Client Server Messaging Suite for SMB v2.0 Patch 1 for Messaging Component
Platform:		Windows
Description:		It is recommended to install the patch release if you are currently running Client/Server/Messaging with Exchange 2000/2003.
Date:		Jan 10, 2005
Files:		csm2-smex621-win-patch1.exe
Before downloading, view this ReadMe first.
Client Server Messaging Suite for SMB v2.0 Patch 1 for Messaging Component with deployment tool
Platform:		Windows
Description:		It is recommended to install the patch release if you are currently running Client/Server/Messaging with Exchange 2000/2003.
Date:		Jan 10, 2005
Files:		csm2-smex631-win-patch1-deploy.zip
Before downloading, view this ReadMe first.

Just know it's going to be cold, so Les says to pack shorts

Last chance to meet up with the SBS family members in Toronto on Tuesday

First up is the SMBnation event

Sponsored by HP, this one-day workshop is a retreat that focuses on the business and bits (technology) of Windows Small Business Server 2003 for consultants, resellers, technology professionals and Microsoft Partners. Hosted by international SBS author Harry Brelsford (Seattle, Washington).

NOTE: SBS Starter Kit owners will want to select discount option from OPTIONS menu (drop-down option for $25 USD savings). Once verified that you are a SBS 2003 Starter Kit owner, your order will be processed.

Wyndham Bristol Place

950 Dixon Road

Toronto, Ontario M9W 5N4

(416) 675-9444

NOTE: As a special treat - Toronto attendees receive a complimenary copy of the popular SMB Consulting Best Practices book ($59.95 USD value).

All prices USD

Next up:

TechNet Canada and the Toronto Windows Server User Group (TWSUG) are proud
to host sessions focused around Windows Small Business Server (SBS) 2003.
 
Date: January 11, 2005
 
Time: 6:30 - 8:30 PM
 
Location:   
Microsoft Canada / Events Entrance
1950 Meadowvale Boulevard
Mississauga, Ontario Canada
L5N 8L9
 
 
Session 1 - Migrating Windows Domains using Swing Migration
Presenter: Jeff Middleton - US Microsoft MVP for SBS 2003
Website: http://www.sbsmigration.com
 
 
Session 2 - Windows Small Business Server - A Year in Review
Presenter: Harry Brelsford
Website: http://www.smbnation.com
 
Meeting Agenda:
6:00 - 6:30 - Registration and Dinner
6:30 - 6:45 - TWSUG Announcements
6:45 - 8:30 - 2 Sessions on SBS
8:30 - 8:45 - SBS Partner and Customer Programs by Pamela Lauz, SBS Product Manager 
8:45 - 9:15 - Q&A with Harry Brelsford, Jeff Middleton and Pamela Lauz 
9:15 - 9:30 - Draw for prizes & Future events
 
Find out more details about the event here:
http://www.twsug.com/Default.aspx?tabid=62
You can sign up for the event here:
http://www.microsoft.com/canada/events/event_details_ww.aspx?event_id=1032267060

When Jeff did his organizational pdf he didn't even bother to put in the weather report.

Les said the weather wasn't bad and to pack shorts.   Yeah... right.....

"Let's be careful out here"

I'm starting to sound like a broken record but watch out and keep IE [and I would argue all browsers] in high security

Tools

Internet options

Security tab and reset the Internet for High security

From Incidents.org

Secunia Advisory for IE
Thanks to John Germain for bringing this update to our attention. Secunia has upgraded the advisory for SA12889 to "Extremely Critical" as of January 7th. They also have add a nice link to test your browser. The orginal advisory was posted at http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
The vulnerability is yet another cross-site scripting vulnerability. It will allow remote code execution on a victim's system just by visiting the website. The Storm Center has received one email of such a site and confirmed that it was actively using the exploit to attempt to download XP.exe from several locations. Currently vulnerable is IE6 on a fully patched WindowsXP system. As of now, there is no patch available. I know Symantec is detecting this as bloodhound.exploit.21 from what I have observed, but I'm not sure what other antivirus software is doing. It is advisable to keep your antivirus software updated and move to another web browser if possible. For more information, please see

http://secunia.com/advisories/12889/

For those who would like to check out the source code themselves before visiting an untrusted website and don't/can't use wget, there is a good online tool found at the following URL which will retrieve the source code of the web page for you.

http://willmaster.com/master/snooper/MasterSnooperV2.cgi

Secunia states that you need to disable the “Drag and Drop or copy and past files“... I say “run in high security“

Internet benefits - do employees have the right?

Is it the right of employees to surf the net, download anything, use personal email?

It is if you don't have an acceptable use policy.

Sample policies can be downloaded and customized from the SANS.org web site.

Sample checklists can be downloaded here.

Security whitepapers can be viewed here.

Remember .... policy first...technology second.

It's all XP sp2's fault

Today I fielded a call from a fellow CPA who was trying to fix an issue with his computer at home.  He started off by saying “well I installed XP sp2 and I probably shouldn't have done that”.

Wrong.  You SHOULD do that!  AND we all should do that step.

See his problem was that his easy no brainer way of viewing photos from the memory stick from his camera wasn't working anymore.  No matter what he did it wasn't bringing up the photo wizard anymore.  So I walked him through checking some things and just as I suspected the file extensions for .jpg got “sucked over” to be controlled by another program.  Roxio 7 was the program that he updated AFTER installing SP2 that was the problem program.

Now did he remember that he installed Roxio 'after' SP2?  Did he blame Roxio for the issue?  Of course not, XPsp2 was initially seen as the cause of the problem and he was about ready to uninstall it.

Sometimes it's hard being a person who likes to give ALL software the benefit of the doubt.  Too often we are quick to jump on the “Oh it's Microsoft's fault” bandwagon.  It's fun and so easy to do isn't it?  I mean, yeah, when it comes to certain things we all know they have the agility of a slug.  Right now Internet Explorer is down in that slimy slug category.  But I would argue [and there's a couple of people that I truly respect that say similar things] that we really shouldnt' be trusting ANY browser.  I'd be keeping an eye on this site and checking ANY browser you are using.

I was reminded of this “blame it the software..or not“ on Friday when I was ranting on how badly Quickbooks was coded and a guy there who was on the Intuit's Accountant group in the past who basically said that it took several years to recode the program and that kind of gave the impression [to me anyway] that we, as an industry should cut them some slack because rewriting the application was a big process.  Cut them some slack?  They sure love to force my clients to upgrade from Quickbook 2002 to Quickbooks 2005 for payroll tax purposes.  How about coding in a Windows 2000/XP manner instead of a Windows 98?  Is it Microsoft's fault that I have to beat my head against a wall to get my workstations to run in user mode or is it that vendor who won't follow the proper guidelines for coding to make their app work properly.  Can't they just set the permissions on the keys and files they need as they load up?  I'm sorry but I dont' think this is acceptable.  If they force my clients to buy new software in 2005, they should at least have programmers that code like they are living in the year 2005.

I mean if Best Software's Peachtree can do it.. come on Intuit.  We deserve better than this.  To my fellow CPA who was saying “well it takes time to recode”... how about giving all software that same “leeway”?

So why did the laptop have that key and not my workstation?

Fixing my sister's laptop that has been giving problems with USB devices like the thumb drives and I was trying to get her new gig drive working and it kept coming back with an error message:  “The specified service does not exist as an installed service“

Fixed it.

But don't know why her machine had this key and my desktop does not:

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}

Under there was indeed a key called “lower filters” and it was indeed a binary. Deleted the key out, rebooted and it can find the drive just fine now.

Weird.  My desktop doesn't have it.

Must be sunspots again.

A message from Sam the SBS 2003 server

Hi!  I'm Sam the SBS 2003 server with today's friendly reminder:

To the Computer installer community, just remember that when it comes to renaming me you can't run dcpromo on me and rename me.  This is the one area where I differ from my big brother counterparts.  My Motherships that support me don't support renaming the domain once it's built.  I've got a lot of glue and gunk in active directory and even with ADSLedit,  I have Exchange under the hood, so you can't [even with Exchange 2003 sp1] just rename me with no consequences.  To rename my domain the best and only way to do it is flatten me and start over.  Now remember, no matter what you name me internally, this has NO bearing whatsoever of what I need to use to pick up email.  So you can name me anything at all for my internal domain name, but when you run the connect to internet wizard, name that email domain name something else.

In my world I don't need dcpromo as my wizard does it for you. In fact, how the normal big server world can stand running those commands, honestly, it would drive me crazy.  It's sooooooo lame how they have to manually type that stuff in.  Wizards are so important to me and they make your life easier.

In fact, I had to snicker just a little bit when I read from one of my builders, the post from Charlie that he had to manually set up his internet connection and couldn't use the wizards.  And he even wrote it!  Made me laugh.  Made him appreciate what he did too!

So if you ever start mucking around deleting users like the backup user, remember to let me reinstall from the integrated install so I can put the glue back.

[again a little too much Dew and newsgroups today]

So all those IM messages you have on a daily basis

So you are IMing away typing up some pretty senstive info and because it's on IM and not on email the fact that you are giving away secrets to Fort Knox is fine because this is IM and not email right?

You do know that IM traffic can be sniffed... that it's going over in plain text. 

We were talking yesterday in a meeting how we need to take a concerted effort to “do the right thing” when it comes to computer security. 

Encryption is a HUGE right thing and it's still WAY too hard to do.  Like MSN IM.  Why doesn't it just include encryption that you can turn on natively?  You can add it on to your IM sessions but it's not built into the box.

Greg talks about what a pain it is to get people to understand let alone swap public keys to set up encrypted email.  WHY IS THAT?

Why shouldn't we try to ensure that communication is safe and secure ESPECIALLY when it comes to sensitive info, but on a regular basis I about fall out of my chair as to the number of documents that are merely emailed with no regard to sensitive information.

I mean why do I have to google to find the Verisign public key page?

It should be easier than this.  Right now I'm recommending that we at least use Adobe Acrobat and password protect/encrypt the file for the minimum of protection.

And pssst... Microsoft.... read this from the Verisign instructions...if AIM does it...why don't you?

The latest release of AIM (5.2 and up) allows you to send and receive encrypted instant messages using your Digital ID.

To use your new Digital ID with AIM, follow these directions.

You don't really have too much of an excuse do you?

During our tech meeting today, one of my fellow geeks was telling the story of how the firm that leased the space below her office moved out and they shut off the DSL.  When they did, they shut off her DSL and she realized how much she depended on high speed access.

Disaster Recovery.  Preparing for the worst.  It's a big issue.

And yet, even now, when we really have no excuse whatsoever, there are folks that come into the communities that don't have a backup.

Yo... walk over to the computer screen a little closer so I can wack you upside the head.

You have a backup wizard.

Heck, you can even backup to a usb harddrive.

What in the world are you thinking if you are not utilizing this?

I mean, come on, there's a web site that goes over backup and restoring SBS 2003, for heavens sake.

We were talking today about clients that think nothing of running their businesses on 7 year old hardware and have NO backup.  Now I'm not sure which I need to wack more.... the business owner who uses such old equipment that any day it will keel over and die.... or the small business owner who HAS A BACKUP WIZARD and still doesn't backup.

The minute you don't backup is the time that you'll need a backup.

Do it.

You have no excuse not to.

So am I really running beta code on a production machine?

So Graeme asks, am I running beta code of the Microsoft anti-spyware on a production workstation at the office to make sure that it goes out an egress filtering ISA server firewall? 

You bet your little bippy I am to make sure that the program runs as it should inside a firm.

I do wish there was a corporate version that would add a console view, but it's a very nice start to a spyware removal program.  One of my fellow geek guys David Cieslak said that they were looking at Giant before the purchase and was very impressed how it found stuff that the others didn't.

Hey you! You there! Mr. or Ms. Small Business person!

Yes, you know I'm talking to you!

You need a centralized place in your firm.  A meeting place the represents the meeting of the minds of the employees in your office.

You need a place to share data.  None of this mamby pamby peer to peer stuff.  YOU need a real network.

You need a way to share calendars ...to backup your mail database. 

YOU NEED A SERVER.

I use at home a mail client [Thunderbird] just because I don't want to pull into Exchange my truly gunky, icky, junk mail filled Pacbell account but I count on at least once a year that I orphan email and have to start over.  The standalone pst/pop kind of email just does not work.  Not for business.  You need Exchange.

You are a business.  Remember that.  And as a business owner, you need to get guidance and advice from someone who understands your needs, your wants and has guided businesses just like yours into setting up THEIR first servers.

[Okay so I know I'm preaching to the choir but I was reminded after a post to Joe Wilcox about how US small businesses still don't adopt servers as fast as other countries do, and that's a real shame.  I would guess that more technology is sold via word of mouth on golf courses than anyplace else.  Maybe it's because the computer stores don't showcase this?  Maybe there needs to be Saturday morning demos at Costco or something like there is at Lowe's?  Or maybe the USA marketplace is too filled with wacko DIYers like me?  Not sure, but I sure know that having a network means that small businesses are just way more flexible and agile because they have ALL [and then some] of the tools that their big brother businesses have]

SBS KBs of interest

I forsee scripting in your future, young Padawan

From the download center today

The sample scripts provided are likely to appear in the upcoming System Administration Scripting Guide (see More Information link), which will ship as part of the Windows Server 2003 Resource Kit. The sample scripts are not supported under any Microsoft standard support program or service

This help file contains all the scripts found in the TechNet Script Center (http://www.microsoft.com/technet/scriptcenter) as of November 5, 2004. Most of the scripts are designed to run with either Windows 2000, Windows XP, or Windows Server 2003, although many will also run on Windows NT 4.0 or Windows 98; in the latter two cases, however, you might need to install additional scripting technologies such as ADSI or WMI before the scripts will work. For more information about obtaining and installing ADSI, WMI, and the latest version of Windows Script Host (WSH 5.6), see the Script Center’s Scripting FAQ.

To subscribe to this free service (which is nothing more than periodic emails sent by the Scripitng Guys), send mail to scripter@microsoft.com, with the subject line Subscribe.

Yo, Joe? The average business owner doesn't WANT to do what I do.

In Wednesday's Joe Wilcox's Microsoft Monitor, he says “I'm dubious reseller support is necessary for every SBS 2003 installation, or even the majority. “

Yo, Joe, I have news for you, while easy to set up, this little box still needs a bit of TLC and most business owners want to pay someone to externally 'handle” this stuff.  Yo, Joe? You probably gas up your own car but do you change the oil, the brakes, and do maintenance on the engine yourself?  My guess is probably not. So while I'm a control freak, DIYer myself, I would argue that the average business owner may not want to deal with changing the oil and the breaks on their computer and may want to find a SBS consultant to handle this for him.  I mean, heck the average Joe [pun intended] needs to rely on their neighborhood geek to clean out the spyware and gunk from the average computer.  So why do you think that average SBS 2003 installations don't need reseller support?

Most of the gang I hang around with are Microsoft registered partners.  They carefully guide the business owner in their technology business decisions.  Joe, dear?  You ever try to figure out the right SKU code for a hardware firewall on the cdw.com site?  Ever try to get your SBS 2003 Software assurance order updated by yourself and figure out the right SKU code?  I first went through another vendor, and then found a true LICENSING specialist in Softwareone.com and I must say that once “I“ outsourced THAT function, I haven't been pulling my hair out and getting frustrated like I was in the past.

You think the average SBS owner knows what product or add-on is the best value?  To know what the best price is for Trend Micro antivirus?  To know what the best {free} spam add on to SBS 2003 is [Exchange IMF is in my opinion by the way]?  To know the proper way to apply patches?  To know that there are lots more patches besides Windows Update to be applied?  Even I as a DIYer apply patches to a test server AT HOME before I apply them to my server.  You think that business owner is going to watch the health and security of a box [or even know stupid stuff like the fact that Trend freaked us out last week with a false positive]? 

No, Joe, it's with a community viewpoint in mind that we ALL do well.  It's because a VAR/VAP is monitoring a bunch of like minded networks that he or she can see those patterns.  They can see the “normal-ness” and build a baseline.  I do it as a DIYer by watching the “pulse” of the newsgroups.  There's no way a normal business owner would want to do this.  And trust me, it doesn't matter which operating system you pick, THEY ALL NEED OIL CHANGES.  There's not a day that goes by that there isn't a patch for this or that in any software package.  

You have to have a VAR/VAP that sees the patterns.  It's only this “trusted consultant” the Outsourced CIO that can help the firm stay nimble.

No, Joe, I would argue that the best thing for a business owner to do is indeed get someone who montors a whole bunch of SBS boxes.  The more the merrier.  Because then they know that system inside and out better than anyone else and probably have already figures out solutions for their own home [or office] SBS networks that they can then just customize/tweak for all of their clients that they support.

That business owner needs someone who lives and breathes SBS, that knows what's the best for this little guy.  Yes, you can be a DIYer but when you can have instead the comfort of knowing that a person who oversees on average about 20 of these networks and knows what's the best, why wouldn't that business owner want to ensure that the outsourced CIO is the one keeping an eye on things and not him?

Yes, SBS reseller support is not necessary.  But since the folks that I know that install and support SBS are some of the most talented computer and technology folks around because they truly see and support the big picture, why wouldn't you want to hire someone who

• Has the resources of Microsoft in the Mssmallbiz Sharepoint, Listserve and blog
• Has the resources of the SBS community 24 hours a day, 7 days a week
• Has the resources of the SBS Motherships of Redmond, Texas and Shanghai
• Has the resources of SBS [partner] usergroups
• Has the resources of the Microsoft partner channel

I mean why wouldn't you want a Reseller that has that going for them?

Microsoft's Anti Spyware beta opens up today

Microsoft just opened up a public anti spyware beta today.  You can download the software here.

So far, nice interface, but I did already “beta bug” that I wanted a corporate console version, something that we could do just like the Trend console works.

And when I ran it on my system, it did find a few things [mainly security tools that it saw as possible issues]. 

Check it out, I think you might like it.  Check out the release notes as well.

The AICPA Top Technologies for 2005

Forgot to post the final “top 10” of the AICPA survey that identifies top technologies that either affect firms or their clientele in the next 12 months.  I always enjoy participating in that committee, it really makes you look at your own firm and review where you should be.  For SBS consultants, Document imaging --introducing a scanner/printer/copier and a document management system should be brought up with all your accounting and attorney clients.

Here's the list:

Okay so I'm not "quite" the geek I thought I was

Because I forgot that this evening was the live broadcast of Bill Gates at the Consumer Electronic Show.  Oh well, not to worry because it's online.

The friends I was staying with over the weekend, one of them is going to CES tomorrow.  He works with embedded systems and stuff as well.  And has two [yes, two] replay TVs at home. 

One of the things that the AICPA Top Technology committee [of which I'm the chair] identified as an “emerging tech” was the Digital home.  There's one guy on the committee who is like my friend in that he has all the latest gadgets at home.  Someone joked that instead of “digital home“ it should be just David Cieslak's house as the category.

Remember how we said that VOIP looked “hot” for the Small Business marketplace?  Looks like it's hot for the consumer space as well.

I bought something from Fry's that is a slight security issue

Went to Fry's Electronics over the weekend [it's kinda like an adult's Disneyland] and bought two 1 gig usb thumb drives.  Each gig cost $99US.  They even had a writing pen that held a usb pen drive. 

Now there are two things that go though my mind.

1.  Oh my, you would never know if sensitive data is being removed from your firm.

2.  Oh my, what if you loaned out that writing pen and then didn't get it back.  Now where's your data?

I think I need to stop watching Alias, I'm starting to get paranoid again.  But in the meantime I now can move 1 gig of data with ease. 

[They had a 2 gig on sale for $139 but they were sold out of them -- I'm not kidding....]

We had a little snow

 A bit off topic posting.....Coming home from Los Angeles today over the “Grapevine”, the name for the Interstate 5 roadway across the mountains, we had just a smidge of snow.  As we drove along, there was a Lookout point that all of the wacko Californians had pulled off the side of the road and were building small slushy Snowmen. 

We actually delayed coming back today because the Highway patrol closed down I5.  Now this time they closed it a bit earlier than last time 4 years ago so they didn't get folks stuck up there.

Back home and back on DSL.  I was using the Cell phone and my laptop along the way to check on weather and road conditions.

Yes, I'm such a geek.

Director of SBSLand, Eugene Ho and some other guy who works at Microsoft have an Executive Chat

Executive chat - Windows Small Business Server 2003 [January 18, 1:00 pm
Pacific, 4:00 pm Eastern]

Bob Muglia, Senior Vice President of the Windows Server Division, along with Eugene Ho, Director of Windows Small Business Server, discuss SBS 2003 in this January 18, 2005 TechNet chat. Windows Small Business Server is the comprehensive networking solution for small businesses--See how it can help simplify your daily activities and save you time and money.

Add to Calendar:
http://www.microsoft.com/technet/downloads/vcs/05_Jan18_Exec_SBS.ics

Chat room: http://www.microsoft.com/technet/community/chats/chatroom.aspx

1:00 – 2:00 P.M. Pacific Time

Okay, just kidding, Bob is obviously a bit higher up the ladder than Eugene [especially since I can't google and find a picture for Eugene like I can for Bob Muglia, but Bob, you see you don't have SBS in your title, so in my book, Eugene ranks higher in the SBSland rankings.  So therefore, I'm advertising this as a Eugene Ho chat rather than a Bob Muglia chat as Eugene will ALWAYS rank higher in SBSLand.  :-)

VOIP starting to get SBSized

Remember my Blog post that small businesses are starting to look at VOIP?  {I've seen this in my fellow geek accounting/technology firms starting to roll out or investigate this technology}  A couple of my geek friends down in LA use this in their business all the time. 

Heck, even Consumer Reports has an article on VOIP!

Well if you can't make the January Toronto event, here's another event that you can catch Harry Brelsford at!

Approximately 10-15% of your customer and prospects buy new phone systems annually.  The market for new phones systems is rapidly moving away from traditional, proprietary digital phone systems toward a new open systems approach, IP Telephony. Converging voice and data on a single network, IP Telephony eliminates the need for separate voice and data networks, reduces communications costs, improves employee productivity and eases system administration. It’s no surprise that this is one of the fastest growing technology segments today.  In fact, analysts are expecting worldwide IP Telephony revenues of $4 billion in 2004 – continuing to grow 35-40% annually for the foreseeable future.

As a Small Business VAR, now can you capitalize on this tremendous revenue opportunity with the Enterprise Interaction Center (EIC) from Vonexus.

Vonexus has developed the only 100% Microsoft-based IP solution exclusively for Windows Small Business Server 2003.  Combined with the Small Business Server platform, EIC delivers complete IP telephony functionality with out-of-the-box integrations to Windows Server 2003, Exchange Server 2003, Outlook® 2003, Business Contact Manager, and SQL Server.  Microsoft Small Business Server customers can now get a truly integrated voice and data solution for their entire enterprise - allowing your customers to enhance their investment in Microsoft SBS, while opening new revenue opportunities for your business.

Want to learn more about the Vonexus Partner Program? Register below to attend the Vonexus Connection Global Partner Conference in Las Vegas – absolutely FREE for SMB Nation Partners!

At the Vonexus Connection Conference you get answers to:

• What are the specific revenue opportunities for an SMB Nation Partner in the growing IP telephony market?
• How is Vonexus leveraging Small Business Server as the single platform for converged voice and data?
• What does Microsoft have to say about IP Telephony for Small Business server – and how will that translate to revenue for you?
• How can Vonexus help you leverage the marketing machines of Microsoft, Intel, HP and Polycom to drive new revenues?
• How can you get started - with no capital investment - in this exciting new business opportunity?

Vonexus Connection
Global Partner Conference
January 24 - 26, 2005

JW Marriott Las Vegas Resort, Spa & Golf
Las Vegas, Nevada

Register Now

Make sure you are fully PATCHED! UPDATED

HEADS UP!

Trend's latest update was giving a false alarm and was indicating that the systems were infected with this virus when they were NOT infected:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_LSASSSBA.A&VSect=T

While it's STILL a good idea to be sure that you are patched, the fact is that this was a false positive on the part of Trend

Regarding your query, we have received reports that the current spyware pattern for HKTL_LSASSSBA.A also detects the normal file NETAPI32.DLL. It is the Microsoft LAN Manager DLL file which manages certain networking functions of Windows operating systems. Hence, the removal of this file from the system would affect the network connectivity of the machine. It may be possible that the said file is being detected by the HKTL_LSASSSBA.A pattern.

 We will be releasing Official Spyware Pattern Release 197 to reflect this change. We will also update you as soon as the said pattern is available.

Now why it was interfering with TS access into the systems is still a bit of a mystery but the fact is it was a FALSE POSITIVE.

So you want to be a SBS Consultant, Part II

So you have an idea about billing, preparing bids and what not but need to ask more technical questions, more questions about licensing, and perhaps questions about networks a bit larger than a SBS network?

Want to have a direct connection to Microsoft's Small Business channel?  Talk one on one with Licensing and Technical experts?

Want to get information about

• Sales tools
• Marketing opportunities
• Partner newsletters
• Hook into live meetings on technical and sales topics
• Webcasts
• Rebates, promotion and incentives

We have another resource JUST FOR YOU that are a SBS Consultant or are thinking about becoming a SBS consultant!

The Microsoft Small Business channel has three resources that any potential SBS consultant needs to log into, join and set up an RSS reader to follow

First off is the MSSmallBiz Sharepoint site which is chock full of information that you need to ensure you have maximized your clients return on investment. 

Next is the MSSmallbiz listserve.  This one is different than the Smallbizit listserve as like the sharepoint site it's more geared toward ROI and the bigger picture, you know what I mean?

Finally [and this is brand new], download a RSS reader like newsgator as there's a new MSSmallbiz blog!

Browse on over, log in, sign up and hook into the blog!

Make 2005 be the year of SBS!

So ya wanna be a SBS consultant, do you?

Question from the mailbox today is interesting in that it's not the first I've seen about someone making a change and interested in becoming an SBS consultant.

Some of the questions that typcially come up are things like....

• How much do I charge per hour?
• Do I flat fee or hourly bill?
• How do I get started?
• Do I or does the customer buy the computer equipment he or she needs?

And things like that.  I'll touch on these in this blog post, but remember, it's really best to talk with your peers on the smallbizit yahoolist as that's the “business side of SBS” listserve.

Here are some of the typcial responses I've seen on that list:

How much do I charge?

Well for that, look around and gauge what other consultants are charging and what other “maintenance” style services are charging.  You certainly are not in the league of the highest priced Attorney in the world, but don't undercharge your services.  If you know SBS and truly know your stuff, you are a valuable member of that firm.  Usually the range for fees is around the $75 to $150 mark, but regional variations should be taken into account.

Do I flat fee or hourly bill?

Many are beginning to “flat fee” the base install of SBS and then hourly bill customizations and desktops and what not.  People like to know how much things cost.  So proper bidding is important for everyone.

How do I get started?

This is the toughie... because I would argue that word of mouth is the best advertisement.  People ask me "should I hire a MCP/MCSE to install my SBS server?” and I usually tell people that they need to ask “How many SBS installs have you done?  You want someone is an SBSer and not just someone with a certification.  There is currenly a SBS specific exam and that would actually more indicate their interest in SBS better than anything else.  It may not be a “perfect” exam, but it's at least an exam that recognizes the small business world.

Who buys the equipment?

Many consultants use Ingram for suppliers but most do recommend that the customer buys the hardware.  I would also recommen going through Softwareone.com for any licensing issues and when you sell Software Assurance that YOU not the client manages the licenses.

So if you are getting started in a new venture that surrounds SBS, welcome to the community! Join the SmallbizIT group and ask how others got started.  Many in that group do standardized installs to make it easier to control and manage their installs.

Who protects the Internet?

Back from our New Year's trip to Disneyland.

We survived the Tower of Terror ride [well the adults barely survived, the 10 year old we were with wanted to go again].

While in the park we noticed two cool technology items.  Once was at the Test Pilots grill where we were able to order our food from a touch screen menu order taking system.  We also checked into the hotel using a similar technology.

At dinner in Downtown Disney, the 10 year old asked “Who is in charge of the Internet?” and we had to explain to him that there are many organizations that provide the backbone of the Internet.  From phone companies and what not, and we explained how the Internet came into being.

Then the 10 year old asked “Who protects the Internet?”

Hmmm... good question from a 10 year old.

I would argue that we all do.

We do when we patch, when we make sure our antivirus is up to date.  When we don't open up emails automatically.  We also all protect the Internet when folks like those at www.incidents.org keep an eye on things and notify the necessary parties.

You know they are volunteers, don't you?

You know you can help out don't you?

It takes all of us, yes even little SBS networks to do their part to make the Internet safe.  We're all on this highway together.

So keep an eye out, will you? 

And remember, WE ALL help to protect the Internet.

We're checking out the technology of Disneyland...yeah that's the ticket!

Well I'm going to be checking out the technology of Disneyland and California Adventure today and tomorrow [don't laugh, you should see the RJ45 wall jacks in California Adventure that we've seen on past trips].  So blogging will be light.  Here's the day's events at the resort.

Right now I'm downloading Tablet PC power toys so that Nathan [my best friends' little boy] can play with the tablet in the Disneyland hotel while he waits for the adults to get ready.  We're raising a geek...[he's 10] what can I say!

Happy new year to all!