Norton needs an update for XP sp2

Internet Explorer patch out today!

 http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

The long awaited patch for the issues of late.  Start testing and patching!

If you have XP sp2, your local zones are already in “protected” state and thus you do not need this.

Kewlamundo - Robert starts a blog

David Hibbeln pinged me this morning that Robert Hensing started a blog.  Who?  You ask?  Security Dude at Microsoft. That's who.  Good stuff.  Subscribed!  He does the Security Incident Response stuff at Microsoft.  Talk about a “been there, seen that” kind of job.

He starts off with passphrases and getting rid of LMhash.  Start reading... and then go change your password to a passphrase.

When Nathan grows up....

I'm down in Los Angeles visiting with my girlfriend and her nine year old little boy is demonstrating his UC Irvine Tech Camp project.  He worked on MAC computers to do digital photography and then worked on developing a game.  The camp runs about a week and each child does a project and then presents it on the final day.  We've come down to also go to a baby shower for another girlfriend, but will be going to the Tech Camp presentation tomorrow. 

When I was his age, we didn't have computer camps.... for that matter my first introduction to computers was in high school.  My goodness.. when Nathan grows up... can you imagine how much technology he will have absorbed as just “normal”. 

I had to laugh though.  On Michael Howard's blog he talked about how he was talking to game designers on how to code more securely in the gaming industry. That's one thing that hopefully will occur “as Nathan grows up”.  All developers will think about security.  For now, I'll let Nathan off the hook and just sit here amazed at what a 9 year old is being introduced to. 

My sister was talking to my Dad about our city's new natural gas/hybrid busses that have global positioning units on them so that they can track the bus locations at any point in time, have cameras on board to ensure that the driver is okay and electronically counts how many get on and get off the bus. 

Look what we now take for granted.... as I sit here typing on my laptop connected wirelessly to my friend's computer system....and replay/tivo TV in the living room. 

Here's to the next generation.  My hat's off to you Nathan.

Update - photos from the “Family presentation“ at IDTechCamp are online here.

Other SBS KBs of interest

327644 - How to configure licensing on an additional Windows server in an SBS network:
http://support.microsoft.com/default.aspx?scid=kb;en-us;327644

324958 - How To Block Open SMTP Relaying and Clean Up Exchange Server SMTP Queues on SBS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324958

838183 - How to turn on the Exchange writer for the Volume Shadow Copy service in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=838183

 830360 - Default picklist value in an opportunity is not set if the opportunity is created from lead conversion in Microsoft Business Solutions CRM:
http://support.microsoft.com/?kbid=830360

832319 - Vertical scroll bar not visible when you add columns to a view in the Microsoft Business Solutions CRM version 1.0 Sales for Outlook client:
http://support.microsoft.com/?kbid=832319

If you are a beancounter... this KB makes your heart go pitter patter...

Office 2003 SP1 just out today

Office 2003 sp1 just hit the download site today

Office 2003 sp1 - http://www.microsoft.com/downloads/details.aspx?familyid=9c51d3a6-7cb1-4f61-837e-5f938254fc47

Visio - http://www.microsoft.com/downloads/details.aspx?familyid=afca0578-e1fb-4540-b0cc-ff83def61cc6

Outlook BCM - http://www.microsoft.com/downloads/details.aspx?familyid=d21f3d89-46ac-4a27-b4c7-be05723d53e5

Outlook Junk mail filter - http://www.microsoft.com/downloads/details.aspx?familyid=d8ded71e-89ed-4473-9640-13a2b799564e

Office update inventory tool - http://www.microsoft.com/downloads/details.aspx?familyid=37822f41-f749-4b7c-b4df-b052d255a1b8

Infopath toolkit - http://www.microsoft.com/downloads/details.aspx?familyid=7e9ebc57-e115-4cac-9986-a712e22879bb

Office 2003 - Office web components - http://www.microsoft.com/downloads/details.aspx?familyid=7287252c-402e-4f72-97a5-e0fd290d4b76

Project Server - http://www.microsoft.com/downloads/details.aspx?familyid=5dea5862-d534-4f17-ab08-7c9b790c5b15

OneNote - http://www.microsoft.com/downloads/details.aspx?familyid=07408348-26c9-43bb-9e7e-6151cf15d415

Do we use the /3 switch or not?

Does your server have 4 gig of RAM?

Today a poster asked if we SBSers need to follow this KB or not:

823440 - You Must Use the /3GB Switch When You Install Exchange Server 2003 on a Windows Server 2003-Based System: http://support.microsoft.com/default.aspx?kbid=823440

The recommendation is if you have a server with 4 gig of ram to follow that KB.

THIS HAS NOTHING TO DO WITH SBS

I saw that they announced the name of the next Star Wars movie “Revenge of the Sith”.  Just putting everyone on notice now.  I will be in Newport Beach at the Big Newport movie theater with a bunch of my friends next May.  Oh and I should also warn you that I'm known for making folks that go with our group wear matching shirts.  This photo of me was taken in line at the Big Newport before Star Wars I and beleive it or not, someone else there brought that Yoda.  For the record I wasn't the only one who took my picture with him.  ;-)

If you know me, you'll know that I quote Yoda when talking about the Small Business Server platform. 

"Size matters not. Look at me. Judge me by my size, do you?"

"Try not. Do. Or do not. There is no try."

Personally, I think there's a little green guy inside every SBS box.

[now back to your regularly scheduled SBS blog]
P.S.  Click on the link for Multimedia on the Big Newport link to see some photos of the “tent city” that crops up before each Star Wars showing.  I'd also recommend that you try to watch it on an IMAX screen but NOT the domed one in San Jose... find a flat IMAX instead like the one in Las Vegas in the Luxor Hotel

Everyone wanted to make sure I wasn't hyperventilating.....

...with Google being affected by the Mydoom virus.  Must have Google... can't live without google.... can't newsgroup without google.... can't GOOGLE without google!!

While last weeks bagel was a real “stupid computer user” virus [like a normal paranoid computer user couldn't look at the bagel emails that had no body message, a stupid subject line and an attachment that SCREAMED “I'm a virus!  Stupid Computer User click here” and STILL click that attachment and get themselves infected, today's MyDoom was way more believable of an email.

This Mydoom one of today was a lot more into social engineering.  I got an email this morning from my ISP that said my account had been sending out a lot of spam this weekend and that I'd better check my system with the attached file... yeah... right...I said... fat chance.  But it was still enough to trick possibly most not so paranoid folk.

This is why proactively BLOCKING these attachments is key.  The virus companies were scrambling to get the dat files out.  Don't even let these files into your network, either using the SBS file attachment blocking wizard or using Trend [or your Antivirus] to block these.

Also on a paranoid note...I was in Macy's tonight [a department store in my city] and I honestly do much of my shopping online and have not been in the store in a long time.  So it was pretty obvious that they were updating their database when they swiped in my Macy's card, asked to see my Driver's License [swiped it in], wanted my address, phone number.. and get this... asked me to enter my Social Security number on the sign-on-the-screen thingamabob.  As I entered in the Social Security number, the numbers were in plain view on the screen of the device that normally you just sign your name on. 

Okay ... I think I'm getting paranoid because entering in the Social Security number freaked me out especially the fact that it was not even blocked on the screen while I was entering it.....I mean HIPAA rules are there to protect my privacy and electronic health information but what about my rights on my personal data.  I just gave Macy's and their IT department, my credit card number, my signature image, my address, my phone number AND my Social Security number.  I have no idea if their network system is patched, scanned, and if that transmission of my Social Security number is encrypted while in transmission...I assume it is... but I really don't know, do I?   Okay so maybe being a little too geeky and a little too paranoid is not a good thing?  ;-)  

Oh THAT's why OWA did that...

The other day I posted in a link to a SBS chat coming up in August and initially the link had extra “stuff” in the html that I didn't realize.  Now I know why.  Once again, the EHLO blog explains why when I copied the html code that I got extra “stuff” that I later had to edit off. 

That's good to know. And good to know to watch out for that in the future.

XP Service Pack 2 - get ready to play

I write articles for my local business journal as well as for the AICPA Infotech newsletter and they needed an article for the September/October edition.  PERFECT TIMING!  Unless you've been living under a rock, you know that XP Service Pack 2 will be out in the month of August and I'd strongly recommend that consultants and admins review the document located on the web that details out what specific setting you can do with the firewall.  Remember that in the SBS 2003 network, we will get a specific group policy that will enable it inside the network but we can even edit it MORE than they have and do our own adjustments.  There's settings in there that can limit the settings to just certain IP addresses, to just the local network or to the entire Internet. 

Start with the base and then start to “play” to better protect your clients.  My guess is that you will find you'll build on top of the rules that the SBS 2003 team has built to customize it for your clients.

I was out surfing and found this web site that talked about some of the things they didn't like in XP sp2.  It's an interesting site that talks about some of the concerns that some of us have been discussing on a listserve.  Will end users just blindly approve applications to go out the firewall without understanding what they are approving?  I do think that the IE scripting limitations, the pop up blocker and the firewall action will need end user education.  In my office where we have the RC2 installed on four production workstations, it already has needed some explanation for those folks running it.  But that's good.  The more we educate, the better we are protected.

So, I'm looking forward to it... August... come on August!

If they ever ask for my Amazon.com book purchases....

If they ever ask to see my Amazon.com book purchases they are going to see hacker books, computer books, and my latest purchases... a bunch of Sharepoint books.  I just finished an online training class and definitely my interest was peaked and definitely demanded that money be spent at the “book store”.

Remember that the SBS sharepoint [aka companyweb] is pretty much the same as “normal“ Windows Sharepoint Server with the following exceptions:

SBS sets up the WSS, it sets up the virtual server, configures the sites, add the users automagically.

It has custom lists, content unique to SBS -- for example -- it has Help Desk and Vacation calendar as a custom list

It has an import file wizard that allows bulk import of folder structures.

It has a part that works with MS fax server that can auto route incoming faxes to a WSS fax document library.

That's about it folks.... other than that the technology of WSS inside SBS is the same as "normal" WSS.

So the books I ordered are:

Amazon.com: Books: Microsoft SharePoint 2003 Unleashed (Unleashed):
http://www.amazon.com/exec/obidos/tg/detail/-/0672326167/102-6920567-9875324?%5Fencoding=UTF8&v=glance
Amazon.com: Books: Microsoft SharePoint: Building Office 2003 Solutions:
http://www.amazon.com/exec/obidos/tg/detail/-/1590593383/102-6920567-9875324?%5Fencoding=UTF8&v=glance
Amazon.com: Books: Microsoft SharePoint Products and Technologies Resource Kit (Pro - Resource Kit):
http://www.amazon.com/exec/obidos/tg/detail/-/073561881X/102-6920567-9875324?%5Fencoding=UTF8&v=glance

Tavis reminds me that LookOut add in is on the download site

http://www.microsoft.com/downloads/details.aspx?familyid=09b835ee-16e5-4961-91b8-2200ba31ea37

An addin to Outlook to quickly search all of your email, contacts, calendar, and filesystem.

And I added TAZ's blog link at the bottom of my page.  He reminded me that hit the download site.  It a supersearcher add in for Outlook.  Microsoft bought them and already it's a free download on the Microsoft web site.

Got Quickbooks? Shut off the autodisconnect.

A buddy of mine called me the other day saying that he kept losing connection to the server and “Quickbooks” would barf on him and was there anything he could do about it.  Oh yeah.  As part of my “three things I always do on a server” shutting off the autodisconnect is very high on my list.  Gordon in the blog comments alerted me to a new KB that is on point discussing how to tweak this setting.

Hmmmm wonder if I should put that down as a SBS “hack”.  I just take it for granted that everyone does that.

Okay, filed in the SBS "hack" section in anticipation of the SMBNation conference in Seattle September 10-13.  If you happen to be going, start getting sleep now.  I just saw the tentative schedule.... you'll need it.

If you missed the Scripting webcast week... all is not lost

Scripting webcast week

So Scoble  says that his wife's new job as a MSDN webcast host, they hosted over 4,000 in attendance at the Scripting webcasts.  Wow.  One of my fellow MVPs attended [Steven Teiger [no “h”] and got this email back in response.

Remember that this webcasts are always available ON DEMAND!

Thank you for your interest in our TechNet Webcast
Scripting Files and Folders Makes Me Happy - Level 200.
Here are some related resources that you might find valuable.
            
                                    
Try Your Own Script Writing With a FREE TechNet Virtual Lab!
The best way to learn scripting is by writing scripts. That’s good advice,
but how does it help a newcomer looking to get started in the world of 
system administration scripting? Here is your answer! Try our 
FREE hands-on lab that walks you through the script writing 
process by clicking here. 
 
Script Center | Files and Folders
Lots of sample scripts that extend the themes of the webcast. Click here
 
Review the on-demand version of this webcast and other resources
Available 48 hours after the live webcast.  Click here
 
Microsoft Skills Assessment for Windows Server 2003 
Click here   
 
Microsoft Windows Server 2003 Books for IT Professionals
Click here   
 
Microsoft Windows Server 2003 Deployment Kit
Click here   
We hope you find this information useful.
 
Your feedback is important and helps us improve our program.
If you attended the event and have not already completed 
a survey, please click here  . 
 
Thank you again.
 
Sincerely, 
 
Your TechNet Team
 
So anyway... besides Scripting webcasts they also have Security webcasts [my passion]
and TechNet Radio now and Channel 9 videos and then there are Technet Chats  [don't forget the SBS End user
chat on August 5th]
 
So what's scripting about anyway?
 
You are building a script to run a task that might normally in a gui screen take longer.
 
For example changing the local admin password via script is done like this...
 
strComputer = "MyComputer"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
objUser.SetPassword "testpassword"
objUser.SetInfo
Obviously change the name of the computer from “MyComptuer” to whatever the name is and change “testpassword”
to whatever you like but copy and paste that to notepad, save as a vbs file and voila, you have a script.

My way is better... no MY way is better

“One nic [network card] is better than two nics“

“A hardware firewall is better than a software firewall“

I was reminded by these “mine is better than yours” by a post by Rory.  He starts out by relating the story of Nike and how he thought if he only had the “swoosh” on his side, he'd be better, stronger, he'd be just ... just more.  Well he found out that shoes do not make the man.  He uses it as an analogy over “language wars”.

The same can be said in SBS land.  I'm guilty in the newsgroups of posting in a “pompous manner' oh don't do it with a one nic, always do it with two nics, but you know what?  I'm second guessing that consultant who [if they've done what they are supposed to do], analyzed the client, looked at the issues they face and determined the best solution.  At the same time, for all those folks that recommend one nic, don't blame me for liking and recommending two network cards.  I like having the separation and feeling like I'm doing it like the big boys. I'll paraphrase Rory's question but in the case of SBSland where we can do things in many many ways.....

1) Can it do the job well?

2) Can it do the job in a way which pleases you?

If you can answer "yes" to these two questions, then you have the right bloody “technology“, and don't let anybody tell you otherwise.

As long as both methods work, keep the networks safe, and provide that company with what they need, does it matter how you do it?  It provides a solution.  So let's get past arguing what is the “best practice“ as what is “best“ for you might not be “best“ for me.  The “best“ solution is one where the consultant has set up “the“ firewall [whatever brand], in a manner that it is controlled, auditable, confirmed to only have those ports open what is it was intended to have open, configurable only by those who are authorized to configure it, and without known vulnerabilities. As long as whatever technology is in place protects and defends that network exactly when it needs it, who cares what is used?

The SBS Newsgroups Posting FAQ

<< The SBS Newsgroups Posting FAQ >>

The following tips are designed to help you get the fastest
and most appropriate answer to your questions.

Following these tips will help us to help you.

===================================================
- Post to the appropriate newsgroup -

For SBS 4/4.5: microsoft.public.backoffice.smallbiz
For SBS 2000 : microsoft.public.backoffice.smallbiz2000
For SBS 2003 : microsoft.public.windows.server.sbs

Microsoft News Server: news.microsoft.com

The SBS Newsgroups provide a free forum for threaded discussion
and peer support on issues related to Small Business Server by
users, service providers and interested parties.

Please remember when posting that non Microsoft people don't get
paid to be here, and MVPs are -not- Microsoft employees.

- Who are the Microsoft MVPs ? -
Frequently asked Questions about the Microsoft MVP Program

Everyone here is giving generously and freely of their time, experience
and expertise to enhance the Small Business Server Community.

Join it, support it, respect it and enjoy it. - SBS Rocks !
 
===================================================
- A Web interface to the SBS 2003 newsgroup is at -

http://support.microsoft.com/newsgroups/?pr=newsgsbs2003

You'll find the Rules of conduct on the Microsoft Website at:
Welcome to Microsoft Discussion Groups

===================================================
- Do some advanced research for previously posted solutions -

( It's most likely been posted and solved before. )

Advanced Google Search:
http://www.google.com/advanced_search
Domains: microsoft.com,  experts-exchange.com

Advanced Google Groups Search of the Usenet archives:
http://groups.google.com/advanced_group_search

Advanced Microsoft Search
http://search.microsoft.com/search/search.aspx?st=a&View=en-us
Note: You can also just enter a KB Number , Q Number or Error Number

Search via an Error Event ID
http://www.eventid.net
http://search.microsoft.com

Your Public Interface:
http://www.dnsreport.com
http://www.dnsstuff.com

View your network settings on Servers and Workstations:
Start > Run > cmd : ipconfig /all

View your Ports Status:
Start > Run > cmd : netstat -an

===================================================
- Post with a meaningful subject line so those with expertise or interest
in the topic can find it quickly.
Posting with a purely attention seeking topic such as "DISASTER"
or "No-One Ever Responds to Me" may get you noticed -once-
but is likely to get you ignored or dropped in future.

Remember: -everyone's- issue is important to them, so queue jumping
certainly won't enhance anyone's opinion of you within the newsgroup,
and you may need their help again sometime.

===================================================
- If posting a Question, post with sufficient information for a complete
stranger to understand your SBS version, environment; your issue, what you
have tried and what failed. You're not cutting down on the typing as you'll
be asked anyway, and it can only enhance the speed to diagnosis and resolution.

Please state all messages and IDs in failure notices and/or in the event viewers.
Also what may have been installed/changed/updated prior to or during the issue.

A secondary benefit to this is that in correctly framing the question,
the resolution often presents itself.

Note:
Stating your SBS version ( 4, 4.5, 2000, 2003 ) is particularly important as is
whether your SBS 2003 is Standard or Premium and whether you have ISA installed.

===================================================
- Posting In capitals on is considered SHOUTING! ...Please don't.

===================================================
- Don't overlook or discount Paid Support.
If the Issue is urgent or complex, the time you spend searching for a "free"
solution. ...and cost factors such as Worker Downtime, Customer Irritation,
Lost Productivity, and Hair Replacement costs will likely far outweigh the
cost of a support call to Microsoft PSS (Product Support Services ) or a
local IT Support Professional with experience in Small Business Server.

Note: Hot-fixes are free of charge. Just ask for the specific Hot-fix.

===================================================
- It's difficult to convey human emotions on Usenet (Humour, Pathos,
Sarcasm, Tongue-In-Cheek ) so use of emoticons and/or acronym tags is advised.
.... and no; you -don't- have to be serious all the time.
It's a community. Enjoy !

===================================================
- There are many paths to a solution and as many experiences in getting
there as there are posters.

Sometimes the paths are well worn, tried and true. Sometimes paths diverge,
sometimes converge and sometimes new trails are blazed. Understand and respect
that and use what suits you and your particular situation.

Posting back the solution that helped you will help others
with similar scenarios and issues and add to the overall knowledgebase.

===================================================
- People are different, but people are people -  you should be nice to them.
This is a technical newsgroup and not a place for Egos or Flame Wars.
As a community we try to leave them at the door and respect each other.
What you post here is archived and available to anyone, anytime.

Remember: ...."Please don't feed the Trolls!"

===================================================
- Newsgroups are not your only source of Information / Help.

Many of the members of the Small Business Server Community
provide support via Websites, Lists and Blogs such as:

http://www.sbslinks.com ( Susan's Links to all things SBS)
http://www.smallbizserver.net ( Mariette's SBS Website and Forum )
http://www.sbs-rocks.com/articles.htm ( Andy's SBS Articles & Resources )
http://www.sbsfaq.com ( Wayne's Website )

Small Business Server Groups on Yahoo.
sbs2k@yahoogroups.com ( SBS Forum on Yahoo )

Blogs by: Chad, Charlie, Kevin, Susan
http://www.msmvps.com/cgross
http://blogs.msdn.com/canthe
http://www.msmvps.com/kwsupport
http://www.msmvps.com/bradley

The Microsoft SBS Websites:
Small Business Server Homepage for all sorts of Information,
Demos, Whitepapers Upgrades, Migrations Events and Training
http://www.microsoft.com/sbs

Small Business Community Sharepoint Site:
http://sbcomm.sts.winisp.net

===================================================
- Don't be shy about posting a Question ....or an Answer.
SBS encompasses a lot and has been known to make even corporate
SysAdmins Cringe and MCSEs cry. None of us knows all the answers.

We were all "Newbies" once and none of us has experience with every
permutation, combination, setup and environment SBS is deployed in,
so there are -no- stupid or dumb questions. That's the domain of
answers that imply that there are.

If you're asking a question and know the answer to another one on the
page, muck in and post it. The poster may get a faster resolution than they
would have, and an additional member may get a response
they wouldn't have otherwise

Your solution may be a something that we can all learn from.
- What goes around, comes around.-

===================================================
- It's not only Break/Fix. Anecdotes, Wishlists, Insights and Brickbats
are all grist to the mill of SBS Topics and all on-topic for the community.

===================================================
- Don't Multi-post*.
( * the same Posting within different newsgroups or within the same thread.)

If you must post to several newsgroups, Cross-post to just the relevant ones.
A response in one will then show up in the others and all can follow the thread.

===================================================
- Be patient.
Newsgroups are not Instant Messaging, and people aren't on-line just waiting
for you to post. If the situation -is- that urgent, then Paid Support will pay
for itself. Remember: No-one owes you a response.

===================================================
- Things get missed.
Things do get lost or missed, or someone with the appropriate skills
or experience may not be available, so if you haven't had a response
after 3 Days or so, post again, perhaps with more detail and things
you've tried in the interim.

============================================
- Lastly, -enjoy- and remember, SBS Rocks !

For and on behalf of the SBS Community.
SBS FAQ Poster

ISA Server 2000 ... to reinstall SP2 or not to reinstall SP2 ...that is the question....

Just a reminder to folks running with ISA Server 2000....

You must reinstall ISA Server SP2 after you do any of the following:

·       Add or remove ISA Server components
·       Install ISA Server Feature Pack 1
·       Change ISA Server installation mode

The upgrades to ISA Server Feature pack 1 will only get “smooshed“ on there if you reapply SP2 afterwards.  So don't forget to reapply SP2 when installing that feature pack.

ONLINE CHAT - SBS 2003 End User Experience

SBS 2003 End User Experience
Join Microsoft experts on August 5, 2004 to discuss tips, techniques, and best practices for the SBS 2003 End User Experience. The topics include Remote Web Workplace, SBS intranet (Windows SharePoint Services) and Office Outlook 2003 running on SBS clients.

Date: 10:00-11:00 am Pacific Time, 1:00-2:00 Eastern Time on August 5, 2004.

Enter Chat Room

Add to Calendar

So go find some “Ends” that are “users” and drag them to this ;-) 

Seriously, the integration that SBS has right in it's pocket is amazing.  We DON'T take advantage of what we have.

Oh WOW - I didn't know THAT about Exchange 2003 sp1!

“In Exchange 2003 sp1, out of the box, we do not write any badmails”  WOW.  In today's EHLO blog posting, Philip Chan indicates a change in the way that Exchange 2003 sp1 operates.  As it stands now I personally just dump the bad mail folder every now and then on my 2k box.  Man, will that be a nice change in 2k3.

Badmail folder is 99.999% junk anyway and if it was a good mail, they'd just try again anyway, so this change is REALLY good.

Getting Ready for XP sp2......

Noticed the following two KBs come out in advance of XP sp2.  Kewl.  Vendors who are stepping up to the bat before XP sp2 hits the streets.  In a listserve I'm on a guy says “once you step outside the business world and start talking to residential users, they don't know what spyware is or don't care“.  I guess I must hang around with folks that surf a lot because comments always come back to me about pop ups and slow Internet experiences.  Many of these folks have kids that download music and are on Kazaa.

Sorry but I DO perceive it to be an issue to home users.

870906 - McAfee Virusscan Professional version 6.0 quits unexpectedly after you install it on a Windows XP Service Pack 2-based computer:
http://support.microsoft.com/?kbid=870906

870907 - NetZero closes unexpectedly when you start it in Windows XP SP2:
http://support.microsoft.com/?kbid=870907

Upgrading to XP sp2 is going to be sooooo horrific....

...or so it seems to most of the Tech writers out there.  Well I know that I'm planning to have a traning session at the office once it releases to show people how to use the pop up windows stopper, add web sites to it, show how to web sites to trusted zones, but I'm sorry, these folks who consider things “difficult” should wake up and realize how “easy” it is these days for any browser to be gunked up with this stuff.

Difficulties are in the eye of the beholder.  Is it difficult to put on a seatbelt? Was the first time we did it, now it's second nature.  In fact our cars remind us when we haven't put it on.

I don't consider it "difficult" to do what I can to ensure that my client's personal and confidential data stays that way inside my firm.

At home, I've got account numbers and other personal info on that system.  Again, call me stupid for wanting to ensure that browser hijacks don't occur anymore.  It's MY system, it's MY computer and I didn't give them the right to make THEIR search engine take the place of MY choice.

Those spybots are breaking and entering into MY property.  XP sp2 is the bulldog that I just bought, the alarms for the door and the security lighting on the side.

If folks only understood what was happening to their systems they be DEMANDING it, not considering it "difficult".

Another interesting RSS add on to a public folder this time

RSS.  Unless you are living under a rock you've heard about RSS.  Today I spotted this....

Glen's Exchange Dev Blog: Public folder RSS Feed Event sink:
http://gsexdev.blogspot.com/2004/06/public-folder-rss-feed-event-sink.html

Definitely will need to include that one in my SBS “Hacks” section which is in anticipation of my presentation at SMBnation in September, which is going to come sooner than I think!

SBS KBs of interest

SBS

843539 - You cannot use Outlook Web Access with forms-based authentication and you receive a Store.exe e-mail alert message:
http://support.microsoft.com/?kbid=843539

839499 - You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server service on a domain controller:
http://support.microsoft.com/?kbid=839499

Windows

873018 - Download.Ject Payload Detection and Removal Tool:
http://support.microsoft.com/?kbid=873018
871242 - After you install Security Update 839645, you may experience sharing violations and increased network traffic under Windows XP:
http://support.microsoft.com/?kbid=871242

Server issues

824905 - Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the security log of Windows 2000 and Windows Server 2003 domain controllers:
http://support.microsoft.com/?kbid=824905

840655 - You are logged off a Remote Desktop session when you have an NVIDIA video card installed in Windows Server 2003:
http://support.microsoft.com/?kbid=840655

SBS Live Chat - This Tuesday

The Power of Feedback

SBS Release Manager Charles Anthe posts in his blog to “ feel free to post comments/questions if you like” and that “I'd like to think of this as an opportunity for dialogue with people who are interested in SBS “  The ability to add comments to the blog postings really do make it more of a tool for feedback than people may think. So I'd strongly recommend to folks that are SBSers to post on over to his blog and let him know what you like, what you don't like, what you'd like to see changed.

You can also visit the Public newsgroups or the Yahoogroup groups to give feedback as well.  I have a really funky, funny story about feedback.  I had to do a quick trip over to Las Vegas Thursday night and flew through Phoenix on my way to Vegas.  My plane was a bit late getting there from Fresno so by the time I landed in Phoenix in the farthest gate on the B-terminal, I had to catch my next flight in the farthest gate in the A-terminal.  I didn't pack any luggage so I was carting along my laptop bag with my purse and a backpack with makeup and the bare minimum of change of clothes.  As I walked to the gate as fast as I could, I swear the laptop bag got heavier along the way.  Long story short I finally arrived just in the nick of time at the gate, they took my ticket and I was the last one to board the plane.  I'm strongly breathing [more like huffing and puffing] and walk to the back of the plane where my seat is.  Well of course, someone was sitting there so the stewardess directed me towards an empty seat in the back.  The stewardess helped me to find a empty upper bin to stash my backpack [and these bags are carryon sized people?  These are HUGE] and I stashed my laptop under my seat and sat down.  I sighed “I need to start exercising, I made it“ and the guy next said “Just relax now.”  Then the steward came to our row and said “Sir, may I talk to you back here?”.  Me and my sick sense of humor ... I jokingly said to him “Troublemaker, eh?”.  As he passed by me the fragrance of a little too much liquor made it a bit obvious that my joke was a bit in poor taste.

The steward took him around the corner in the back of the plane and it was very obvious that he was very drunk.  He was asked what his final destination was and he said “Baltimore” [the final destination of the flight].  Fortunately he made no fuss when he was asked to leave the plane.

So the point of this story?  Feedback.  The family in front of me alerted the cabin crew that the gentlemen was intoxicated and was swearing quietly.  The stewardess later came back and thanked the family and said that they sometimes don't “catch“ these types of issues until it's too late.  FAA regulations allow the airlines to remove problem passengers.  She thanked them for the feedback that they gave that made the flight safer.

The power of feedback.  All of us have the power to do something similar out here.  Tell what we like, what we don't like, feedback. 

It's a powerful thing.

NEWSGROUPS

http://www.microsoft.com/WindowsServer2003/sbs/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windows.server.sbs

LISTSERVES

sbs2k-subscribe[at]yahoogroups.com - This listserve is for technical issues with SBS 2k3

smallbizit-subscribe[at]yahoogroups.com - This listserve is for more marketing and business matters with SBS 2k3

mscrm_smb[at]yahoogroups.com - This listserve is for the combo of CRM+SBS [Scott Colson ROCKS!]

123 Protect your Server - Firewall, Antivirus and Patching

The room service bacon burger at the Bellagio is still better....

Driving in the taxi from the Airport, I drove by the Alexis Park Hotel and Resort.  So THAT's what it looks like 'eh?  So why is that of interest to me?  Because Alexis Park is the venue for Defcon the annual Hacker convention.  HD Moore will be there, among others.  FX the guy who has the database of default passwords, will be running a presentation on “The goal is that you walk out with your own 0day already developing in your mind.”  Oh, cool.... but it's still interesting to scroll down and see what “stuff“ is going to be presented.

Oh, and the room service bacon burger at the Bellagio is still the best room service bacon burger that I've eaten in hotel rooms.....

Remind me..

To stick that IE shortcut toolbar on my laptop.  I'm in the Fresno Air Terminal [yes, it's called FAT] for a weekend business trip [but not a geek trip] to Las Vegas so I can't type long as the Plane just arrived.

Note to self, email the wireless access vendor and FYI and tell them they are going to have to add info to their logon page to add their site to the trusted zone in IE on XP sp2 to get the purchase wireless for a day to work.

I don't have the toolbar that I blogged about earlier on this laptop and it's a bit of a bother to add sites to trusted sites without it.  Unfortunately I didn't beta bug that until extremely late in the beta process so I doubt anything like it is going to be native to XPsp2.  In the meantime that old add in works just peachy.

...and hey it's a jet to Phoenix and then Vegas....not a puddle jumper!  ;-)

So "not supported" isn't enough of an argument, 'eh?

So an SBSer asked in the newsgroups tonight for some arguments as to why 98 is more secure than XP as telling the client “it's not supported for certain security patches“ wasn't cutting it anymore with the client.....

Oh stand back folks... here goes the soapbox......

98 isn't secure, wasn't ever secure, won't ever be secure.  Boot that sucker and hit cancel and that box spills it's guts to you without even a whimper.  You can't control them, can't remotely manage, can't do remote web workplace, don't have the rock solid operating system that doesn't BSOD....

Now that said, technically speaking 98's do get patches, only that they only get the critical ones via Windows update, the rest you have to call Microsoft [it's a free call but still a pain]

 1.  When logging on ... hit cancel.  You still can get into that workstation right?  Got any sensitive documents on that machine?

2.  Lanmanhash.  98 based machines require a lower authentication protocol to connect to a network.  This lower authentication leaves behind a "hash" of the passwords on a place on the server.  Take LC4 or John the Ripper program and run in on a network that runs 98's and it can break that hash... less than 7 character password that is a dictionary word gets broken my lc4 faster than I can find the icon on the desktop.

3.  User mode.  XP/2k have three levels of security.  User mode, Power users mode, Local administrator.  98s has one level.  Local admin.  That means that your employees can load on that machine ANYTHING they want.

4.  Going to Windows 2000/XP is considered by my friends who work in the defense contractor industry to be a downgrade.  Why?  Because of 3 above.

5.  Services running as different levels.  Even in windows 2000 versus 2003 you can see the impact of security.. many of the patches released today didn't affect Windows 2003, or there is mitigating factors.

6.  Hold onto your hats because right around the corner and within 90 days in the OEM channel XP sp2 will be released in August. XP sp2 is very solid.  All of the recent attacks affecting IE ... are all fully protected in XP sp2.  It's almost like a new OS, it's that good.

7.  Group policy.  Oh man this is where is really gets good.  You want to control the interior firewall on the XP sp2 machines INSIDE your network, well get ready to.  SBS2003 will be getting an update to our Group policy to adjust so that the firewall is on inside our networks better protecting us.

8.  Group policy.  If you have 98's you have no idea of the power you can from that server.  From locking down the screen saver to controlling what programs are loaded, one of the advantage we SBSers have is we are already on Active Directory.

9.  98's have no security.  That's an oxymoron.  It doesn't exist.

10.  No blue screens of death.  I honestly have never had one, don't know what they look like on XP

11.  System restore, load a driver that would normally BSOD a 98, and you can easily recover on XP

12.  SUS or Shavlik.  You can't do a Patch management program on a 98. You need XP....

How many more do you want?

C S R C - Systems Administration:
http://csrc.nist.gov/itsec/guidance_WinXP.html

See that?  You can't do anything like that on 98s.

So what other reasons do YOU have for getting rid of those 98s?

SBSers get ready to feel the power of group policy just a little bit more..

Charlie Anthe posts today that they are planning to put the SBSized adjustment to the group policy on Windows Update and the plan is to push it out around the release of XP sp2.  Remember of prior blog where we indicated that Xp sp2 should be out in August?  Remember how our SBS boxes currently block the application of the firewall inside the network?  Well they are going to change that and turn it on and will be pushing out a fix to adjust that.

Security bulletins today - only one restart and it's not for SBS 2003!

Of the security bulletins today, only one states for certain that it needs a restart the others are “may not“

The one that needs a restart is SBS 4.5.

Today 13 July 2004, Microsoft is releasing 7 security updates for newly discovered vulnerabilities in Microsoft Windows.

 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Moderate, MS04-018
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-019
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-020
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-021
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Critical, MS04-022
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Critical, MS04-023
 - One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-024

Per Incidents.org web site, they are kicking up the Criticality of 04-024 [the shell patch] because of “public availability of the exploit“

Summaries for these new bulletins may be found at the following page:
 - http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx

Customers are advised to review the information in the bulletins, test
and deploy the updates immediately in their environments, if applicable.

Microsoft will host a webcast tomorrow to address customer questions on
these bulletins. For more information on this webcast please see below:
 - Information about Microsoft's July Security Bulletins
 - Wednesday, July 14, 2004 10:00 AM - Wednesday, July 14, 2004 11:00 AM
(GMT-08:00) Pacific Time (US & Canada)  
 - http://go.microsoft.com/fwlink/?LinkId=30865

 - The on-demand version of the webcast will be available 24 hours after
the live webcast at: 
 - http://go.microsoft.com/fwlink/?LinkId=30865

MS04-018

Title:  Cumulative Security Update for Outlook Express (823353)

Affected Software: 
 - Microsoft Windows NT Workstation 4.0 Service Pack 6a
 - Microsoft Windows NT Server 4.0 Service Pack 6a 
 - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4 
 - Microsoft Windows XP and Microsoft Windows XP Service Pack 1 
 - Microsoft Windows XP 64-Bit Edition Service Pack 1 
 - Microsoft Windows XP 64-Bit Edition Version 2003 
 - Microsoft Windows Server 2003 
 - Microsoft Windows Server 2003 64-Bit Edition 
 - Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me) - Review the FAQ section of
this bulletin for details about these operating systems.

Affected Components: 
 - Microsoft Outlook Express 5.5 Service Pack 2
 - Microsoft Outlook Express 6
 - Microsoft Outlook Express 6 Service Pack 1
 - Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition)
 - Microsoft Outlook Express 6 on Windows Server 2003
 - Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition)

Impact of Vulnerability:  Denial of Service

Maximum Severity Rating:  Moderate

Restart required:  In some cases, this update does not require a
restart. The installer stops the required services, applies the update,
and then restarts the services. However, if the required services cannot
be stopped for any reason or if required files are in use, this update
will require a restart. If this occurs, a message appears that advises
you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx
**********************************************************************

MS04-019

Title:  Vulnerability in Utility Manager Could Allow Code Execution
(842526)

Affected Software: 
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Restart required:  In some cases, this update does not require a
restart. The installer stops the required services, applies the update,
and then restarts the services. However, if the required services cannot
be stopped for any reason or if required files are in use, this update
will require a restart. If this occurs, a message appears that advises
you to restart.

Update can be uninstalled:  Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
**********************************************************************

MS04-020

Title:  Vulnerability in POSIX Could Allow Code Execution (841872)

Affected Software: 
 - Microsoft Windows NT Workstation 4.0 Service Pack 6a
 - Microsoft Windows NT Server 4.0 Service Pack 6a 
 - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack
6
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be
stopped for any reason or if required files are in use, this update will
require a restart. If this occurs, a message appears that advises you to
restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx
**********************************************************************

MS04-021

Title:  Security Update for IIS 4.0 (841373)

Affected Software: 
 - Microsoft Windows NT Workstation 4.0 Service Pack 6a
 - Microsoft Windows NT Server 4.0 Service Pack 6a

Affected Components: 
 - Microsoft Internet Information Server (IIS) 4.0

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Restart required:  Yes

Update can be uninstalled:  Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx
**********************************************************************

MS04-022

Title:  Vulnerability in Task Scheduler Could Allow Code Execution
(841873)

Affected Software: 
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
 - Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 - Microsoft Windows XP 64-Bit Edition Service Pack 1

Affected Components: 
 - Internet Explorer 6 when installed on Windows NT 4.0 SP6a
(Workstation, Server, or Terminal Server Edition)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be
stopped for any reason or if required files are in use, this update will
require a restart. If this occurs, a message appears that advises you to
restart.

Update can be uninstalled:  Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
**********************************************************************

MS04-023

Title:  Vulnerability in HTML Help Could Allow Code Execution (840315)

Affected Software: 
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4 
 - Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 - Microsoft Windows XP 64-Bit Edition Service Pack 1 
 - Microsoft Windows XP 64-Bit Edition Version 2003
 - Microsoft Windows Server 2003
 - Microsoft Windows Server 2003 64-Bit Edition
 - Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
this bulletin for details about these operating systems.

Affected Components: 
 - Internet Explorer 6.0 Service Pack 1 when installed on Windows NT 4.0
SP6a (Workstation, Server, or Terminal Server Edition)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be
stopped for any reason or if required files are in use, this update will
require a restart. If this occurs, a message appears that advises you to
restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx
**********************************************************************

MS04-024

Title:  Vulnerability in Windows Shell Could Allow Remote Code Execution
(839645)

Affected Software: 
 - Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a
 - Microsoft Windows NT Server 4.0 Service Pack 6a
 - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack
6
 - Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a with Active
Desktop
 - Microsoft Windows NT Server 4.0 Service Pack 6a with Active Desktop
 - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack
6 with Active Desktop
 - Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4 
 - Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 - Microsoft Windows XP 64-Bit Edition Service Pack 1
 - Microsoft Windows XP 64-Bit Edition Version 2003
 - Microsoft Windows Server 2003
 - Microsoft Windows Server 2003 64-Bit Edition
 - Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
this bulletin for details about these operating systems.

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating:  Important

Restart required:  In some cases, this update does not require a
restart. The installer stops the required services, applies the update,
and then restarts the services. However, if the required services cannot
be stopped for any reason or if required files are in use, this update
will require a restart. If this occurs, a message appears that advises
you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx
**********************************************************************

PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST
CURRENT INFORMATION ON THESE ALERTS.

The "Messaging Backupe and Restore" case study is online...

The "Messaging Backup and Restore at Microsoft" technical case study is available

Microsoft has released a technical case study of a messaging backup and restore solution that used Microsoft Exchange Server 2003. The Operations and Technology Group (OTG) at Microsoft implemented a two-step backup solution to improve server performance and to support many more mailboxes per server. OTG also implemented the Recovery Storage Group (RSG) feature. The RSG feature minimizes user downtime during a database recovery. The new solution supports server consolidation with high availability and provides flexibility in backup and restore operations.

To view this case study, visit the following Microsoft Web site:

http://www.microsoft.com/technet/itsolutions/msit/operations/msgbrtcs.mspx

Gavin pointed this one out ...interesting case study  .....

If you are on SBS 2000 with ISA 2000 with sp2 and want to do an inplace upgrade...

Download details: ISA Server 2000: Required Updates for Windows Server 2003: 
http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en

So what's a person to do if they need Modem sharing?

Third party solutions!

http://www.pcmicro.com/dialoutserver/

http://www.spartacom.com/

Remember though the reason they took it out is that it's a Security issue to have modem sharing in a server...remember Secure by Design, Secure by Default, Secure by Deployment... yeah the same Security push that took out Terminal Server in application mode on our domain controllers, took out Modem Sharing. 

So just remember .... you are adding a security threat back in.

Assessing Network Security

Well I got a pleasant surprise today to find that Amazon.com shipped the book “Assessing Network Security” by Kevin Lam, David LeBlanc and Ben Smith.

Very nice book on network security, auditing.  One that, while not exactly SBSized, is still a good read.

Amazon.com: Books: Assessing Network Security (Pro-One-Offs):
http://www.amazon.com/exec/obidos/tg/detail/-/0735620334/qid=1089683811/sr=1-1/ref=sr_1_1/002-3699926-3815259?v=glance&s=books

XP sp2 - release in August - WUS - not released this year

Get ready folks, XP sp2 is coming soon.  Mary Jo Foley and the rest of the press indicates that XP sp2 will be coming out in August.  Remember for the SBS 2003 platform, there is currently in place a group policy that shuts off the internal firewall capabilities of the firewall, however this will be adjusted with a SBS group policy tweak to enable it once the xp sp2 has been released.

I've got XP sp2 RC2 on three machines in the office and all are working very nicely.

But this doesn't look to good for us SBSers - per the news report below, the nearly all in one patch platform called Windows Update Service or MUS or WUS or whatever, has been pushed back until next year.  Ouch.  We need this.  We need an all in one patch tool and right now we rely on the kindness of the folks at Shavlik.com to patch everything on our servers including ISA Server.  Even the MBSA tool does not identify the patches needed for our ISA server.  There is no Microsoft tool to scan the patches needed for ISA server that I know of.  And there should be.

Sorry but this just doesn't cut it anymore in my book.  CNN's Money indicated that the analysts are happy with what is going on with Microsoft, citing Steve Ballmer's cost cutting memo as one example, but they called Microsoft the 500 pound elephant.

Well I think the 500 elephant need to strap on Roller Skates.  We need that patching tool and we need ISA server to be able to be patch scanned.

MICROSOFT further delays patching product, service
InfoWorld - San Mateo,CA,USA
... a result of the additional delays, "Microsoft Update," the planned
successor to the current Windows Update service, and Windows Update Services
(WUS), formerly ...

Microsoft Monitor's Joe Wilcox reports from the Partner conference in Toronto

 Once again all the folks that are at WWPC are all having fun and not reporting back ... so in their absence here are some blog posts of interest --

Joe Wilcox talks about the kick off

Sonjay Parthasarathy on Smart Client

Simon Witts on “Enterprise Opportunity”

Kevin Johnston on the theme of “Velocity”

Partner program announcements

Integration strategies with Paul Flessner

XP SP2 and media center changes

Business Solutions Roadmap

Jeff Raikes on Office

I just have one question...

MICROSOFT Tries To Buddy Up To ISVs
Information Week - USA
... To entice its employees to participate in the program, Microsoft is
handing out bobble-head dolls of senior VP Eric Rudder, the executive
in charge of the ...
<http://www.informationweek.com/story/showArticle.jhtml?articleID=22104671>

SBS/Exchange KBs of Interest

Exchange

843363 - List of bugs that are fixed in Exchange Server 2003 Service Pack 1:
http://support.microsoft.com/?kbid=843363
841995 - The Always-up-to-date Notifications feature may not work with mobile devices in Exchange Server 2003 SP1:
http://support.microsoft.com/?kbid=841995
867628 - Monitoring programs report that the Store.exe process consumes additional memory after you install Exchange Server 2003 SP1:
http://support.microsoft.com/?kbid=867628
867626 - New error correcting code is included in Exchange Server 2003 SP1:
http://support.microsoft.com/?kbid=867626

Small Business Server

840685 - An event ID 1000 error message is logged to the application event log when you restart Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=840685
827601 - Cannot send external mail when your smart host server is different from the ISP server where your e-mail is stored in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=827601
838429 - The "My Company's Internal Web Site" link on the default Web site Welcome page does not work when you connect to the site over the Internet in Windows SBS 2003:
http://support.microsoft.com/?kbid=838429
838431 - You receive an error message when you try to join your computer to a Windows Small Business Server 2003 domain:
http://support.microsoft.com/?kbid=838431
842612 - You receive a "403 Forbidden" message when you try to connect to a Web site that is on Small Business Server 2003:
http://support.microsoft.com/?kbid=842612
836413 - You receive an "unexpected error occurred" error message when you try to access resources on a Windows-based network from your Macintosh computer:
http://support.microsoft.com/?kbid=836413
837365 - You cannot expand the public folders list in Exchange System Manager on a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=837365

If I were in charge of the Universe.... part two:

Yesterday I blogged about RSS and Exchange and at the end of the post I talked about how the 16 gig limit on Exchange should be lifted.  Today I'm adding on to my “in charge of the Universe” wish list.....

One stop patch page for SBS.  A Super Windows Update that would let me know of every single patch both Security and non Security [QFEs] needed for my system.  Last October, Steve Ballmer talked about the new version of Software Update Service at the Worldwide Partner Conference and much to my dismay it's still not out yet.  Right now both SUS and MBSA aren't good enough, in my opinion.

But even SUS and MBSA only do security patches.  How does the “average“ SBSer keep aware of the “rest“ of the SBS specific patches?

Yes, I know that SBS has a page that tracks the QFEs, but that's not good enough in my opinion. That page should AT LEAST have RSS feeds on that to let me know when new stuff has come out.  I want RSS feeds of the Knowledge base articles that affect SBS 2003 [and while kbalertz.com does have this... honestly... it's not that good in tracking SBS KBs.  It will include stuff that I don't see how it's SBS related at all].  Yeah it's better than it was, but like the movie “Oliver“, I'm standing here with my empty bowl saying “I want more“.

So I'll ask you... how do you stay up to date on Small Business Server?  Include your resources in the comments!

Oooh... is that the smell of RSS in the air?

Catching up a bit on RSS feeds tonight [remind me to set up that feature in Newsgator that allows you to sync feeds] and KC Lemson points to the Exchange page getting ready for RSS feeds and points to the Community page who points to the new Blog home which also points me to the MSDNWebcast blog page with reminds me that I forgot to blog about that page the other day.  [See how blogs work like a “six degrees of Kevin Bacon” where one blog points you to another and then another and then ....]

Man do I see the change in the air on this.. RSS all over the place...but Microsoft still needs to totally support RSS feeds in Outlook.  Not Outlook Express, but Outlook.  Just buy Newsgator.com will you and be done with it?  Just stick the dang thing inside of Outlook.

If I were ruler of the universe, what would I do?  RSS enable the Web/newsgroups.  Enable Outlook to support RSS.  Have a post back to newsgroups/Web tool from Outlook [like the post to blog or post to nntp that Newsgator has].  And then, to finish off my wish list... I'd remove the 16 gig limitation on the Exchange server.

Think about that... Microsoft hasn't budged the maximum size that Exchange “standard“ [read normal business] platform can support in email since ....forever....16 gigs is just not big enough these days... and especially not these days with regulatory email retention being required in some industries.  Heck, I haven't installed a 20 gig harddrive in probably 3 years.  My workstations get 80 gig drives as “normal“ drives these days.

Exchange folks up in Redmond?  Get rid of that limit.  It's soooooo 90's.  It's not up to today's realistic needs for email.

Worldwide Partner Conference in Toronto...

Starting Sunday some of my pals will be in Toronto for the Worldwide Partner Conference. 

If your are in the neighborhood look for some SBS MVPs who will probably be at these events.....if you see anyone wearing a SBS MVP polo shirt... tell them Susan told you to say “Hi!“

AN7
Optimizing Small Business Opportunities with Windows Small Business Server 2003
Windows Small Business Server 2003 (SBS 2003) is one of Microsoft’s fastest growing products. Attend this session to learn about new product benefits integrated into SBS 2003 and the product roadmap for 2004. Walk away from this session equipped with an understanding of how to build a profitable services business around SBS 2003 in the small business market. Learn how the SBS first server deployments and NT4 upgrades provide platform for value-added services such as Sharepoint, Exchange, mobile access, remote support and more.

SE8
Anatomy of a Network Hack: How to Get Your Network Hacked in 10 Easy Steps
Do you think all hackers use the same techniques to break into your network? Do you think they all guess your passwords? Do you think that an unpatched vulnerability is the only way to compromise your domain controllers? In this session, learn about the 10 (actually 14) things that very successful hackers will do to compromise your network. Learn how hackers use these techniques, and how to prevent them. The techniques may surprise you, but your network health will improve greatly once you understand them.

Security Business and Technology Unit Update with Mike Nash
At our partner’s request, Mike Nash, Microsoft Corporate VP of the SBTU, will take time to update partners on Microsoft's security vision and learnings since the 2003 Worldwide Partner Conference.

Things I notice about Beancounters versus Geeks....

Went to Continuing Education class today and the class was excellent.  It was a CPE course on auditing and I threw out some comments about fraud and Benford's Analysis which is a process whereby you can do data analysis on a series of numbers and you can spot fraud by numbers that fall “outside” the patterns.  Gosh, we beancounters need to work smarter and not harder and we soooo do not use technology like we should. Like how about automatic Benford law tests in accounting applications that would alert you to possible fraudulent activities?

Anyway, I noticed something interesting at lunch.  Get a bunch of geeks together at lunch and gosh we practically can't shut up about the latest technology, geek toy, technology issue, bottom line geeks talk shop.  Get a bunch of beancounters together at lunch and the topics were... Baseball.  Pacbell Park.  San Diego.  We didn't “talk shop” at all.

Just kinda an interesting observation......

Microsoft isn't focused on Security.

"We must also work to change a number of customer perceptions, including the views that older versions of Office and Windows are good enough, and that Microsoft is not sufficiently focused on security," Ballmer wrote in a wide-ranging memo to employees, a missive that has become something of an annual tradition as Microsoft starts its new fiscal year.

Today in my blog comments Allen is complaining about how we can't do Terminal Server in application mode on our Domain Controllers wrote “ If anyone is using microsoft products they are not concerned about security anyway.“ 

Oh, Allen.  Look at the changes that have been made in Windows 2003, in XP sp2.  Look at what we can do with EXISTING settings to harden a server or workstation.  Check out the guidance at www.cisecurity.org.  We have all the ways to secure ourselves now and we don't do it.  I love to use the movie “A Few Good Men” with Tom Cruise and Jack Nicholson as an analogy.  Imagine Jack growling to Tom “You can't handle security!”.  Well we can't handle security.

Stop blaming our issues on Microsoft when WE have the power already to be secure.  No operating system in the world as long as they allow human interaction with it will be secure. 

We're living in the “hood” in the Internet and we're not taking the necessary steps that we would do in real life. 

Office 2003 has been wonderful for saving files when I've accidentally blasted off the program.  It's been wonderful for saving backups for me.  The redesigned Outlook is easier to track projects.  And yet folks still say “I can't see any compelling reason to upgrade”. 

I think we aren't looking hard enough.  Granted, Microsoft needs to do a better job of telling me [besides the stupid Great Moments in Office ads], but there are many advantages I have on the versions that I didn't have before. 

And better security is just one of the advantages. 

..if you haven't checked out the Secunia.com web site..

The Secunia.com web site is an excellent resource for Vulnerability and patch information by product.  Nice search engine, nice graphics, cool information.  There's still a need for a place, a product that will patch EVERYTHING on the Small Business Server box.

Windows Update does not patch everything on the server.

SUS does not patch everything on the server.

Shavlik's HFnetchkPro only covers security related patches.

This site lists the SBS specific patches.

But there isn't one page, one site that I can send people to for ALL the patches they might need for a SBS box.

It still needs to be easier to maintain a SBS box out here.

Front Page Extensions on SBS?

Knowledge base articles of interest

SBS

838429 - The "My Company's Internal Web Site" link on the default Web site Welcome page does not work when you connect to the site over the Internet in Windows SBS 2003:
http://support.microsoft.com/?kbid=838429
838431 - You receive an error message when you try to join your computer to a Windows Small Business Server 2003 domain:
http://support.microsoft.com/?kbid=838431
842612 - You receive a "403 Forbidden" message when you try to connect to a Web site that is on Small Business Server 2003:
http://support.microsoft.com/?kbid=842612

XP
840654 - Your VPN connection is disconnected after several minutes in Windows XP:
http://support.microsoft.com/?kbid=840654

Hey do you know about all the options for support?

In the Small Business Server world.. let's face it.... we're cheap.  Okay I'll admit it.  Even though I've gotten the credit card out myself and paid for the $245 PSS support call, the first time I did it, it was like $245?  For a phone call?  But trust me... it's not just a phone call.

First off, there's a living breathing human being on the other end of that call.  You call into PSS and say that you are a SBSer and you'll get routed to what I affectionately refer to as “Mothership Charlotte and Los Colinas”.  I've been amazed sometimes when I call in at 5 or 6 p.m Pacific time that I'll get someone in Charlotte, North Carolina on the phone on the late shift [to their 1 a.m].  With that phone call I'll get someone who practically lives and breathes SBS, who has several VMware SBS machines at their desktops, and think about it.... while other support folks only worry about one platform, just like you, they are supporting practically the entire “fleet” of server products. 

They will then have the ability to remote into your system either using a Terminal Server [remote desktop] connection or Placeware sharing desktop connection.... or as I call it “You want to drive?” method. 

When I say they “look out for us“, they truly do.  I still remember the story of one Microsoft Engineer who was the Supervisor on deck when all of a sudden about 4 phone calls came in with SBS 4.5 boxes having issues.  As he was helping the Engineers on the phones diagnose the problems [RRAS not firing up], he noticed all of the boxes had recently done one thing, patched with Security bulletin 03-029.  That patch was causing the issue.  And because all the calls came into the one location, he was quickly able to see the pattern, diagnose the problem and kick it up the ladder for resolution.

That brings up another topic... those calls... would be free calls.  Why?  Because the issue was caused by a security patch.  Remember, calls for hotfixes are free [rattle off the KB number, free call], calls with issues caused by security patch or viruses, free.  Don't forget that.

Our next line of support options is to do a $99 email method.  Go online, put in your credit card and type up your question and get a support representative to send you a very detailed email back.  Be very detailed in your original email for the best results.

Last and certainly not least, you also have the newsgroups.  The Small Business Server Newsgroup is the “first line“ if you will.  Sign in and register as a SBS owner and you'll probably get a response from a MS Engineer within 48 to 72 hours.  You'll probably, however, get an answer long before then from a SBS community member.  The “BTDT“ crowd... “been there, done that“ folks.

Well I guess I should really say, very last and very not least is “Google groups” and “Google”.  Put in the EXACT error that you are getting and search in both google and google groups and you would be amazed and the number of resolutions you can find. 

So I hope this has helped to let you know about all the options you have for help and support.....

So we should stop using Internet Explorer, right?

The news is buzzing out the US-CERT/Department of Homeland Security said to stop using Internet Explorer. 

Hello?  It's like the last option at the bottom of the recommended page....

http://www.kb.cert.org/vuls/id/713878

The rest of the suggestions, like run with IE in High Security, ensure A/V is up to date is way more reasonable than trying to get Firefox on a bunch of users used to Internet Explorer [not to mention business web sites that want IE].

Also, does everyone realize that there's a TON of browsers out there that are just as “loosey goosey“ as IE is?

The Secunia web site at http://secunia.com/advisories/11978/ lists the following as vulnerable....

Software:	Internet Explorer 5.x for Mac Konqueror 3.x Mozilla 0.x Mozilla 1.0 Mozilla 1.1 Mozilla 1.2 Mozilla 1.3 Mozilla 1.4 Mozilla 1.5 Mozilla 1.6 Mozilla Firefox 0.x Netscape 6.x Netscape 7.x Opera 5.x Opera 6.x Opera 7.x Safari 1.x

Is there any web browser left?  [actually there's like 3 that aren't on this list]....but the point is we let our web browsers do WAY WAY WAY too much.

Lock down these desktops people, run as User like Aaron Margosis is preaching folks.  Amen brother.  We have GOT to take back the rights and not let these programs do stuff.  I started a web site a bit back to help others whack the registry of their Windows machines when programs refuse to run correctly in User mode.  If you have any suggestions to the “hall of fame”, feel free to forward them over.

My web site is located at http://www.threatcode.com

And yes, right now, Internet Explorer IS listed on that site.  Guess I should put those other browsers too, 'eh?  ;-)

Newbie Question number one - how do I buy licenses for SBS?

A question that comes up in the newsgroup is how do you buy licenses for the Small Business Server 2003?

Well first off, understand that the Server package itself, either 4 cdroms if SBS 2003 Standard or six cdroms if Premium [includes the ISA/SQL disk and Front page] includes 5 client licenses already in the system.  Then you need to add additional licenses either user or device CALs as they are called.  User licenses are for firms like mine where I have less users than I have computers because I have a laptop, a Pocket PC AND a desktop.  Device licenses are for firms that are shift work based that have less devices/computers than users. 

The original  base 5 are either depending user or devices [don't ask.. just consider them one or the other it doesn't matter even though when I bought Software assurance I had to specify what the base was...long story... way too complicated to get into here].  Then I bought CALs which license me for EVERYTHING on the box, Outlook, Exchange, the server, ISA and SQL.

Front page you are only allowed to install on one location. 

So just remember, don't worry about Server CALs, Exchange CALs, etc, just get SBS CALs and you can't go wrong.

You might get a bit frustrated buying software assurance but that's another post for another day.....

For anyone else who uses the Shavlik HFnetchkPro product to scan their machines....

Instructions for scanning and deploying the recently announced ADODB.stream patch 877069 

Microsoft has released a critical update to protect systems against a recent Internet 
threat. Adodb.stream provides a method for reading and writing files on a hard 
drive. This by-design functionality is sometimes used by web applications. However, 
when combined with known security vulnerabilities in Microsoft Internet Explorer, 
it could allow an internet web site to execute script from the Local Machine Zone 
(LMZ). This occurs because the ADODB.Stream object allows access to the hard drive 
when hosted within Internet Explorer.

Because this patch was not released as part of a security bulletin, this patch is 
not included as part of the default Shavlik HFNetChkPro assessment XML file. 
However, Shavlik has created an optional XML file that will specifically scan for 
and deploy this patch. To enable support for this patch download 
https://xml.shavlik.com/optional.zip and expand this package to a well-known 
location on your Shavlik HFNetChkPro console. Next, create a scan template that 
points to the enclosed optional.xml file. Scans performed with this template will 
provide assessment results and deployment capabilities for this specific issue. 
Please note: you must be running Shavlik HFNetChkPro version 4.3 or later to use 
this optional XML file. 

For more information on this patch, including known issues and caveats, please 
see Microsoft Knowledge Base article 870669.
- The Shavlik XML Team

Fix for Exchange 2003 SP1 issues - SBS's download 'em

ADO kill bit for Internet Explorer posted on Windows Update.....

If you are curious about what this configuration change might be, it is a
registry entry that sets the killbit on the ADODB.Stream ActiveX object. There
is a Knowledge Base article detailing how to manually implement this change and
there is a Critical Update available for download that accomplishes the same.

How to disable the ADODB.Stream object from Internet Explorer
http://support.microsoft.com/?kbid=870669

Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
object from Internet Explorer (KB870669)
http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en

What You Should Know About Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx



Regards

How to Cheat at what?

So Wayne spotted a new book coming out in September.  “How to Cheat at Managing Small Business Server 2003”

It's billed as

If running a Windows Small Business Server 2003 network is just one of your many job responsibilities, this book is for you. It applies the tried and true "80/20" rule to this incredibly complex operating system, providing you with exactly the information you need to install, configure, and troubleshoot the W2K3 features most likely to ruin your day (such as setting user permissions, restoring lost data, and sharing hardware) without having to wade through material you don't need.

Guess I'm weird.. I'd rather NOT lose the data in the first place ;-)  but catchy title anyway.....

Are we? Or Aren't we? I think we are!

Javier pointed out that we apparently are now “legal” for getting Entourage with our SBS 2003.

 http://www.microsoft.com/windowsserver2003/sbs/howtobuy/pricing.mspx

"Microsoft Entourage 2004 for Mac is not shipped with Windows Small Business
Server, however, you can obtain a copy at no cost (handling and shipping
charges will apply). Volume license program members (for example, the Open
NL license) can order by calling (800) 248-0655. Retail customers can order
by calling (800) 360-7561."

Eriq has the full details about Entourage on his web site

Death of the DMZ?

J. Wright has an interesting blog post that I'm reading from the TechEdBloggers site.  It's about ISA 2004 and how the death of the DMZ in ISA 2004 ~

“Death of the DMZ is a debate evangelised by Steve Riley which basically implies that firewalls as we know them today will not be part of the security solution of the future. The concept is that we should let networks do what they are good at, shift data from point ‘a’ to point ‘b’, security cant be controlled by a single appliance with a single method. Platforms and application are being designed and built today to exists in a ‘hostile environment’ each node is therefore secure or secure enough. The analogy is streets, our roads are public, people can walk down the streets where we live however each house is responsible for its own security, places of high value have better security the standard house has standard security. Note Microsoft.com is not behind a firewall! Because no firewall exists that is capable. I cant do this subject justice but imagine this, if all your nodes on your network are secure, can authenticate to each other, by domain membership are patched have anti virus and have a good group policy deployed etc etc, do you need a corporate network? What is wrong with the biggest most resilient network in the world (the internet).  The corporate network boundaries are becoming grey WiFi, VPN’s, extranets etc, the internal network is no longer trusted, so how are firewalls really helping?“

Well it's certainly in line with my rants of late that my security issues are not the fact that I have my firewall on my domain controller, it's the fact that I DON'T have good group policy deployed that is my security weakness.

Bill sends out an email.....

If you didn't get your copy - here's the link to the annual review of Microsoft's spam actions -

Executive E-Mail: Preserving and Enhancing the Benefits of Email — A Progress Report:
http://www.microsoft.com/mscorp/execmail/2004/06-28antispam.asp

“According to some surveys, email traffic now consists of nearly four spam messages for every legitimate one“

Windows XP Security guidance from NIST

NIST has completed the draft NIST Special Publication 800-68, Guidance for
Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security
Configuration Checklist.  NIST Special Publication 800-68 has been created to
assist IT professionals, in particularly Windows XP system administrators and
information security personnel, in effectively securing Windows XP systems. It
discusses Windows XP and various application security settings in technical
detail. The guide provides insight into the threats and security controls that
are relevant for various operational environments, such as for a large
enterprise or a home office. It describes the need to document, implement, and
test security controls, as well as to monitor and maintain systems on an ongoing
basis. It presents an overview of the security components offered by Windows XP
and provides guidance on installing, backing up, and patching Windows XP
systems. It discusses security policy configuration, provides an overview of the
settings in the accompanying NIST security templates, and discusses how to apply
additional security settings that are not included in the NIST security
templates. It demonstrates securing popular office productivity applications,
Web browsers, e-mail clients, personal firewalls, antivirus software, and
spyware detection and removal utilities on Windows XP systems to provide
protection against viruses, worms, Trojan horses, and other types of malicious
code.  NIST requests comments by August 3, 2004.  Comments should be addressed
to itsec@nist.gov.

<http://csrc.nist.gov/itsec/guidance_WinXP.html>