E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

Ray... you were doing so good until that last part....

If you are setting up a network of up to 75 users, one of the more
economical choices available is Windows Small Business Server (SBS)
2003.  The price of the operating system (say for 10 users) is around
$1,800.  While that does not sound significantly less than the
"full-blown" Windows Server 2003, the cost is significantly less if you
consider everything that ships with SBS at no additional cost.  The
basic version of SBS includes SharePoint, Exchange Server and Outlook,
while the Premium version includes SQL Server and ISA Server.  In
addition to this, if you purchase a good backup software solution like
Veritas Backup Exec, the Small Business Version of the backup software
includes an agent for Exchange Server and ends up costing you (if you
use Exchange Server) less than 1/2 the cost of Backup Exec for Windows
2003 Server since the Exchange Server license must be purchased
separately for that version and costs more than the basic backup
software itself.

In addition to cost, SBS is almost entirely installed via wizards and
this simplifies the installation process and prevents a lot of the
configuration errors that often occur during an integrated Windows
Server installation.  The various parts of the puzzle are far more
easily installed in SBS than in Windows Server.  Chances are, once the
installation is finished, all the parts will "talk well" to one another
and the conflicts should be relatively few and easy to resolve.
 

That's the good news.

The bad news is that SBS expects to be the SOLE master of your network.
The documentation explains that your SBS server must be the Domain
Controller and must be installed at the "root of the forest".  So, if
you decide a few years down the road (for whatever reason) that you wish
to transfer a part of you network load to another server, SBS is REALLY
reluctant to share the sandbox with another server.  In theory, of
course, anything is possible.  The reality is that the very simplicity
of your original install created a pretty "closed" system and migration
of DNS and Active Directory and other issues which is relatively simple
between two Windows Servers becomes a bit of a nightmare when one of the
servers is a SBS.

This is not necessarily a reason for avoiding Small Business Server.
If, however, you decide to expand your network down the road, you might
be looking at scrapping your investment in your Small Business Server.

Ray

'

So Les Connor was sharing with me this email from a Canadian listserve...and the first part of the post ...man it is warming my heart...but then we get to that "bad news" part.

Man oh man... how wrong can Ray be.

Ray... I have not ONE but two servers in my network and I have some file storage and live communication server on the second one.  And in fact in the R2 era we will be able to easily and cheaply add a Windows Server, an Exchange server or a SQL 2005 workgroup for the price of that server OS.. with no cal cost.  THEN comes the kicker.. Ray, Ray, Ray...once a SBS box hits that 75 user limit or whatever thing that you need to be big server land for ...like trusts and what not... you just go through the Transition pack.  You don't scrap anything.  You keep your investment.

The only thing unique about SBS is that it must hold all the FSMO roles and be the primary domain controller...that doesn't mean that it can't share the wealth and have addiitonal servers.  No you can't put Exchange on another box, or the parts that come with SBS but that doesn't mean you can't add additional servers. And honestly... get good hardware and I don't need additional servers. 

And for those folks that argue "well but you have all your eggs in one basket in SBS" to that I argue... yeah but it's one well looked after and monitored basket.  And honestly I find this ironic when everyone else in big server land are doing virtualization ...that they are sticking like 10 servers on one physical machine and folks think what we do in SBSland is crazy.

How can it be..how many years after SBS 2003 shipped that folks can get it so wrong?  What marketing information are they reading?  Where are they getting this stuff?  Why is the message not getting to the marketplace? 

It just amazes me how people get SBS so wrong. 

So let's recap class..... additional domain controllers.. CAN DO... additional servers... CAN DO.... grow into big server land parts if needed... CAN DO..... Remote Web workplace that NO ONE ELSE HAS..... HAVE THAT.

Come on marketing.... get that message out there of what SBS is...because people out here are not getting the message of what SBS truly and really is.. it does not limit me or my firm AT ALL.

Sometimes I feel like Nicole Kidman...

There are times when it comes to Software Assurance I feel like Nicole Kidman... no.. seriously... I'm Nicole... and Microsoft is Tom Cruise over there... got a new girlfriend/future wife... new baby ...and where does that leave me?  I'm the original one who believed in Software Assurance...bought into it... got the Koolaid from the initial day, got the two year, and then the three year... and now it looks like my SA reward for my three year period...the "upgrade" I'll get is the SBS 2003 R2 upgrade.  I mean yeah I'm a patchaholic and all that.... and the green check in the daily email is very cool....but ..uh... um....kinda a Nicole moment here 'eh?

 "SA is a hard sell"

It is isn't it?

True statement by a Var/Vap about Software assurance...that he had a hard time selling it...

In my industry I'm used to subscription models, but it's a guarantee that every year or month or quarter I'll get a new update (law changes and what not), as there were changes needed for that ..but not necessarily function changes.  And support under this model was built in.  But for other industries... where the upgrade story isn't as obvious, it's a tough sell...

But what if you are the "Katie" in this view of looking at Software Assurance... you know that if you buy OEM right now you get the R2 Technology upgrade program that guarantees you the green check.  You know that if you buy OEM you are stuck with that software on that box, it CANNOT be moved to new hardware....but ... you know if you buy software assurance to add to that OEM within 90 days you "can" move that operating system off that box and get the 64 bit SBS upgrades in the next Longhorn cycle..which... looks somewhat reasonable to hit within the three year period.... and if you do go three years you get the one support call, the media sent to you (which, I'll admit, as the "Nicole" here.. is nice to have as I don't have to go digging up the media it comes to me). And there are even some monthly installment payment plans you can do these days.  So from looking at Software assurance as a "Katie", it's something that looks reasonable.. ensures you WILL get on that 64 bit SBS platform.  And all my AD guru guys says that AD and Exchange just has to go on the 64 bit to get that good stuff.  32 bit was a total drag on our boxes... on all boxes.

But there's another thing the "Katie's" have... one of the var/vaps the other day said that they actually were better able to sell a solution the other day with the "managed service"/Software assurance.  The client really LIKED the proactive stance that the consultant gave because the SA gave them planned 'forward thinking'. This was a firm that "got IT" and knew it was a part of their strategic overall plans.  As a "Katie" they totally got Software assurance was part of their strategic overall plans and goals for that firm.  Interesting viewpoint isn't it.... especially as folks are moving to the "managed services" viewpoint.  "Katie" wanted software assurance because she was mapping out her technology future and wanted to ensure that it included an investment in technology.

The fact is for me, the "Nicole" here is that I did get a good SA deal in the SBS 2000 era.. I got Live Communication Server (which I still argue they need to code up a SBS lite version of LCS, but I digress), so my disappointment of being "Nicole" in the R2 era is tempered with my gains in the past. 

For those of you that have clients that are "Katie's", think about the forward looking view... that 64 bit coming down the road.... those that have managed services clients... something to think about isn't it ...to position that Software Assurance as an "investment"

But Microsoft... just make sure that in the future both the "Katie" and us "Nicole's" feel like we're treated well... you know what I mean?

So what about you?  You find that it's easy to sell software assurance... or it's a hard sell?

The body count

All returns out the door....

Many more returns efiled this year than last.....

One band-aided workstation that died on Friday....

One workstation that has a non functional mouse (ever try to drive a Windows workstation these days with no mouse?  It's not pretty... not sure what's up with that one.... the mouse just died or something)

Quite a few times where we needed to get tax information to a client who had no access to a fax machine.  So we took our copiers/scanner/printer and scanned in the tax info, went into Adobe Acrobat, secured/encrypted it, sent it via email, ensuring that we verbally gave the password to the client.

Earlier this year I was on a online committee that wanted to set baseline minimum standards for protecting data and one of the points that someone made was that a workstation that had identity information on it shouldnt' be attached to the Internet for surfing.  But look at all the ways that I needed the Internet today....

I needed the Internet to efile tax returns....

I needed the Internet to efile extensions....

I needed the Internet to email information... to receive information.....

I needed the Internet to research information.....

I needed the Internet to make online payments at www.offiicalpayments.com to pay tax due via credit card for clients.

We're a connected world.... so how do you help your clients stay connected? 

And by the way..just a heads up folks... maybe not tomorrow.. but the day after that... go call that CPA or that Accountant in the USA still running those 98 Peer to Peer networks and tell them to sign up for the www.microsoft.com/accountant program where he can sign up for the Action Pack.  There's no excuse for a CPA to be still on Windows 98.  There's no line of business application that you SHOULD still be on that can only run on 98.  I haven't met a DOS program yet that couldn't run on 98 ...but then again... I don't WANT to meet DOS programs anymore.  They have better alteratives.... change is good and we in the accounting industry need to realize that a DOS accounting application probably means that it was written with lousy security build in.

A Windows 98  machine in your network lowers the secure-ability of your entire network, forcing you to make adjustments to your network to get those 98s' to work.

June 30, 98, 98SEs and MEs are no longer going to get security updates.

After that date..they'll be your body counts...

OEM good versus OEM bad

There are times it's funny to look at the sales channels of Microsoft.  It's like they are competing with one another... on one hand you have (and rightfully so) Eric "Mr. Licensing" Ligman giving us the details of how limiting OEM is to our clients... the fact that the server OS is tied to the hardware, that if something happens to that system, or you want to move it to a new box, you are totally stuck and need to rebuy the software.  So it would seem that on one hand it would be wise to stay away from OEM when it comes to servers right?

OEM is bad.  Right?

Well ... not so fast... because over here in this corner is the Technology upgrade program that if you currently buy SBS 2003 SP from March 31 2006 forward, and you buy it from an OEM or System builder you will get the R2 upgrade.  Okay so now.. we WANT to drive people to buy the OEM version because it would mean that they'd automagically get R2 when it releases.

OEM is good.  Right?

Not so fast...with OEM we're also out of luck trying to get slipstream media for that system, and trying to even get a copy of Entourage is like searching for the Holy Grail.

Okay.. so lets say we buy retail ... which is better than OEM in that it can be moved from one hardware to another and thus is more flexible for that small business.  Do they get the ability to get the upgrade to R2 if they buy right now? 

Absolutely if within 90 days they add software assurance to their purchase!

Hang on class.. does anyone else see the problem here?  So the only way that someone going to Office Depot let's say and buying a copy of Small Business Server 2003 right now will be able to get the R2 technology upgrade is that if they pay 'more' money via software assurance?

But wait.. doesn't Microsoft also indicate that most small businesses 'don't' buy software assurance?  (Unless they are insane folks like I am, that is).

So if on one hand, we've been taught by Microsoft in our Partner channel that OEM is less flexible and forgiving for our clients so don't buy it, but on the other hand, at least until SBS 2003 R2 comes out anyway, I'd say to this beancounter, it looks like OEM "is" more flexible.  Granted you are still stuck with the lousy fact that if the server dies, so dies the software, but faced between the fact that you get a free OS going via OEM channels... and faced with rebuying the operating systems via the retail or Open License way.... it's rock and a hard place time for someone deciding the best way to license an operating system for their client.

...but then .. if most of the sales are going through the OEM channels... Microsoft answer this to me.. why is your documentation for these OEM machines lightweight?  Why is it that on the Dell support web site that SBS 2003 doesn't even have it's own support forum?  That all the SBS 2003 issues are mangled in with the Windows 2003 Server ones?  If the bulk of your sales is that OEM channel, why is it that for example Gateway OEM server folks that accidentially lose their software are stuck rebuying it if they don't order it in 90 days? 

So if OEM is such an important marketplace why not treat them better in more ways than just this upgrade program?  The number of times a SBS owner comes in and doesn't know what Remote Web Workplace is..well it's just insane.  And here it is the best thing about SBS 2003 (other than the daily email)

But what's a partner to do?  Buy an OEM operating system, tying that customer to that hardware so that if the hardware dies, there goes the server?  Unless of course you can somehow convince the customer to SA that server within 90 days to 'free up' the OS to be moved to another server.  Or right now buy retail or open value and attempt to talk them into a Software Assurance package?

...so what are you doing with your SBS sales right now?  Holding off?  Buying OEM for your client?  Even considered this right now?   

Man you could tell this was a Friday...

"Ntoskrnl.exe is missing or corrupt"

Ugh...

That's how my morning started and it went down hill from there...but it's partially my fault.  I'm not doing what I should be doing for my firm to monitor the event logs on the workstations as much as I do on my server.  I bet if I had gotten around to installing the monitoring software I'm thinking of installing I would have spotted that workstations harddrive starting to fail on me.  Instead I was faced with trying to take an extra workstation and make it "good enough" for a temporary workstation...and boy..when you are spoiled with two matching 19inch monitors...going back to one... is not easy.  So I tried first to just extract over ntoskrnl...but no go... so finally I had to practically lay down a new OS.  And THANK GOODNESS I have some rightful access to true XP sp2 real media, because otherwise I would not be able to try all these 'repair install techniques that I was attempting to do.

Man that is still the one thing in the OEM marketplace..and sorry folks...us here in small biz is just not going to see the value in buying Open Value or Software assurance for Desktops unless they are as wacko as I am and plan on using that bitlocker/drive encryption software that you can only get with the SA Vista (assuming that the Vista ships one of these years).

Take the time to think about the ..even minor disaster plan you have for your office...what's the Dell Tag code on that system so you don't have to crawl on the floor with the dustbunnies to tickle your nose...bottom line I cost my firm time... money... we didn't have today...because I wasn't pro-active 'enough' with my network.  I was still "break/fix" and this time, today ..that break/fix mentality of the workstations meant that I was doing something that shouldn't have been done in a manner in which I was doing it, without planning, without thought.  And all because I hadn't gotten around to including my workstations health in that pro-active stance I have in my network.

Come next week... guess what's first on my personal to-do list.

Yup.. get way more aware of what my workstations are doing so I can spot the 'coming storm' and deal with in on my timetable..not on a Friday when I didn't really have time for this today....

My firm cannot afford me to be in a break/fix mentality.  They need me to be proactive and one step ahead of the game. 

I wasn't today....

I plan... I hope.. to be next time....

..and yes, there will be a next time... I'm planning for it..and not just waiting for it to happen...

7 minutes and 42 seconds....

7 minutes and 42 seconds....

That's the exact time it took me to finally get through the maze of the voice mail system at the California Department of Insurance today just so I could be placed in a phone queue and hear annoying music....

14 minutes and 22 seconds later....

That's the exact time it took listening to the music to finally get to a human being to answer my question....

30 seconds later.....

That's the exact time it took to ask my question and get the answer I needed.....

http://gethuman.com/us/ Unfortunately the California Department of Insurance isn't on that listing...

There are times that voice mail systems are very effective...and there are times that they are just downright annoying.

We're losing the war

It's obviously big business.

Someone clicks.

The have a reason to do it.

...to do THIS... and as Donna points out it's getting worse and worse all the time.

But we have to do something out this...because it's they are truly winning the war...

When do you flatten a box, revisited

When a SBS box is set up by someone... well.. who hasn't a clue... is it better to keep that box and fight with whatever strange and weirdness the prior consultant did?  Or is it better to consider it almost like an "intrusion" event, where you nuke and pave and start over.

The other day when I blogged about how you should not flatten at the drop of a hat, the post was made with the assumption that you had history with that box.  You'd set it up.  It was under your wing.  The box I was working with the other day was obviously redeemable.

But what if you come into a disaster of a SBS network where not only did they not read any book or manual, but you can't even tell what the heck they did?

Do you nuke and pave everything? Keep the AD structure if it's reasonable?

Totally start over?  Jeff Middleton has some of these concepts in his www.sbsmigration.com kit .. especially the domain audit guide.

Personally I think we need to get a better diagnostic tool for when you come into a bad setup so you can figure out sooner versus later to cut your losses... but then again.. sometimes.. it's pretty obvious isn't it?

Flattening a box

If you are considering flatting a server and restarting because things "just aren't right" and you think that reinstalling will magically fix things.... guess again.  There's only two times you need to flatten a server and start over

1. If you've installed the box and that initial install doesn't go right (we say install it three times anyway)
2. If you've been stupid with that server, haven't protected it and gotten it nailed with a rootkit or something nasty

Then and only then should you flatten... otherwise just because someone else couldn't get a server working...and you think flattening and tearing out the active directory and Exchange in a network is somehow less disruptive than calling Customer Support and having an engineer look over that system, guess again.  Even when a system is seemingly a "sick server", it's better to get to the underlying issue causing the "sickness" than to reinstall the server, install everything back again, and possibly get yourself right back into the same position.

Just like in health care, get the proper diagnoses...and that means going to the "SBS Doctors" for your patient.  For those that are installing SBS boxes for customers, sign up at www.microsoft.com/partner for your access to support.

Dear Mr. Vendor:

When you install software on my system, please keep in mind that I just might decide your software doesn't work and thus may want to uninstall it.

Thus.. I should not have to load up regedit to dig into my servers innards and rip out one line item at a time... just to get out your software out so that we can get a server back in good working order.

If you are smart enough to install on my system.. I shouldn't have to go to through the registry to get you back out...

(Tonight's rant was brought to you by Panda Antivirus, we now return you to your regularly scheduled blog)

If the vendor supports Windows 2003 ..but not SBS...

If you come to a web site and the vendor states specifically that they do not support SBS 2003 ...but they do support Windows 2003.... don't just accept that these days.  Especially if the application just plugs into active directory, there is (should not be) any technical reason why the application cannot be installed and supported on SBS 2003.

What normally happens is that the vendor doesn't take the time to test it SBS as a platform and then hears conflicting information from customers that have attempted it.  What you need to do is to dig up an email address on their web site and email them.  In today's marketplace they just might want to take a second look at that statement and do their due diligence in the matter.

... oh and feel free to cc me at sbradcpa-at-pacbell.net when you write a vendor who says they don't support SBS.... I just LOVE those kind of emails....

The Partner problem

Karl was at SMBnation Amsterdam and posted some comments into the smallbizit yahoogroup and one of the posts was this:

 Q: How do you deal with a botched install by a lousy partner?
-- The conferee is only one year in the business and has come across a totally messed up install by a gold certified partner. How do you deal with the client?
-- Marina told the story of her first such incident. Major point: If you look at the logs, you can see EVERYTHING that was done.
-- Jeff: This is a common occurrence. Asked to see who had experienced this. Nearly 100%. Recommends having another technician (from your user group) go into the client and verify your conclusion.

And it saddens me that how many years later we still have "certified partners" that haven't a clue about SBS installs and SCREW THEM UP.

Shame on you.. I know that those of you reading this aren't in this category...but I truly want to go to each and everyone one of these partners that end up HURTING small businesses because they don't take the time to get the information they need.

These days these partners have NO excuse not to read, learn, listen.

I know I'm not yelling at the right people .. but shame on you Mr. Partner for not doing your job.  Small Businesses deserve at least a good job and not a screw up.

Issues that are not normal

Too many times in the newsgroup I see a poster come in and say "Our SBS has been crashing regularly since we set it up...."

Uh.. folks...that's not normal.  SBS doesn't crash....and allocated memory alerts.. while an annoyance.... shouldn't be the cause for such crashes, freeze ups, etc.

Typically I'd say that the issue is one of hardware not software.... and folks.. it's something that you shouldn't just live with, it needs to be investigated and dealt with.  Start with testing memory... and then watch those hardrives.. call PSS(*) for some perf mon help... but get to the bottom of it....

...because it's not normal at all...

(*)  PSS or CSS as it's called now is Product Support Services/Customer Support Services... phone numbers for it are here...

Little things that annoy....

• Email messages from vendors that have brief subject lines and CRM:00490444 in them.... I mean does EVERYONE have to use CRM software these days?  Is everyone tracking everything?
• Knowledge base articles that appear to be exactly on point but aren't on the web site when you click on the link to them "The KB article you requested does not appear...."  ...well it appeared at some point in time otherwise how could there be a title?
• Certain help web sites that because you google and click on them STILL launch a popup window from a vendor even with XP sp2 popup blocker, google toolbar AND Windows Live toolbar
• I still say the Small Business Specialist logo looks crooked....
• News Reporters that go overboard ....."hijacking hundreds of thousands of PCs before Microsoft made a patch...."... more like hundreds of thousands of security experts that went overboard.....
• My Pentel mechanical pencils (yes there are times I still use pencils) who's tips get bent from being in my purse so the lead gets stuck....
• Folks who think SBS shouldn't be set up using the wizards......
• People who've had SBS for a while and don't know about Remote Web Workplace......
• People who knee jerk think that VPN is automagically more secure.....
• Technology wars, including but not limited to..... one nic versus two, ISA versus (fill in the blank hardware firewall), .local versus .com, Windows versus Mac/and/or Linux, Big server mentality versus Small server agility

Okay that's enough annoyances for tonight.... what little things annoy you?

..and thank you Vlad... I needed that  

-------- Original Message --------

Subject:	It's okay CRM:00020006
Date:	Wed, 5 Apr 2006 23:26:20 -0400
From:	Vlad Mazek <vlad ownwebnow.com>
To:	Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] sbradcpa@ pacbell.net

ExchangeDefender Message Security: Check Authenticity

Is there a RWW equivalent in big server land?

Indy asks if there's a Remote Web Workplace equivalent in big server land....

<insert evil cackle here>

No, silly you, it's SBS's and only SBS's.

And I'll point you back to Tristan's post about RWW

Blog du Tristank : Ninja Feature: Remote Web Workplace in SBS2003:
http://blogs.technet.com/tristank/archive/2004/10/14/242211.aspx

He had posted up some instructions to hack up some web pages... but RWW is way more elegant.

..but yeah.. I think we SBSers should share out that feature with our big brother servers....but for now.. we gotta keep something they are jealous over, right?

Pop quiz - do you see a problem?

Pop quiz... do you see a problem with this image?

..come on... see it yet?

Not yet?

Look very carefully.....

It's about a "zone".....

Yup...this is another of my newer OEMs that do not pick up the proper time zone unless you untick and retick the "automatically adjust daylight savings time"..thus if the end user would be booking appointment s in standard time zone... the Secretary is on daylight savings time zone and thus is an hour off.

You might want to check and make sure your machines are picking up the zone properly.  It seems like every time I get a new machine.. I end up with a rogue time zone because it hasn't picked up the daylight savings factor.

Brand trust

CRN | IT Brands | Dell, Apple Lead In Brand Trust, Microsoft Dead Last:
http://www.crn.com/nl/crndailynews/showArticle.jhtml?articleId=184425736

...okay I can understand Apple leading in brand trust.. but Dell?

You have to be kidding?  I still think that the OEM channel is the one destroying that Brand Trust... or at least strongly pushing it in that direction....Do you trust Dell as a brand?

Let's not isolate ourselves too much....

Subtitled... okay MBSA 2.0 is closer...but I STILL cannot consistently scan my domain worth a darn.....

Okay so we already heard from a poster that he used a dll exclusion in the firewall...

So we went back into our Small business server firewall settings... and clicked on "define program exceptions"

And then on "Show" and added an exclusion exactly like this:  %WINDIR%\SYSTEM32\dllhost.exe:10.0.0.2:Enabled:WSUS Port so that it ended up looking like that:

(Remember I'm still on that old fashioned SBS IP addressing that we used to use in the 4.0 days)  And now... on those workstations that are checking into the MBSA console..they are properly scanning the patch status... but I still do not have a consistent scan-ability of the network.  Even when I added the extra RPC connectivity allowance like Level Platforms needs.

I'm still getting way too much of this error on some of the workstations...an  then I'll scan again and won't get it for those same workstations.... I am scanning by netbios domain name... so why isn't this still working?  Or I should say...consistently working?

Why am I seeing error "Could not resolve the computer name: name. Please specify computer name, domain\computer, or an IP address."?

A.

This error is common when scanning based on an IP address range. This is because MBSA will convert the range into a list of specific IP addresses for that range and attempt to resolve each IP address into the associated NetBIOS computer name. When that name resolution cannot be performed because the computer is switched off, or the IP address is not in use, this error will be returned. The error can also happen when using a domain name of domain members are not accessible on the network, such as a laptop computer roaming outside the wireless network, or a desktop computer that has been shut down. If you specify a DNS fully qualified domain name (FQDN) as the domain to be scanned, you will also see these errors. In that case, you need to use the NetBIOS compatible domain name.

But I'm not.. I DID put in the netbios based domain name.... and I kid you not.. many of the people I talk to say that they tried MBSA 2.0... couldn't get consistent scanning results... got frustrated and dropped using it.... because they too couldn't get it to scan through the firewall.

But this reminds me of an email thread I had today with a guy about keeping "some" network goo... as a balance between security and that managability that I need to have ....as while Dr. Jesper Johansson is talking about Server and Domain Isolation techniques... I'm sitting here poking holes in the firewall and knocking off the Strict RPC compliance in ISA server because I want.... no... I NEED to have managability of the network.  I NEED to have a foundational bit of 'goo' that runs throughout my entire network so that I can scan them and get assurances that they have protections in place... I mean yeah... scan my SBS box and it says I have "Severe risks" ...but right now.. the fact that I can't scan my entire network... I think ..means I have a bigger risk.  I mean I know I can't do the Server and Domain isolation stuff the big server guys have to do... but it sure would be nice if I could scan the network with MBSA....

Stay tuned.... we're getting closer.....

Okay big server land people.....

Okay big server land people.....why isn't there an 'edit' key in the Group Policy Object Editor?

In the group policy...you type these GUID thingys in by hand?

I mean ...really... you never make mistakes when setting up group policy settings or something?  So why no edit button? You guys think typing this stuff in by hand builds character or something?  I mean look at the gunk I need to type in there... and for the record... when giving us SBSers instructions on group policy..don't assume that all of us have been in there enough to know that when typing in a new key we will truncate the "HKEY_LOCAL part and just need "MACHINE" up there.....


HKEY_LOCAL_MACHINE\Software\Classes\AppID\
{B366DEBE-645B-43A5-B865-DDD82 C345492}
\Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n"

Yuck .. I have to manually type in MACHINE..wack... Software.. wack... yadda yadda

2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes\AppID\
{B366DEBE-645B-43A5-B865-DDD82 C345492}\
Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n"
(where n is the port number you have decided to use.) You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent - Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.

And why do instructions like this assume that once we get to Component Services section.... in the control panel...that we'll even have a clue of what to do when we get there? I mean like look at this:

Okay.. I see the static endpoint in the Dcom protocol ...but.. now what.. do I need a protocol sequence of connection-oriented TCP/IP?  I guess so but the instructions don't say to mess with that....but gang....don't assume that we've been under the hood before and when giving instructions.. be specific...because if there's anything else in there... we're going to ask and wonder if we need to select anything....

P.S... skip the GUI?  Edit the text file?  Import them from the command line?  Are you insane?  ...excuse me... what do you think I am.... a big server person?

Like DUH folks - MCE has rapid sales

Chris Lanier's Blog : Microsoft Sees Rapid Media Center Sales:
http://msmvps.com/blogs/chrisl/archive/2006/03/21/87204.aspx

Yes, there is rapid sales because of the two retail software that our Small Business folks can buy at a retail store, at LEAST Media Center can be hacked to join a domain is why.

This has got to be one of the stupidiest stats I've seen..... go into a retail store and see what is being offered in there.  Home and MCE...and MCE is even being placed on laptops.

Does Bill or Steve know how many times my fellow SBSers walk into a firm and they are stuck with XP home or MCE as the operating system that the owner bought because that was the ONLY thing at Best Buy they could get?

Small Business Server hardening guidance

On the Security 360 webcast that was on earlier today, the topic was on "browser hardening".  And the VERY first question was about Small Businesses and they were looking for guidance on hardening.. and the question included hardening of the SBS box.  I tell ya... us SBSers are EVERYWHERE aren't they? 

Here is the guidance I would highly recommend as guidance for locking down a SBS box.

1. Walk to the server.
2. Turn around.
3. Yes, I said turn around.
4. I really mean, you need to turn around.
5. Walk to the nearest workstation that has a user working on it.
6. Shove the user aside (nicely of course, but you want to be in front of that user's workstation using their session).
7. Click on the date and time in the corner.

Got that?

So why is that a hardening step for locking down a SBS box?

Because I would strongly argue that your biggest threats on a SBS network is the end users.  End that have local administrator rights.  End users that can download and click.  And if you can click on that date and time and it comes up and allows you to modify it, that user most definitely has the right to introduce risks into your system.  So lets talk about how we can harden the workstations, shall we?

Want to harden a SBS server and network?  Start by hardening the user. 

• You don't surf at the server
• You don't use the server as a workstation
• You educate your users that "download here for free" translates into "yes, you really do want malware on your box, don't you?"
• You have an acceptable use policy that says "yes, this is okay to do" and "no, this isn't appropriate for our firm" - check with the sans.org policy site to set up an acceptable use policy.

So that that you have that education task out of the way... you harden the desktop.  Here's the hard part... you need to check with the applications that are poorly written and won't work under these conditions.  Some of these things are not for all..but it will take YOU some time to do, so play first on your own boxes before rolling this out to your clients.

• Get more control using Group policy - Consider IE active X browser filtering using this KB by Nick "the naked MVP" Whittome -
  • Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
    http://support.microsoft.com/kb/555235/en-us
  • I honestly do not think that we do enough in group policy in SBS.  We have the GPMC tool right under the hood and all it takes is us to get up to speed.  GRAB A BOOK.  And read this spreadsheet to see all the potential for things you can control.
• Use ISA 2004 (only in premium) or your firewall software to block sites
  • We had this the other day... mysite.com is not for business and thus sites like those should not be used in the office.  Bad sites introduce risk. 
• Get those workstations down to "normal" user mode.
  • Sit down with that client/customer and see what key line of business applications they have.  If they are "designed for XP" they will natively run under this 'normal' user mode or LUA.  If they are not logo'd, come out to the newsgroups, communitities and google on ways to get that app down to 'normal user' mode.  Yell at the vendor. 
  • So many of the latest security vulnerabilities will launch things in the 'context' of the user, so the lower rights you have, the better you are
  • Review Aaron's blog about these issues
• Get patches on those boxes/Get on the latest software.
  • When SBS 2k3 R2 comes out, the "green check" of updates will be there to help keep that system up to date.  You don't have to wait until then or buy it if you don't want to.  Download WSUS now.
  • IF YOU DO NOTHING ELSE, FLIP YOUR SYSTEMS OVER TO MICROSOFT UPDATE.  Yes, I know I'm yelling, but we truly now, with Microsoft update, have the ability to patch our entire system (YES even ISA Server 2004 - which hasn't needed a patch yet), so all the way from the workstations to the server can now be done by MU.  If you have not, all you have to do is go to Windows Update and on the right hand side is the place to click to "flip the bits" over to Microsoft Update.
• Install the same sort of security at home that you do at the office
  • We buy Trend pccillian for all home pcs (especially those that remotely connect back to the network)
  • We require that they have XP sp2, firewalls and all the normal stuff I have here at the office.
• Follow some of the information and guidance on Dana's blog.  He had a webcast on Compliance at the SBsummit..

But even with all of this... what's the best way to harden a SBS server and a network?

You start by hardening ME.  Me the business owner.  Me the onsite admin.  You harden me, you get me to understand that you can't just harden the server, that "I" have to change.  I can't download things like I used to.  I can't surf like I used to. I have to be a little less trusting.  A little more aware.  A little more paranoid.  Accepting of the balance between security and business that I need.  We need to work on this together.  You need me to understand that there's no easy fix.  No one button that I can point you to.

You don't get it by downloading a guide.

You start by hardening ME.

Only then will you have a hardened Small Business Server network.

Real server hardware

See that ... that's a sign that I've got troubles... but you see... I shouldn't be freaking.  If this was a "REAL" server and not my OEM version, I'd be going...okay ...let's deal with this but don't freak because you have a RAID array, good quality hardware and a real server.

On my OEM, this is not real server hardware, and I have no RAID, so no fault tolerance of drives.  Heck I'm soooo non best practices on this OEM test box I don't even have a backup of this.

Do I do this at home where I do have a server that I somewhat care about?  Nope.  I back it up with a LACIE harddrive.  Do I have RAID at home, honestly not, but it is a slightly better server.  Do I do this here at the office where it really is important?  Heck no.  I have RAID, I have server quality hardware, I have backups.

But keep an eye on those daily logs... as just like this, they will give you a heads up that something needs to be done....

(running a chkdsk now as a matter of fact)

P.S. note to self.. when the box has to reboot to do a better checkdisk and the OEM server is headless...keep in mind that you can't see when it's asking for input... gotta go drag it next to a spare keyboard and monitor...

Dear people who code at Intuit:

If you can't get access to this link, let me know.  There is a document newly released on the web that is the "logo" requirements for Windows Vista.  You might need to take a look at this when coding your Quickbooks 2007 version... you remember..the one that was stated will run with normal user rights?  Since you are going to be changing your software ...since it can't do that now... you might as well make sure it fits the guidelines for Vista while you are under the hood fixing things.

Just holler if you can't download it... I'll make sure you get a copy.  Just send and email to sbradcpa -at- pacbell.net

Here.. lemme make it a little easier for you....just make sure you pay attention to this section:

1.1     Follow User Account Protection Guidelines

A user’s Windows experience is more secure when applications run with only the permissions they need.  Unless an application is designed to be run only by system administrators, it should run with least privilege.

Every application must have an embedded manifest to define its execution level:

<requestedExecutionLevel level="asInvoker|highestAvailable|requireAdministrator" uiAccess="true|false"/>

Most applications should have level=asInvoker (leastPrivilege in Beta 1).  Applications that are designed to be run by system administrators may define a higher execution level, and the justification must be documented.

Most applications should run with uiAccess=false.  Applications that need to drive input to the UI of another window may set uiAccess=true, and the justification must be documented.

How many have you installed? Revisited.

The other day I posted about how customers should ask the var/vap how many SBS boxes they've installed ...and I got a follow up question of how do you "jump" into the market when you've only installed them for yourself.

... well you just did didn't you?

That's one. 

Install it at home.  Set up a domain.  Dynamic IP resolution to DNS.  MX redirect and the whole thing.  Install it like you would for a client that didn't have a static IP but wanted everything else.

There ya go.  That's one.  And that's better than the guy that says "oh yeah, we do SBS in our office, it's just like Windows... and we don't use the wizards". 

We typically say it takes three times to install it correctly anyway.  Once to really screw it up, once while reading the manual, and finally when you 'get it'.

Just never be ashamed to reach out for help or call Support.  Calling support doesn't make you look stupid in front of a client.  More like a savvy user of resources.

Steven ..honey.. I know that was a demo..but MAN was that a sucky password

So in the very first webcast of the SBsummit (that is recorded and available for viewing now) Steven is demo'ing RWW at the Small Business Summit and he says one thing...and does another that raises the hair on the back of my neck....

http://www.sbsummit.com/home/

He first says "accessing the date remotely from a Kiosk computer" and then he used like a three character password to demo/log into Remote Web Workplace.  Dude... first off I don't use Kiosk computers...I hand folks a laptop.  I don't have control of that Kiosk computer, I don't 'vet' it for security issues.  But laptops are cheap folks.  Get a refurb'd one.  Then you know it's secure and doesn't introduce rootkits or keyloggers or anything like that.  It's MINE and thus goes though all the same security checks that all the other computers do.

And Steven.. passPHRASES... try something a little bit longer of a password next time... that's ONE SUCKY password.....

Looking professional

On the smallbizit listserve today, the discussion was about renting office space and if it helped getting clients because you looked more professional.

Let's take that one step back shall we?  Go to the Small Business site on the Microsoft.com page.  And now search for a Small Business Specialist in your zip code.  I want you to compare yourself to your competitors.  Forget about the "professionalism" of a shared office space versus a home office, look what your web site and email says about you. 

One of the advantages of a server with Exchange is that you can have a professional email address..and not @yahoo.com. 

Now I need to ask something of you... do you find when getting services that you like to get contact information specifically about a person, rather than a generic sales@firm.com?  Or is hiding the fact that you are a one person shop why you want to do this?  Just not sure if folks want to see a more personable contact address or they don't mind the blind contacts. 

Just keep in mind that while you can sign up for a shared "condo" office space and look more professional, you might want to start with how you look to you customers in other ways as well.

Paul on R2 and Best Buy

In today's Windows IT Pro newsletter, Paul Thurrot writes....

" The R2 version of SBS 2003 adds all the technology from the mainstream Windows Server 2003 R2 release, along with several unique additions. "

and

" In a bid to make it easier for small businesses to purchase SBS, Microsoft is for the first time opening up Microsoft Financing to smaller purchases. In the past, customers wanting to finance purchases through Microsoft had to buy at least $10,000 worth of merchandise. But this amount was prohibitively expensive for some small businesses, many of which are cash strapped and on month-to-month budgets. To help these businesses, Microsoft is lowering the minimum purchase amount to $3000. So even small business customers can spread payments out over time--
typically 36 months--and pay for the technology as they're using it. Microsoft Financing is currently offering a 12.5 percent interest rate, according to the company.
Finally, Microsoft is working with Best Buy to provide training for that company's Geek Squad, which was previously focused only on supporting client-side technologies. Now, Geek Squad members will be qualified to install, service, and support SBS 2003 R2 and other server products, allowing small businesses to use the local electronics superstore for technology purchases and support. "

First off, repeat after me, SBS 2003 R2, does not now, nor ever have "all the technology from mainstream Windows Server 2003 R2 release"... we don't get the second cdrom at all of the "mainstream Windows Server 2003 R2 release".  I don't know where you are getting your information Paul, but that part is dead wrong.  Now lets not go down the argument again of why we don't get "it" on our "IT", okay?  Let's not start that again as I'm pooped over that issue.

Now as to the Best Buy issue... this has been a bit of a concern for some in the small vap/var marketplace as they try to get their customer from break/fix to managed services.  Vlad posts about it here as well.

Is this a good thing?  Well for one it will get the Small business product out front and center of those small business customers.

Is it a bad thing?  Well.. as a customer of the SBS product.. I want to make sure my fellow customers get a Var/Vap/whatever geek squad person that knows SBS, that understands SBS.. and that Geek Squad person.... or even a var/vap should not be installing SBS for the first time for your business.

I would urge every small business customer to ask that consultant "how many SBS boxes have you installed"... if they hem and haw... or say "oh my firm does"... you say "no, how many have YOU installed".  If the answer is "uh..none..yet", then give them this link to the SBS trial software page and go ask for another consultant. 

As a small business you deserve someone dedicated to the small business marketplace.

But the good news indeed is that financing plan for small businesses.  I think that will indeed be a very good thing.

An open letter to the "Do it yourself-ers"

We were recording a bit for the mid week SBSShow (with Susanne back in the adding class to Vlad and Chris role) and I said something about "being a representative of the DIY crowd" because quite honestly, I still feel that way as that's my roots and I feel that is some small way that I try to give that voice to the conversation when needed.  Even though I've moved from that position, I can say that I feel like I can relate still to that DIYer who gets a server and sees the potential in a SBS box for their firm.

Well to all of my fellow current DIYers and potential DIYers... I have a message for you.. and please understand that I give it with a great deal of compassion for where you are at.  I understand what you are facing. You are probably the "geekiest" person at your office, and someone read all of the literature of how easy computers are and servers and someone shoved this box in your hands and said "you do the workstations around here, it can't be that hard!".  Or you are the Linux guy or the web developer or someone who's really good at technology and this fell into your lap. 

Now I'm not going to say that your journey from where you are now, to a comfort level with SBS which is where you want to be is not impossible... It definitely is indeed possible.  But you are sure not going to get there if you don't do some basics.  You are honestly not doing your firm any favors if you don't start this process with the understanding that you are setting up the security parameter of your firm, the fortress of your data, so you'd better approach this better than we normally approach technology.

And the first thing... above all other things.. is to put down the mouse and READ.

Start here.. RIGHT HERE and download each and every one of these documents (okay so you can skip the Small Business Accounting one if you don't have that) but you should spend some time on this page... in particular this document.

When I decided to move from geeky DIYer to "okay I'm seriously going to be the onsite network administrator for my firm" in the SBS 2000 era, I ordered a SBS trial kit and install it at home.  Three times.  And then I read.  Books from Harry Brelsford.  Books from Charlie Russel.  And these days I'd add books by Eriq Neale (with the disclosure that I wrote two chapters in that one, and one in Harry's book).  And then I found a hands on lab course that taught a person about SBS.  And these days you don't even have to leave your office.

...but

I did ALL OF THIS before I even considered installing it 'for real'.  And even then, I was ready to hire a specialist if need be.  If I didn't feel that I could do this, secure it, to do the right thing for my firm, I would not have done it.  And I even interviewed Microsoft Partners, but back then there wasn't the Small Business Specialist designation so I didn't find an SBSer that I trusted.  Heck I didn't even find an SBSer.  The consultants I talked to tried to talk me out of SBS...they said "I'd outgrow it"  Uh huh..yeah...right... that's exactly what all of the consultants I interviewed said to me.  That they didn't like to install SBS as they found it too "limiting",they said.   Look where I am now... with SBS 2003 and RWW being EXACTLY what my firm needs.  I think I outgrew them.

And by that time I feel ready and had the resources I needed.  I had done the homework and knew what I was facing.  I was indeed ready to do it myself.

But do you get the idea that this wasn't a decision I took lightly?  That at any point in time that if I didn't think that I had the necessary information, and experience that I was ready to bail and hire someone to do this?  That I realized that I wasn't doing my firm any favors by setting up a network that housed the lifeblood of my firm if I wasn't prepared to do this?

So to all those facing the same thing...looking at a project that they are installing the backbone of your firm.... stop reading that marketing stuff that makes it sounds like all you need to do is add water and stir.  It's a smidge more complicated than that.  And think about that it just might be cheaper for your firm if you get help.  Yeah there's a lot more resources out there to help small businesses these days, but just remember, maybe it's cheaper, maybe it's better, maybe it's more secure, maybe it's better in the long run to READ FIRST and get training... or maybe...just maybe a little help to get you where that SBS box is just chugging, and you are just "admin'ing .  And these days, folks are quite proud to say they install SBS and recommend it to small firms.

Do it Yourself.. .sometimes means doing it with a little help.....

Customer Support Questionnaire

Customer Support Questionnaire

1.  Describe your problem:

2.  Now, describe the problem accurately:

3.  Speculate wildly about the cause of the problem:

4.  Problem Severity:

        A.  Minor__

        B.  Minor__

        C.  Minor__

        D. Trivial__

5.  Nature of the problem:

        A.  Locked Up__

        B.  Frozen__

        C.  Hung__

        D.  Strange Smell__

 6.  Is your computer plugged in?  Yes__ No__

 7.  Is it turned on?  Yes__ No__

 8.  Have you tried to fix it yourself?  Yes__ No__

 9.  Have you made it worse?  Yes__

10. Have you had "a friend" who  "Knows all about computers" try to fix it

for you?  Yes__  No__

11.  Did they make it even worse?  Yes__

12.  Have you read the manual?  Yes__ No__

13.  Are you sure you've read the manual?  Maybe__ No__

14.  Are you absolutely certain you've read the manual?   No__

15.  If you read the manual, do you think you understood it?  Yes__ No__

16.  If 'Yes' then explain why you can't fix the problem yourself.

17.  What were you doing with your computer at the time the problem

occurred?

l8.  If you answered 'nothing' then explain why you were logged in?

l9.  Are you sure you aren't imagining the problem?  Yes__ No__

20.  Does the clock on your home VCR blink 12:00?  Yes__ What's a VCR?__

21.  Do you have a copy of 'PCs for Dummies'?  Yes__ No__

22.  Do you have any independent witnesses to the problem?  Yes__ No__

23.  Do you have any electronics products that DO work?  Yes__ No__

24.  Is there anyone else you could blame this problem on?  Yes__ No__

25.  Have you given the machine a good whack on the top?  Yes__ No__

26.  Is the machine on fire?  Yes__ Not Yet__

27.  Can you do something else instead of bothering me?  Yes__

Thanks to Cheryl Wise MVP Front Page for passing this along

B - E - T - A does not mean "in production" or "on a box you care about"

I am running a beta of Vista at home...not that I really meant to...but I kinda loaded it up in a dual boot and it's been on the Vista side ever since...but at the office..in the real world where it counts.... I rarely run betas....the exception being the Microsoft Antispyware product.

I don't install IE 7 on any machine...and I don't like the fact that seemingly it's not being quite warned about on blogs and other sources as that it truly is a beta...heck there's even a patch in the optional section that refers to IE 7

• Authentication fails when you use Outlook or Outlook Express to try to log on to a HTTP-based mail server if you use Internet Explorer version 7.0:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;904942

Then DO NOT install the ISA 2006 beta on a SBS 2003 box.  Remember that we are an integrated platform and we wait for our parts.  And I already saw a poster in the newsgroup do this. 

Repeat after me... you DO NOT install betas on computers that you care about.

The problem with translations

I hope he realizes......That I'll probably be running every post he does through a google translation tool...

One of the problems of being a world of languages is that we are a world of languages.... and the sad part is that things don't translate well sometimes... and especially not when it comes to technology trying to translate.

There are some things that have slang meanings, or just have a different meaning in different languages...or worse yet, with all the technology we have... just do not go through the machine translations well "at all".  I still remember someone asking for an example of a badly done machine translated KB article and the response was "pick any".  And the feedback was.."no can you give us examples..." and the person answered back "no, pick any of them, as they all have slight issues with translation".

I find myself in translation issues sometimes too.... Jeff Middleton and I were recently talking and we joked about how ....sometimes I'm just more blonde than I should be and I should have a "George Carlin"-like post of all the words that I just shouldn't use anymore in my posts...because quite frankly .. I thought of them as one thing...but in a different country ..even one that speaks English they didn't quite have the same meaning... or .. and this is more likely the case... the meaning "I" thought it was ... just wasn't what it was in reality when I went and looked it up in an urban dictionary ....

Okay I'll "out" myself on some.....one is "wack", another is "friggin" (hey, I didn't think it meant as bad as the word I was trying to avoid) and one lately.... uh... well.... lemme put it this way.... we're just not going to even post the word that I thought was another word for a smelly brown organic substance commonly seen in the farms near where I live...because on the urban dictionary... it didn't mean what I thought it meant AT ALL.... and we're just going to leave it at that....

Just put it down that sometimes.. some translations don't go well at all whether they are via machine....or via the blonde.

Would you live there?

I want you to think for a moment....

If your computer you use was a house would you live in it?

If your computer you use was a city, would you want to live there?

Just think about that for a moment... all of those items I asked you to think if you wanted to do with it... are all about trusting something.  Trusting the house to be safe and secure and liveable.  Trusting the city to be civil and a nice place to raise children and a good economy for jobs. 

Think of where your computer goes and what it does and what you do with it.  Do you trust it? 

Do you trust your network?  If your network was a city would you live there?  If your network was a State would you want to live in that State?

Now think of the Internet.  Think of what goes on in the Internet.  Do you trust it?  Do you feel that it's safe and secure? 

Think of it as a place to live.  A Country.  A city.  A house.  Where you would be, day in and day out.  It would be your home.  Would you want to live there unprotected?  Without a policeman?  Without a guarddog? Without the infrastructure of a 911 call system, and fireman, and doctors? 

So tell me... if you ...right now ... today... live in a house that you consider safe enough.  If you live in a city that you consider good enough to raise children and provide jobs.  If you live in a State or Country that you like to live in.  If you couldn't dream of living in a place that didn't have the basic infrasture of SECURITY as it's foundation.....you couldn't dream of living in a place where there isn't the assurances of fire protection, and emergency services, and protection, and medical attention that proactively ensures that you stay well and eat right and exercise and all of that.......

If that sounds like a really good way to live.....where you would want to be...

...then why do we do what we do to our computers?

...the very things that many of us depend on for our businesses?

...the very things that provide us with jobs?

....why do we not take care of them proactively... why do we instead spend money on the equivalent of the emergency room medical treatment....why do we not ensure we have adequate safety and protection so that we can minimize the risk....

...why do we with our computers and networks live in the equivalent of a crime infested neighborhood, not caring about cleaning up the crack houses and drug addicts, not caring about the drive by shootings and the muggings.  Not caring about our very lives.... why does it seem that if we "lived in our computers" it wouldn't be a good place to live at all....

so I want you to think about that....

If where your data lives.. is not where you'd like to live....

...why do you let your data live there and not protect it?

IT

You see I'm tired of the argument over "IT".  Yes I know we don't get "it" in '"IT", but sometimes, especially in a small business we don't always get exactly what we want.  And sometimes we have to come up with our own solutions.  These days business owners really don't care if the solution is from this vendor or that vendor.  It's your job to come up with a solution.

For the record if you want to know what of "it" you can do on "IT", you might want to check out this blog posting.

If you can't sell "IT" to your clients because it just because you already have a patch management in place and don't need SQL 2005 Workgroup?  More power to you.  Wonderful.  Fabulous.  You are ahead of 99% of the rest of the universe because most people I talk to don't have WSUS and a patch management/testing program/process in place.  And that's the gang that I'm beta testing "IT" for.  Because there are some firms that will want "IT", and as long as there are some customers out there that will be buying "IT", I'm beta testing for them.  I'm not walking away from "IT" just because it doesn't have "it", because there are still clients and customers that will be running "IT".

But gang... business owners don't care if "IT" has R2 bits or not.  They want you to listen to them and solve their needs with whatever tools are in your tool bag.  So if you need to use robocopy or Rsync... then do it.  And indeed post up the "how to" on a web site or wiki and share your solution with others.  Because the deed is done and every single time we argue about "IT" not having "it", it's not helping your client that doesn't care about "IT" or "it".  He just want you to handle your Information Technology needs.  You know.... the other IT in this argument. 

He or she hired you to propose a solution.  He or she doesn't really care where it comes from.  He or she just wants it to work.  And that's your job to pick based on his needs.  Just don't mess with his desktop or his Solitare game and just handle the server side and come up with something that works.  And if you stay on the "old" "IT" because your line of business apps won't upgrade to SQL 2005, that's do-able too.  Line of business apps do not upgrade to new databases quickly AT ALL and SQL 2005 is still a bit young for most LOB app developers.

So if you want to give feedback about what you think is wrong with "IT", a good spot might be steveb@microsoft.com, and can we all agree that "yes, it sucks, Microsoft, the Lawyer run Monopoly has got to be smokin' somethin' up there in Redmond with all of their SA/R2 stuff and man Longhorn better be good" and get back to solving real problems and not arguing over how dumb it is that we don't get "it" in "IT" and get on with providing real solutions to real clients?

One thing you have to remember about me.... at the end of the day I'm a business owner and look at things a little differently than most (besides the fact that I'm a Dew drinking female in a Tech/Geek world sort of adds to that wacko viewpoint too).  You see, I still see that there's still a lot of "drool" factor left in the Us Versus Them, even after I update it with the "it" versus "IT" stuff.

Because you see Remote Web Workplace and the 6 am email is still there.  And to me, the business owner, that's still the two killer apps of SBS along with the normal Email and sharing of calendars.  SBS isn't perfect.  And your job it to add to it to solve the needs for your clients.

You are the solution provider.

And if you noticed, I'm staying away from calling "IT" by it's real name.  For two reasons.. one I'm tired of the arguments over "IT", and for your clients, even calling "IT" as just plain SBS 2003 has some businesspeople (including my sister) asking "Isn't that out of date?  It's 2003?  Isn't there something newer?" 

So what would you like to call "IT"?  (We were calling it by something else but I found in the urban dictionary ...but what I thought it meant wasn't what the urban dictionary gave as the meaning....another blonde moment for Susan.... so I think I'm going to have to stop calling "IT" by what I was calling it.)

The trust factor

Define a "Managed network".

Got an idea?  Is it like Durf's ideal managed network?  http://smbmsp.wikispaces.com/Defining_Managed 

Yesterday someone was asking how do they get "into" the vertical market of Accountants and it reminded me that it's the same uphill battle the "managed" network folks face.

How do you become the "employee" they aren't paying with a W-2..  trusted..... part of the technology team?

Here are just some of my thoughts..... and first off with a caveat ....this is a very US centric post and these offers are not world wide.

• Build the trust.  While we beancounters are probably still running (or fondly looking back anyway) to Windows 98, there was one thing that would (and still does) drive me crazy.  When a consultant comes into a firm, ensure me that you treat access to my network in a secure manner.  Don't ask me for the Administrator password and then build yourself a "backdoor" admin account and don't tell me you did that.  Inform me what you did.  Ensure that you change that password if employees change.  Consider discussing remote access windows and adjusting the access time so that you can only have access to the network at certain times.  Don't ask me to email or fax you a list of my network passwords either (I've had this with printer/copier vendors). 
• Remind Accountants that they have client social security numbers on their systems and should take reasonable precautions in protecting that data.  Reasonable... quite frankly... doesn't include Windows 98.  Yes change is hard, but so is putting information back together again when your peer network that isn't properly backed up ...isn't being backed up.  They want and need shared calendars.  They need to send email (even though most of us are not encrypting it)
• Be knowledgable about restoring a SBS box.  One of the issues that comes up in "selling" SBS is the "ol" single points of failure.  All on one box and all that.  But be prepared by explaining that a proactively managed system along with quality hardware is the way to do this.
• Be prepared to deal with the "is it secure enough" discussions.  When even Vars/Vaps are not deploying Remote Web Workplace and instead use VPN, get a better understanding of the security of the technology and the real risk of that network.  Do a technology assessment with them.  Ask them about the last "incident" they had.
• Sign them up for the Microsoft Accountant's Program (www.microsoft.com/accountant ) This is the US centric part of the post as SBA 2006 hasn't released to all shores.  As a result this MPAN isn't offered world wide.  If the person who works in the field of accounting (bookeepers, CPAs, etc) signs up, they are eligible for the Action Pack software offer.  Now think about that... that's the normal software the registered MS partners get that you can then take to your Accountant client and sign them up for and get all of their computers on a solid network.
• And last but not least.... come up with a solution to get clients data from there....into here... now whether that solution is using a third party site or solution, or building something on that server (but quite honestly I'm scratching my head a bit about how you could do this with a SBS box with the user/device cals and the fact that you would always want that transmission to be over a SSL tunnel so they'd have to authenticate).  You may want to set them up with Logmein or I use Quickbooks Remote access which is a Webex 'invite' and 'approve' remote access solution.  Use the server for the data repository, but come up with a remote data transfer on approval solution for them.

Build the trust...fix the needs...

(just updated the post as I think they just redid their web site today on that RemoteAccounting link)

Buying software

Went to Office Depot tonight to buy Accounting software for a client who needed to update (old 2003 version ....yes... I bought Quickbooks... I think they will take my Security MVPdom away for that....) and I noticed that Small Business Accounting 2006 was no where to be found.  Oh sure, I could buy a SBS 2004 (three day shipment special order) but Microsoft SBA 2006? 

Nope. Not on the shelves.

Folks... Office Depot and Costco are where my small business clientele go to get software most of the time.

Be careful what you ask for - Part Two:

Subtitled.... "Does Susan blog too much?"

Earlier today I talked about the member of my SBS Partner group who said he was getting near information overload from all the various vendors and sources of Small Business Information.  My earlier post was asking us to brainstorm about the ways to make the various "official" web sites better. 

This post is about “What if you were in charge of the Universe” and could change anything you wanted to on the community listserves and newsgroups and blogs and web sites and podcasts and what not…..

It’s come up before that someone has asked us a few years ago that wouldn’t it be grand if we in the community could all come together and coordinate and work on the ultimate perfect SBS site/web/wiki/thingamabob in the world.  There’s one problem.  Because we all come from various places all over the world, and for most (if not all) of us, the things we work on are a labor of love and volunteerism so you’d better make it in a venue that we find “entertaining” while we volunteer on it, it’s hard to get coordination from a bunch of volunteers.  Add to that that most of us are control freaks, or that getting a collaborative site would probably mean that someone would have to sit down and understand licensing...and well.... this is why we sort of have all these places to go to for information.

So how do you harness this spirit to be able to make it easier for folks to find things with ensuring that the person in the community likes to do it and gets an “attaboy” for doing it?  Look at all the volunteer energy that folks give around here.

It’s not easy is it? 

I call SBSers “cockroaches”.  We’re little, small, indestructible… and we’re EVERYWHERE.  It seems like everytime I turn around there’s someone in some venue asking a question about SBS.  And sometimes I know it's hard to be aware of all of the venues and resources and web sites and links and.... just everything we've got around here. 

So let me ask this again…. So how do we as a community do better in helping you, the Var/Vap not get overloaded with information?  I was reading the book by Shel Israel and Robert Scoble and one of the things they said was to blog consistently.  Once a week, Once a month, Once a day.   But be consistent. 

The other day Jeff Middleton pointed out to me that I was about a three times a day blogger.  And I think he’s right.  A break at lunch.  And two at night before going to bed for relaxation.  But am I blogging too much?  Should this blog be more on just techy geeky stuff or do you mind the occasional introspective post… the every now and then (okay so it’s probably a bit more often than every  now and then) rant post?

What about our other communities?  Are the listserves getting too much into theory?  I think we’re not as patient in the listserves as we used to be….and I think we’re getting too much into theories and arguments and maybe a lot of folks are tuning out?  What do you think?

Grey Lancaster used to say "kill folks with kindness" and "be patient with newbies".  Now that "small business is big business" are we as patient with the newbies?  Should we be?  Or should we say "You know, if you are serious about small business, show it by buying a book, reading, and then come back."  Or should we follow Grey's leadership and welcome folks into SBSland and help them learn and grow in this profession?  Because all of us started just like that, with a kind word from Grey.  Including me.  When I was cleaning out my SBS 2000 notes and paperwork I found a bunch of newsgroup posts that Grey had done in the newsgroup that I had saved.

So how would you make the community listserves better?

How about the podcasts?  What topics aren't being covered that you'd like to see (not that I don't think Vlad and Chris and Suzanne and the SBSPodcast gang aren't picking fabulous topics...but since we're brainstorming...let's have some fun and see what we can come up with)

What about SBS Partner groups?  I know that SMBTN.org is doing mini conferences and emphasizing 'business' talks as well as tech ones.

Blogs?  Websites?

What other community resources could be made better and how?

Now I'm not promising that I can keep myself to one post a day...but let's just brainstorm on some ideas.  How can we make the community resources better than they are now?

So if you were in charge of the universe...what would you do?

Be careful what you ask for - Part One:

The other day in my SBS Partner group this topic came up…. Do we now have what we asked for …. And is it too much?

It was about how before in SBSland there was a veritable waste land of information.  We shared because we found that when we relied on each other we learned more, we shared the “been there and done that” information.  Even the Microsoft partner site was geared toward certified and bigger partners.  The comments I heard from folks that while it looked nice, it was hard to navigate around.

So here we are… about a year… year and half later and the comment was made that now, instead of the wasteland, we’re tripping over Small Business information all over the place.  To the point that we’re getting overloaded with stuff. 

I mean I was telling someone the other day about the resources and it was kinda silly… Podcasts over there….. webcasts here….. listserves… and web sites….. and are we getting too much information?  And are we getting the right kind of information that we need?  But at the same time are we not ensuring that once people have met a certain milestone that they have access to the right kind of information and someone or something is filtering out the noise so they can do a better job and they are rewarded for stepping up to the plate and being serious about Small Business.

Every now and then I like to do what I call “what if you were in charge of the Universe….what would you do?” and think about how we can do things better in SBSland.  It’s something that Jeff Middleton of SBSMigration.com once asked in the newsgroup.  I’m going to do a series of two posts… in this one I’m going to put you guys on the spot and ask how you think Microsoft could do a better job, and in the follow up one, I’ll ask you how you think the Community of SBS could do a better job (including me). 

Now I’m not promising that anything will happen because of these questions… but sometimes…just bringing stuff out in the open and hearing different ideas give us things to think about long term (and okay so I’m hoping folks in Redmond may just get an idea or two from the feedback posted, so it will be a fun experiment nonetheless).

So now I’ll turn it around to ask about the various community and partner sites in SBSland:

Right now there are three major landing places for SBSers and web site that are official from Microsoft…… the www.mssmallbiz.com site, the Microsoft.com/partners site and the new landing place inside of that that is unique for SBSCers.

If you were in charge of the perfect site(s) for SBS partners….both registered AND Small Business Specialist Certified.... what would you do to make it better?  Would you leave the www.mssmallbiz.com site just the way it is? Use it for a launching point to the Partner site?  Have all Microsoft information regarding SBS behind the Microsoft partner portal?

Here’s my two cents of why I like the www.mssmallbiz.com site just the way it is.  And this is just my opinion so I want you to think about your thoughts on these sites and post in the comments about what you think. It’s a little bit rough.  Unpolished.  Got some frayed edges on it.  It’s a Sharepoint site.  But it looks like something that a busy Small Business owner would put together.  It showcases the very technology that SBS has in it.  Sharepoint.  It sends me Alerts when there are new things.  It helps people join in the small business marketplace by putting out the welcome mat and letting people come in without having to register for anything right at first.  They can look around a bit before walking in the door.  A lot of stuff is in the window where you can take a look at it.  There are notifications and alerts. 

Now let’s look at the Small Business partner site behind the Microsoft portal and the SBSC partner portal.  You can only get there once you register.  It was funny but on a SBSC listserve someone asked if having that designation would “put your clients off” because they would perceive that you were not independent.  Let’s be honest with ourselves…..there is a definite lack of trust by both clients and Vars and Vaps of Microsoft.  But at the same time, for those folks that have stepped up to the plate and taken the certification and “paid the dues” you need to ensure that they have something special and unique that they get out of the certification.  But are there enough “push” technology from these sites?  RSS feeds?  What about the newsgroups?  One of the advantages of the Partner site is access to the managed newsgroups because you are guaranteed one on one Microsoft engineers.  But because I can’t search them as well as I can the public newsgroups via Google Groups, I’ll be honest and say that I tend to use the Public newsgroups as a resource, where as the Partner newsgroups are more for a one on one issue resolution venue.

Then there’s the issue of getting folks to sign up for the Partner site.  There’s many a time I have to urge a person installing SBS networks to sign up for the Microsoft partner site.  And then there’s the issue of “so can’t I look at what I get before I sign up for it?”

I’ve been involved in other organizations where a credential process has been underway and it seems like everyone struggles with this.  You have to have the bar for entry such that a ‘critical mass’ gets the credential.  But once this critical mass has been reached, you need to raise the bar so that the credential means something.  Then you need to ensure that there is information and value unique to that credential so that others will want to be part of the membership as well.

Coming from where we have been in SBSland, the historical place where we share everything to anyone…. to now where we honestly have to step back and say… you know …maybe we need to organize ourselves a bit more and start asking for things changed and let those who have ‘paid their dues’ have a little bit better space over there…but still keep a space over here as the Welcoming committee place.

So what do you think?  

If you were in charge of the Universe and could do anything you wanted to the Partner and SBSC sites, what would you do?  Do you use the www.mssmallbiz.com site?  What do you like?  What don’t you like?   How would you make the Microsoft Partner site for registered partners and SBSC ones better than it is now?

I think there should be more RSS feeds and push technology.  I know that I visit www.mssmallbiz.com a lot more than the SBSC site because stuff gets pushed to me.

So come on... let's brainstorm!  See what things we can come up with as ideas....and then we'll ask.  Hey, they can always say no, but you have to at least try to ask in the first place.

When dealing with technology, always leave yourself a backdoor

I was multi tasking a bit this weekend and the CTP build for Vista came out so I loaded that up last night as I went to bed in a dual boot manner.  So I've been flipping back and forth between Vista and XP when suddenly this evening the XP side of the world, dealing with the NIC card starts to freeze up the computer.  Then starts the fun stuff...the NIC loses connectivity. 

You know how hard it is to google up a resolution to a technology problem when your google can't google because of loss of tcp/ip connectivity?  And because of course I really didn't have a lot of time to be messing with fixing this...suddenly I became an Expert Vista user real fast. 

I still have to find the settings from Sandi that you can use in the registry to tell this blog that I'm not IE 7 but rather IE 6 so for now I'm on the wirelessly connected laptop typing up this warning about always leaving yourself a back door.

Whether that backdoor to the Internet is a wireless laptop...or... a Vista partition, make sure you have a way out to the Internet.  I can even get there via my Cingular Air Card these days.

Note to self... don't blog while under the influence of too much Dew...and well... um... sorta...in a mood...

I find it ironic..that my blog post ranting against marketing spin would be 'spun' in other locations and into different meanings.  It was a rant about marketing of both Linux and Microsoft and how marketing 'spun' things and didn't list facts especially to those that needed facts (like Vars/Vaps) and in fact Tony reminded me that I need to give facts about the new SBS 2003 R2 licensing that that platform includes.  I'll do that in a blog post after this one.

But there's a couple of things I like to bring back up about that post that some of the comments in there bring out.

• Open criticism of a Company that holds me in high regard.  Okay where in the playbook does it say that because a company has held me in some esteem that I can't point out when I think their marketing is being stupid?  That it needs to be fixed.  Here's something to think about folks...it's because I CARE that I wrote that post.  If I didn't, I'd be walking away and saying nothing.  When I say things, it's because I think things can be brought out in the open, refined, discussed, possible changes made, or better understanding at least.  If I didn't care, I'd be giving up.  Calling it a day, folding my tent and going home. 
• SBS shouldn't be used where there's a need for branch offices.  Okay where in the playbook does it say that you can't do Branch office stuff with SBS?  Where in the playbook does it say that small firms don't have branch offices?  Where in the playbook does is say that that branch office is in an office?  Sometimes these remote offices are home offices.  Some of these branch offices are Starbucks locations and on the road.  Who wouldn't want to do branch offices AND have the power of Remote Web Workplace (and if you are in the SBS marketspace and go Huh? when I say RWW or Remote Web Workplace SHAME ON YOU for not knowing about the TRULY killer app of SBS 2003!  Google it for heavens sake)

I think still the problem is there are two SBS marketplaces.....one is serviced by the Var/Vap.. and these are the firms that get technology and are mobile and agile....that are putting in more than one location, that are being agile....and then there are those that haven't yet gotten into SBS.  The ones that the Var/Vaps haven't touched yet.  The ones that still have to be convinced of a server...to move away from a Peer to Peer.

In the meantime, I'll still keep complaining when I think something is dumb and stupid.  Yeah, it's my opinion, and maybe I'll change my mind later (after all I am a woman and it comes with the territory) but if I yell, it's because I care.

Remember that. 

It's when I stop yelling at the gang up north of me is when Microsoft really should get concerned.

Anti Spin Cycle please?

When a washer is squeezing out the excess water, it runs a spin cycle.  There are some days I want an anti-spin cycle when it comes to marketing and white papers and what not to squeeze out the fluff and get down to the facts. 

My sister was talking about some software that was being demo'd to them...and it looked wonderful... it could do everything absolutely perfectly....there's only one catch.  Only the company demo'ing the software could afford all the modular parts that made the software do exactly what was being showcased.  No normal firm, especially these days, could afford all the parts that would make it all work.

There are times like today I get tired of the spin cycle.  Today I saw a Linux white paper that compares the TCO prices of Linux to Windows and in their comparison chart calls ISA 2004 a "web server" and includes it in the pricing comparisons.  Uh, nice guys, but ISA 2004 is a firewall and doesn't compare at all to an Apache/Jboss server.  Apache/Jboss normally goes 'behind' a firewall, which is what ISA Server 2004 Enterprise is.  Then on the SBS Faq site , today I noticed it said this in their faq about what's in SBS 2003 R2:  

"SBS 2003 R2 will only include one Windows Server 2003 R2 component and that component is Windows SharePoint Services Service Pack 2. "

Microsoft, come on, give me a break.  I get Windows Sharepoint Services Service Pack 2 on Microsoft Update for heavens sake.  When I can get it on a Sp1 box, and already have it there, call me wacko, but I don't consider that it's something special that's included from the Windows Server 2003 R2 parts.  Furthermore on this Windows 2003 R2 comparison page, it says that Windows 2003 sp1 gets it too.  You know why Linux is going to win the hearts, minds and pocketbooks of businesses?  Because we, John Q. Public are losing trust in you.  Truly, we are.  You are slowing eroding the trust.  And quite frankly stuff like this plays right into that. 

Want to have proof that the paranoia isn't just relegated to the Tinfoil folks?  This very statement was on a listserve the other day in regards to trusting Microsoft Defender Beta 2....

"If we relegate watching and protecting for malware, trojans, adware, spyware and the like to Microsoft, who will be watching them?"

Last summer I was in Chicago for Tech conference and the gentlemen giving the keynote (admittedly using a Mac to give his presentations) said that Microsoft was on the real verge of losing trust by it's customers.

Am I the only one that is getting tired of the spin that I see going on?  I mean there are marketing books on 'how to tell a story'.  Why can't facts sell?  Why don't companies see that facts can be just as powerful as fluff?

You know what John Q. Public really wants (or at least I think so anyway).  They really don't want to have to think about security, they really don't want to think about technology working at all.  They want a TV set or a toaster level of technology.  They don't want to be dependent on a family friend to get their printer working over a two weekend timeframe or be dependent on their 10 year old to take care of their computers.  But they still want to download that music and what not. 

So will a Linux distro or Microsoft be the maker of that TV set or toaster of the future?  The maker of that technology that just works? 

I really don't know.

Right now I'm not sure John Q. Public can trust either one.  Right now the Maytag spin cycle is working overtime in both camps.

...and then there are those times that technology works....

So...we revisted our problem computer with the printer error....and so we lifted up the XP Home to XP Pro and in the process it refreshed the bits so that when we added the printer 'this' time, the HP loaded up like a champ. 

We shared it out and now Son and Daughter can both print via secure wireless network to the printer attached to Mom and Dad's computer.

I felt like Zelda Rubeinstein in Poltergeist (the second time) pushing hair behind my ears and saying "this printer now works".

Who knew that the sound of an inkjet working could sound sooooo good.

Let's hope the technology poltergeists are really and truly cleaned out of that system.

Take that HP!

Okay Charlie Russel (of SBS admin companion book fame) has pointed me in the direction of a HP tool to "scrub" the machine of it's malfunctioning printer driver.

I'll keep you posted...so far the computer is winning the battle...

This computer safety announcement courtesy of Seagate

This public service computer safety announcement courtesy of Seagate, makers of fine (and heavy) harddrives.

It's recommended to not accidentially drop a harddrive on on your foot.

We now return you to your regularly scheduled blog reading....

"ouch!"... "Dang that hurts"

Can I get that without fries and google please?

Dear Mr.  Dell.....can you guys offer a "bundle free" version for us folks that don't want this stuff?

You guys in the big server world flatten these guys and reimage them to your specs.

We down here in SBSland do not.  We walk into a client and because of Dell and other OEM bundling and potentially deceptive advertising of computers labelled in the "Small Business" flyer as "small business computers" we have to deal with XP homes that can't join a domain, and these days Windows Media Center computers that we have to hack up and void the warranty to join a domain.

Mr. Dell you are affecting the security of every small business with your "bundles" and "advertisements" out there.  You do understand this?  How come you can't take some of this bundling revenue you are getting and preparing a small manual on how to keep all this stuff up to date and patched that you are bundling on my systems?

When I go to Taco Bell I want a lunch "bundle".  I don't want one with my computers. 

http://www.windowsitpro.com/Article/ArticleID/49338/49338.html

Dell Testing Google Software Package Install on New PCs

   by Paul Thurrott, thurrott@windowsitpro.com

"Yesterday, PC giant Dell admitted that it was testing a package of

Google software on its new PCs, setting the stage for a second round of

desktop competition for Microsoft. The first round came 2 years ago,

when the world's largest PC maker started offering Corel WordPerfect

products on its PCs. Since then, Corel has reported millions of new

users each year, thanks to PC bundles."

Exactly how many licenses do I have?

I have access to an MSDN license that gives me testing rights to an operating system

I have access to an Action pack license that gives me rights to run the IT side of my business

My firm has a Open Business/Value (whatever the 3 year software assurance is called) because at the time I signed up for it, there was not the MPAN program and since the majority of the firm's income is from consulting other than IT, I didn't feel that it was kosher to be running the firm on my "action pack" license.

I think I'm about as legal as you can get, as least I hope so.  A fellow CPA said to me that what they didn't like the most about Microsoft licensing was the 'wink wink' that seemingly occurs.  That he felt that Microsoft purposely turns a blind eye to the issue of illegal software sales. That oh sure... Bill Gates and make a big deal about it, say that it's going to take 10 years, annoy the heck out of us with Windows Genuine Advantage and Activation, but when push came to shove they needed to put their money where their mouth was and truly make and effort to show they were really and truly serious about piracy.

Two of Vlad's posts showcase this better than anything... first a vendor still selling NFRs and then a Doctor buys the Action pack.

Microsoft... if you want to walk the walk and talk the talk on piracy.... this is where the cliches' come to pass and you put your money where your mouth is.

You spend the Lawyers fees to shut down that vendor.

You train your staff to understand the difference between a Doctor of Medicine and a Implementer of Technology.

Patches protect you from viruses?

"Notice: To protect your system from viruses, Dell recommends that you download any recommended patches and hotfixes by visiting the Microsoft Support website at support.microsoft.com or by selecting Tools -- Windows Update in your Internet Explorer browser"

I have some issues with that statement... for one... viruses can be unleashed on fully patched systems and do damage, so the statement that patching alone protects you isn't good enough.  Secondly that statement is from page 7 of the "Setup and Installation Guide" of a Dell OEM SBS server.

• Where's the discussion of configuration of automatic patching and flipping to Microsoft Update (should you want to do that)?
• Where's the discussion of obtaining a desktop/server/email antivirus to protect all the methods of potential infection?
• Where's a discussion that patches come out once a month and therefore expect a possible reboot of the machine if you set up automatic patching?
• Where's a link or discussion of what Service packs are appropriate for a SBS box.
• Where's a discussion how you shouldn't even be using the Internet Explorer browser on your server

Yeah yeah... probably way over the head and in the next part of the server install set up from Dell..but I just though it funny that they define "viruses" as being preventable by patching.

Remember the 123 protect my PC:

• Firewall
• Antivirus
• Patching

So?

Okay so why does this page http://blogs.technet.com/ link to this page.... http://blogs.msdn.com but that page http://blogs.msdn.com doesn't have a link back to that page http://blogs.technet.com/?

Just wonderin.....

Dear Live Communication Server people:

Dear LCS people....just saw this blog on the demise of Netmeeting in Vista and just wanted to remind you folks that I do love your Live Meeting server that allows me to have internal only messaging in my firm, allows me to track who's in the office and who's not and allows me to integrate it with Sharepoint.  But I gotta level with you guys that I'm one of the wacko ones that got Software Assurance and caught the product somewhat reasonably priced ...and I even re-SA'd it to hang on to it. 

Harold talks about the Exchange and LCS being under the same business group...but I just want to put in my two cents once again for a lightweight, no VOIP, no hosting of streaming media...just plain old 'chat' inside the office for quick messages. 

Most of us in small business are using our own duct taped together solutions for an internal IM...but if you guys just happen to want to have another product to roll out...and yes, sorry, it's got to be cheap... a nice low feature internal only IM would be nice if you have some time.

Feedback worth listening to

I was reading a post on the coding horror blog and the post about "good bugs versus bad bugs" reminded me of a company that seemingly takes feedback and does nothing with it.  No, I'm not talking about Microsoft here...but rather one of my LOB apps CCH. 

They do something in their tax program that just is inconceivable to me.  You see there are times that we need to fill in a form called a "Power of Attorney" where we can talk to the IRS (taxing agency) directly.  And there are specific identification numbers that we use.  Unique to each partner in the firm.  So when we migrated from Lacerte to CCH you can imagine our surprise that the "supposedly" less robust Lacerte, who all along has this master firm database ability to quickly and easily pop in a partner listing of unique info that was global to the program has been able to do this all along, but when we got to the CCH program, it cannot do this. 

It's a database program mind you.... in reality...and a basic database function....the ability for the program to remember unique data for each partner without having to individually place it in each taxpayer... it's now a "feature request" that we've put in for three years.

Now I cannot imagine that larger firms don't see this as a feature request.  I cannot imagine that larger firms don't have umpteen times in a day that they need to fill out a power of attorney form.  And the fact that this process is so manual, and that I have to keep a document separately to keep track of this information absolutely boggles my mind.

Why does it take a number of customers to wake up to a fact that they are missing out on something only because they haven't compared the features of a competing vendor to realize that neither vendor seemingly designing the software in a manner that optimizes what is the basic function of the program.  A database... a gathering of data.  Not a word document that has to be opened each time to enter in a data, database.  But an all encompassing program that keeps track of everything that the user of the program might need to do their job?

There are times I really wonder if any of the app developers are listening to the right people. 

Are they listening too much to the bleeding edgers?  Are they listening too much to the folks that have been using the same tax software since 1913 and they haven't changes their technology ways one iota?  (Okay so I'm exaggerating, but I kid you not, people do not change and migrate to new ways of techology well at all).  But truly, are they listening to the users of this software?  Sometimes I wonder.

My guess is that many of you reading this blog are not "users" of SBS but Var/Vaps.  And you are not the "users" of the software.  Oh sure you use the admin consoles and what not, and you still have to from various third party apps like Level Platforms or MOM and what not cobble together the "Var/Vap" console that you'd love to have (and that I swear I was at a AICPA Technology conference a few years ago and Bcentral was supposed to do something similar in the accounting space, but I digress) but in reality, you aren't the users of SBS.  

There are times that I don't think the vendors out there listen to you guys the "Admins" of SBS.  But the problem is and will always be the marketplace of SBS.  We're cheap down here, let's face it.

A blog should not have email

The RSA Security Conference is coming up and if you remember last year's conference Bill Gates made two announcments.... one was that IE 7 was going to be released for Windows XP and the second was that Antispyware was to be free to individuals.  It will be interesting to see what keynotes there are this year.  Last year the major ones were webcast.  So I'm out on the site and they have a new "Security Exchange" that includes Blogs....well..let's just say it has "one" blog.  And here's the kicker that made me laugh.  When you go to the page where the blog content is, there isn't ...that I can see anyway... a RSS subscribe icon.  Instead there's a place to click to..... "Subscribe to receive emailed updates of new blog entries from Ira Winkler"

Uh... gang... there's this thing called RSS? You know it's where you have a RSS reader like Newsgator or RSS bandit and all your RSS feeds come to you...and they aren't jumbled in all with all that junk mail I already get?

It's bad enough that the Orange XML tag is "RSS" on some pages and "XML" on another...but can we have another standard?  A blog standard?  That it comes with a XML feed that can be sucked in?

Not emailed, thank you very much.

https://www.rsaconference.com/exchange/blog_view.aspx?id=3

Apparently paper competes?

I was in Office Depot and it's like every paper stock sold there is now whiter or brigher...but whiter doesn't mean brighter... so make sure you have your terms right.  Apparently there is guildelines...or competitive grades of paper... and North American papers are different than European.  I mean I always knew that the American 8.5 x 11 wasn't quite the European A4 grade.

I guess, though technically the A4 size is the true international size and we're the ones who need to change our paper in the United States.  But then again, I distintly remember learning the metric system in school and they said we'd be driving kilometers by now....

...last I checked... we're still measuring stuff in miles....

Changing things is hard.  Just ask my office were we have to make sure that all our "old" white paper is saved and used for non important projects so we don't mess it up with the "new" white paper.

Who knew white doesn't match white any more?

How do you get the Industry journalists to care?

Earlier today I was called by a journalist for my industry to ask some follow up questions about some statements I had made to an author... and it showcased to me just how far we need to go to get people to care about Computer Security.

---------------------------

Thanks for the follow up call regarding the article that was written for _my industry journal_.  I am concerned a bit that you stated that your reviewer of the article did not understand that running with administrator rights on our systems is a key factor of why we get malware and spyware on our machines.  By all means forward this email and my email address to him or her and I'd love to discuss this in greater detail.

In my own office I had a Secretary that was getting malware and spyware on her system and the antivirus and spyware tools would not stop them.  Remember that such software is always 'reactionary' and not proactive in defense.  Since I took the time to adjust her system to run without administrative rights, she can no longer surf to sites and download icons and emoticons that I have not authorized, she can no longer merely 'surf' to web sites that may infect her system.

Two actions can get malware on a system typically in my office.

1.  Clicking and downloading from web sites that are designed to 'trick' the user into installing spyware.
2.  Surfing to a site that injects the spyware into the system because it piggy backs on unpatched web browsers, Sun Java or other 'infection' means.

Now given that I keep my web browsers fully patched, the second risk is lessened, but unless we stop the end users from downloading and installing software that they are truly not authorized to install, we will always be one step behind the bad guys.

Moving to another web browser is not the answer in the fight against malware and spyware.

Let me point you to a couple of articles on this topic:

http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp

http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx

"Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well."

Spyware and Malware was voted number 10 of the Top Tech issues by the CITP and ISACA members in an AICPA poll recently.  Spyware and Malware is big business that includes Russian mobs and other criminal elements.  By not doing all we can to protect our weak links in our firms…the desktops… we are playing right into their hands.  Firewalls do not stop this activity.  Antivirus and Antispyware are always one step behind.  As long as we do not control our desktops and instead rely on the ability for our end users not be be 'tricked' and 'scammed' we cannot adequately protect our systems.  The average user doesn't want or need to be a geek, but we in business need to protect their systems accordingly.

http://www.crt.net.au/etopics/migmaf.htm

Vendors like Quickbooks that consistently require "Administrator" rights also impact our security decisions.  I built a web site to highlight these vendors www.threatcode.com They don't have to care about coding securely because we… the buying marketplace does not care.  We do not care because we do not know why running with administrator rights is dangerous.  It's a vicious cycle.  Because the marketplace doesn't care, the vendor won't change.

To give credit to Intuit, the maker of Quickbooks, they have stated that they will change the way the 2007 version of the software is built to be more secure.  But this was only after the SANS.org organization made them their first "Hall of Shame" vendor for coding in this manner:

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=59

Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege

This new section allows the user community to share intelligence on applications that require users to lower their barriers to cyber attacks. Now that the US Air Force has established a minimum standard of due care, soon to be adopted by other government agencies, there is a standard against which to measure the application designers' security decisions.

The first inductee into the Application Security Hall of Shame is QuickBooks.

The latest release of Intuit's QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system "Administrative privileges" to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization's ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.

In response to Newsbites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.

--------------

Bottom line... as long as we don't know...don't understand.... we won't care.  We won't ask for vendors to make the software help us be more secure.  We and vendors both have to understand that that least privilege is an absolute minimun in this day and age of security issues.

So what's the ratio of Lawyers to Software Engineers these days?

An email was sent to some folks saying that they needed to ensure they were on a certain Office service pack.... and it looks like it's another case of Lawyers and Patents going overboard again....

Thanks to Mr. Amado, you can't link Access and Excel one way, you have to go back to Excel and change things.

From the PatchManagement.org listserve.... 

I believe this might stem from the Carlos Amado vs. Microsoft patent case
(http://www.siliconvalley.com/mld/siliconvalley/11829604.htm).  It's US
patent # 5,293,615 for those so inclined to read the volumes of legalese
abut it on uspto.gov.

Microsoft has KB article 904953 (http://support.microsoft.com/kb/904953/)
which is titled:

"You cannot change, add, or delete data in tables that are linked to an
Excel workbook in Office Access 2003 or in Access 2002"

This is the "More Information" section of that article:

"Because of legal issues, Microsoft has disabled the functionality in Access
2003 and in Access 2002 that let users change the data in linked tables that
point to a range in an Excel workbook. However, when you make changes
directly in the Excel workbook, the changes appear in the linked table in
Access."

So what do you want?

I want a SBS best practices tool.
I want a automatic GUI domain migration.
I want a ISA log that doesn't track the first 'unauthenticated and then authenticated' log in the log file.  Pick one,  I don't need both.
I want a tool that goes into a Spyware infested XP and can lift out all the good data and clear off the bad.
I want OEM systems to stop shipping with all the crud they do.
I want to have filtered audit logs that will warn me when only the bad stuff is occuring.
I want all error logs to be written in plain readable English and not require me to go first to www.eventid.net and then to google and then dig up something else.

I want all wizards to tell me proactively when I'm about to screw something up and didn't mean to do that....

I also want world peace and and end to world hunger and everyone getting along and virtual hugs to everyone and know that there's not enough money in the world to get ever everything I want out of either Microsoft or SBS or the rest of that list.

At the end of the day someone says "okay we can do this, we can't afford to do this".  It's called a budget.  It's something that we in Small Business tend not to do like our Big Server counterparts.  This is budget season where my sister works and the manuverings and stuff that goes on as they snip a bit from here... do a bit over there... and in the end no one gets everything they want.  It's a compromise.

In small business, our budget is typcially the checkbook or the credit card.  The ones I've seen never sit down with a plan at the beginning of the year and forecast revenues and expenses.  They don't set an 'expense goal' as it will for departments.  There isn't this end of the year, let's spend our budget because if we don't we won't get it allocated to us next year ridiculousness that large companies have. 

I'm also going to generalize and say that many small businesses are cheap.  Dirt cheap.  And what they don't realize that their manner of 'break/fix' computers is not only costing that firm more in the long run, it's placing them at much greater risk.  But that's the problem isn't it with small businesses.  They aren't used to the budget and plan method are they?  Rather then break it and panic and fix it.

So what do you want?  Because you can't get it all.  It's about choices and trade offs isn't it?

Just call it "Sam the SBS Server"

It's funny.... there are times I don't get marketing.....and there are times I don't get customers....

...take this for example... a guy complaining about the mailing about the "New" Small Business Server 2003.  It struck me funny for two reasons... for one there is a bit of a point to it that the consumer focuses on the 2003 and doesn't realize that there has been changes to the SBS platform since October of 2003 when it shipped.

Let's see what's different shall we?

For one... if you have Premium.. in the year 2006 you have the latest version of ISA Server 2004 that you didn't have in 2003.  We now have Exchange 2003 sp2 supported on SBS 2003 and thus can go up to 75 gigs of Exchange storage that we didn't have before. 

For two... since October of 2003, we've installed Windows 2003 sp1, Exchange 2003 sp1 and 2, Sharepoint sp1 and 2, MSDE and SQL Server sp4, Outlook sp2.. and every month I install new bits on my machine.  For that matter...every month I have a "New" SBS box as the bits I had the month before are not the same bits I have now.

You know what I would do if I were in charge of marketing?  Stop calling it by the year.  Instead just call it the "Latest SBS".

And when it comes down to it.... that business owner really doesn't care what you call it.  He's buying a solution, not a year. How about we stop worrying about the names of products and instead understand that what we're really selling here is a business process solution.  We're not just selling technology, we're here to help find a solution to a business need, fix a business pain, make something work, enable someone to do something.  The name of the technology solution is, quite frankly, irrelevant to the person writing the check.

They just want it to do when you said it would do.

So where's your media?

I sure hope Merv is wrong...but it sounds like he's not.

JRittley is stuck.. he can't find cdrom1 of his SBS 2003 media set that he got with the OEM Gateway server that he got. And what's the only way that he can get a replacement?

Buy an entire new Server OS.

Yes, you read that right, unless you order replacement cdroms within 90 days, Gateway says he has to rebuy the Server OS all over again in order to replace the missing cdrom.

You know.. I sure hope Microsoft realizes that all these stupid policies by the OEMs... no media and only the OS on a hidden partition replacement method, a 90 day replacement media policy... are affecting John Q. Public's view of Microsoft.

And me as a shareholder of Microsoft in my 401K is concerned about that...Dell or Gateway shouldn't have that much ability to impact the view of a software company in my book....

So ... you made a duplicate copy of your media and stuck it in a lockbox or something paranoid like that?  Me on Open License... I can get replacement media all the time for a nominal shipping charge.  I sure don't have to rebuy the server OS if I accidentally lose the disks.

Wow.

So?

Where's your media?  Got it in a safe place?  Got all your disks?

Ensure tinfoil is in place please?

Quick you may need this protection..... especially if you go and listen to the latest Steve Gibson podcast about the 'rogue developers of Microsoft' who placed 'an intentional back door' into the operating system.  In the meantime you may wish to also read the MSRC blog and their take on the same issue.

Now Steve says 'he's leaning toward Open Source because you can review what's in there'.  Oh.. really ...just like this vulnerability in Novell's SuSe Linux that just came out today and appears to already be under attack.  The vendor was notified on 11/15 and the fix out 1/13/2006.  "Remote exploitation of a heap overflow vulnerability in Novell Inc.'s Open Enterprise Server Remote Manager allows attackers to execute arbitrary code."  Why isn't that a 'back door built by rogue developers like the WMF exploit?

Tim says he's waiting for next week in his blog about this...and that's exactly what Steve wants.  Look at the 'buzz' this one podcast has gotten.  Talk about a very VERY unprofessional way to handle this.  First off... Mr. Gibson, I email secure@microsoft.com ALL THE TIME and seemingly even with the spam filters that tend to mark my pacbell.net as spam, I get responses from them.  Secondly, whether he cares or not, on the backchannels of security listserves, his podcast is being ...well quite frankly...laughed at.  Next...for him to say that he is the 'first' in this charge.....he was not the first to charge that WMF issue was a 'backdoor', on January 2nd to be exact, other bloggers and companies did.

If you are going to charge something like this, Mr. Gibson... first off don't charge something of this magnitude without contacting the company first, secondly .... to podcast something when you aren't even sure of all the facts?  That's just irresponsible in my book.

Enough with the tinfoil folk... get real....flaw yes.  Intentional backdoor by rogue developers?  Get reasonable Mr. Gibson.

Dear Tip Top Equities

If you think for one moment that I will even think of buying anything from you after you've spamming my Pacbell account for the last few hours.... guess again folks.  And why in the world would I want to buy a penny stock called HLV Capital anyway?

It amazes me that spam works.  Obviously it does enough otherwise it wouldn't be effective. Today I was asked if I could get rid of junk mail completely and I said "No."  Just like how junk snail mail pays for the rest of us to use regular postal mail, so much of what annoys us and bothers us, has a value to someone, a market. 

If there was only a way to get rid of the profit motive, this stuff would dry up.

So Mr. "Under the Radar Equity", "GrandSlam Stock", "Stock Radar", guess what....I'm not buying!

So I was on the MS Partner site...

And I was looking for SMB partners... so I started with the site how your clients would see you.... and I gotta say... now maybe this is Fresno or something... but have you truly looked at how professional you look to a client from that MS partner portal?

Some of you list no web sites, no email addresses, or your web sites are dead.... or better yet... the bio of your firm is .... well... if your only experience in computers came from after you yourself surfed to p_rn sites and you ended up having to clean up malware...that's not exactly professional in my book.

And folks?  Frontpage makes some better [admittedly boring] websites better than you guys do. 

Come on guys... look at what you look like to your customers and clients.  And quite frankly....some of you need to take a second look.

You'd think I'd learn by now

HA!

See that?

That's a Dell OEM with a Nvidia driver up in the "High Priority" patches.

I do not do video drivers via Microsoft update just because I've had bad personal luck with them... but I never get a video driver up there in high priority on a box that I've flattened...yeah yeah... I know... I should just flatten these guys and start again...you'd think I'd learn...

So I get the TechNet Magazine today...

....free subscription to US only [sorry about that check out www.technetmagsubs.com/zout] and on the cover is the ad for an article inside that says "Security Alert:  Disable your admin account" and I first thought...okay.... who's come up with that idea.... as do that on a SBS box and you'll find that when you apply Service Pack 1 the SBS part of the install won't work....

...so I flip to page 75 and .... oh...it's him.

Giving that he's now an honorary SBSer guess I'll cut him some slack now. 

:-)

When is free wifi not always a good thing...

Matt talks about an experience I've noticed as well... you get to an airport and you say "Hey, free wifi, that's so cool!" and then you realize that some ports are blocking and you can't do all the things you wanted to do in that time your plane is held over.  It gets back to that net neutrality again, where the pipe you log on to is able to allow you to do what you want it to do. 

I always carry my Cingular Wireless card for the PC so that no matter where I'm at, if it can get cell phone connection, I can get online...and if I'm at a place without cell phone coverage...man that is roughing it way too much for my level of comfort.

Mr. Murphy at work again

So I'm loading up a new Dell computer at the office and I connect it to the network via http://servername/connectcomputer as I've done so many times and I go to change the home page from being not http:\\companyweb [as it's a little slow to pop up and folks like msn.com anyway.... and wouldn't you know it.... I've been beating my head on this one screen for hours now.

DNS/DHCP is coming off the server, everyone else can log into companyweb just fine throughout the entire office, I can log into companyweb just fine using another profile on that one workstation..... it works just fine on the existing computer.......but not with THAT user account on THAT new workstation.

I've reset the permissions on that user account

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: user

Source Workstation: Annoying_computer_that_I'm_about_to_throw_through_the_window

Error Code: 0x0

And nothin...... it acts like the three login/permission on the entire web site issue...but the perms on the web site look good.

There are times that Mr. Murphy loves to play head games with us, doesn't he?  It would be the boss' new computer too wouldn't it?

...off to google... I'll let you know what the resolution was..if ...the computer survives that is....

Sometimes it's embarrassing to be an Accountant

Truly there are times that when I'm at geek events I drop the "CPA" credential because second only to Attorneys, my profession has a reputation of being behind on technology.

These days I'm embarrassed as well by the Accounting applications... between ones that won't support patches past a Security patch in 2004, to my favorite poster child of Quickbooks that to this day requires local adminiatrator access, for a profession that prides itself on Accountability and SOX and all that control stuff....we sure don't know how to code up an application worth beans.

So in addition to the information here on how to get Quickbooks to share data on a server, and here, Stefan reports on the smallbizit listserve that to get the program to share out properly, he had to give the Quickbooks service account full control of the directory where the data is residing.  Also he had to exclude the service account from the password policy and set it to 'password never expires'.  Then you had to stop and restart the service.

Okay so I don't know about you but the fact that with a $39.95 password cracker program from www.elcomsoft.com I can hack the passwords of Quickbooks in mere seconds, the fact that they still require local admin rights in the 2006 version, that they won't even address the local admin issue until 2007, doesn't give me all warm fuzzys that that application is sitting on my domain controller.

When is the backbone of business, the accounting application, going to step up to the 'secure coding' initiative here?

Guys, this is embarrassing when it's the accounting applications leading the pack here.

So I called and shut down two credit cards today

So as a result of my SB1386 notification, I called and shut down those two credit cards to ensure that they could not be used in any fraudulent transactions.  While there I was checking out some of their fraud protection stuff....

.... I can just see it now... 'Ms. Bradley... we're seeing expenses to Frys, NewEgg, CDW, Amazon, CompUSA and Sephora all one one day... and we think the Sephora has just got to be the fraudulent transaction as all the other vendors are pretty typical transactions.....'

Is McAfee [and other preloaded software] a virus?

So it's that time of the year that we look around and ensure our systems are up to date before busy season and get new computers if needed.  So I go and I buy the Dell Optiplex line, this time making sure that I bought the extra PS2 port option which isn't really 'extra' per se at all as it doesn't come standard with the box.

So I boot up, get it up to a workstation mode [before joining the domain] and there's my first lovely Red Mcafee window that hits me in the face.... well...says I.... let's get rid of that since I have the firm antivirus.....and I realize that there's no "x" in the corner to shut down this annoying configuration wizard.  You have to go through about four screens before you can finally get to a place to cancel.  Then to rip it off the box, you have to remove about three McAfee programs that are on the system....and I don't want McAfee in the first place!

The major insult to injury is the fact that in being installed on the Optiplex, it has with it's McAfee Security Center, taken over the duties of the XP sp2 Security Center.  Even though the a/v is out of date, there is no little red icon of Windows down in the system tray telling me "I'm screwed", instead there's the 'normal' McAfee red icon that tells me nothing.  So I uninstall that... reboot the machine...and the XP sp2 security center does not restart... I ended up having to restart the box 'again' to get the Red shield down there like I wanted it to be, being the indicator of the patches and the antivirus.  I still don't have my fully functioning antivirus that I want... and everyone that I tell this rant to said "oh just flatten the box, those preinstalled things are like a virus".  But how's the Mom and Pop non geek person going to handle this?  They don't need a McAfee security center... how are they going to follow Microsoft guidance for how Microsoft update and patching works when there's no shield in the corner?  No icon? 

Mr. Dell?  I bought this computer.. I didn't give you the right to shove the antivirus that you made a corporate deal with down my throat.  It's getting to the point that I'd pay more for a plain computer, because quite frankly I've had enough of this.

Solving all the needs

If you haven't seen it before a while back I did a "Us versus Them" page that compared SBS to 'normal' Server.  The other day another person posted in the newsgroup that they couldn't understand why the Server OS was the price it was and SBS...with all those other things on it... was so much cheaper.

Seeing a comment on the SBS blog talking about the SBS 2003 R2 choice of SQL 2005 Workgroup reminds me that the marketplace of SBS serves many people.  For me, and my industry, the very first time I've ever used SQL server was for Sharepoint in the SBS 2003 platform.  Prior to that I didn't even install it. 

The other day a consultant had a problem with a server and it majorly affected active directory.  When he came up for air long enough to reflect on his weekend, lack of sleep and pain to that customer, he asked for one thing...

"I have some concerns about Small Business Server", he said.  "Make it simplier"

So here on the one side of the marketplace is a Consultant who want less of the complexity, less of the glue, less 'stuff' to make it easy to recover, easy to backup, easy to ensure it's up and running.  And then on the other side is the Consultant that wants all the complexity, all the features, all of the functionality of the big database of the huge platform. 

Can't have it all, can we?  And you know what... I think the marketplace will understand the pricing of the platforms that small business can handle and they will choose what platforms they code on accordingly.

I am a small business.  And for now I am very happy to be on the SBS platform and you know what.... there are times that I won't get everything that I ever read about in a glossy brochure.  But you know what?  I know I can't afford a Rolls Royce.  I drive a Acura [it's like a Honda] and that's just fine for my needs. It's a comfortable mode of transportation and I'm quite comfortable in it.

So maybe I'll have to balance a bit of complexity of SBS with not getting a SQL that does an Oracle replication.  Because after all it's my applications that normally tell me what database they want, not me telling them what platform they need to code for.  I think they'll know that in my sized industry to pick the right database. 

But that's just what I think anyway....

Trend needed hotfix to send Perf reports out after V3

Wayne in the newsgroup reports that .....

FYI..There is a patch for Trend Micro V3 which corrects issues with SBS2003 Reports and other not being sent to external domains.

For more information read the thread Trend Micro V3 Issues 12/04/05

For  others who may have this issue you need; Client Server Messaging Security 3.0 - Messaging Security Agent Hot Fix - Build 1157

The zip file is; Smex_7.2_11571.zip

Which includes; csm_30_smex_72_win_en_hfb1157.exe

Which fixes:

"This hot fix corrects an issue that some MIME formats could cause    Message Module(TMMSG) to convert the original SMTP message into a wrong format. Converting the SMTP message into the wrong format  might cause Outlook Express to time out when retrieving email messages using the POP3 protocol."

Applies to SMTP too. Once the hotfix was applied SBS2003 Performance reports go straight out and Meeting Requests arrive intact.

Wayne

Okay I gotta rant... come on Trend "Request the smex70_win_en_hfb1157.exe file from TREND MICRO Technical Support.

Premium Support Program (PSP) clients can contact their Technical Account Manager (TAM) directly

No, Trend, you put a patch like that in a place that those of us who live in a 24/7 world work and live in can get to it.

[btw that wasn't Wayne ranting...that was me, Susan as usual!]

Sam the SBS Server is very upset today

I was going to interview Sam the SBS server for this ...but right now he's yelling and is so upset I can't calm him down enough for the Interview.  He's very upset that a year after he was deeply embarrassed by what he did that it happened again.  That people still have the original code on their systems and have not patched.

Server bug cripples Dublin law firms | The Register:
http://www.theregister.co.uk/2005/12/10/server_bug_cripples_dublin_law_firms/

He said that when this first happen it was Microsoft's fault.... now this is yours.

We now have this patch on the Microsoft update site.

You now have no excuse whatsoever to not have this patch on SBS 2003 boxes.  All you have to do is flip that server from Windows Update to Micrsoft update...which ... if you've ever WU'd that box it now recommend that you do so.

If these servers were installed by an IT Pro?  This is your job.  Both Sam and I cannot understand how the IT pros of the world not at LEAST know about Microsoft update, not trying to be learning WSUS, not be proactively helping your client to patch.  Want to know one of the ten ways to get your server hacked as per Johansson and Riley's book “Protecting your Windows Network“?

Don't patch it.

If this is a DIY setup, okay I'll cut you a little slack ...but even still... you don't even have to install WSUS... all you have to do is visit Microsoft Update as those SBS patches are now offered up.  I cannot believe that just as we reach the milestone of patches now being offered up on our boxes, that someone cannot find their way to Microsoft update... I cannot believe that they went this long without updating...that's RTM code of October of 2003 that hasn't been updated.

Let's review class of exactly how easy it is to visit Microsoft update.... start, click on Windows Update.

There?

Now on the right hand side, see that Microsoft Update box?  Click there and go through the process of installing it.  Download what it tells you to.

Heck, turn on autoupdates, because I'd rather you have unmanaged patches being installed on your box than none at all.

I'm sorry but I'm in a mood.... if you buy a computer READ THE INSTRUCTIONS.  It's our duty these days to patch.  It's our responsibility to learn the power of the technology we have.

Learn to patch.

Go to Microsoft Update.

Sam the SBS Server was ashamed of what he did the last time... today he's ashamed of us.   That we can't take the time to understand enough on how to keep him running.

If you don't have Microsoft Update 'flipped' to being the update mechanism on the server[s] you have and control, do it today. Make Sam the SBS Server proud of you and not embarrassed that you couldn't even keep him up to date.

We suck at communication

For the last couple of days I've had a project where I've had to read emails.  Emails that were not my own.  And I must say that email is damaging our business communcation.....

FOR SOME OF US WE CONSIDER THAT SHORT EMAILS IN ALL CAPS IS APPROPRIATE LEVELS OF COMMUNICATION

for others they consider that all lower case is the way to do email

4 sum its uzing shrt wrds

The sad thing is, much of what I'm looking at is business correspondence, and yet emails are treated like instant messages, with short comments that if you attempt to go back later on and review the conversations, much of the meaning is lost.  We don't need to put a Gettysburg address in email, or a Federalist paper dissertation, but I think we need to be a lot more professional in our business email correspondence.

What happened to the rules of letter writing?  And why has the “Instant Message“ method of email become the standard communication means?

It's made me look at my correspondence in a new light and make sure I'm not “IMing“ when I should be giving good business communication.

Dear Microsoft Licensing People

Dear Microsoft Licensing People...

When giving information to SBSers... make sure you are not giving them “Big Server Land” information.

It's Friday and I'm in the mood for a rant....

In the newsgroup today someone was trying to download a copy of a trial version as overseas they couldn't get the software through customs worth a darn, and so someone told them to buy SBS under Volume licensing and they said “oh yes that if you had Open value that they could get downloadable media..... they said... and I quote from the post...

'I have a confirmation from Microsoft that though it was not possible to download the media through eOpen, it is in fact possible to download licensed media through Open Value at the MVLS site. This is confirmed for US only.'

Well I AM an Open Value customer and I can confirm WITHOUT A SHRED OF DOUBT that it's not available for download.  Folks, this is why the media gets sent to me automagically because we need a product key.

See this download screen?

Do you see the fact that there is NO SBS 2003 on that listing? 

Folks when you talk to Microsoft in any way shape or form, especially when it comes to licensing, can you say to them “can you check and make sure your information that you are giving me pertains as well to SBS?”  And if they say there is no difference, don't believe them, because when it comes to Software Assurance and other small business licensing information, I can assure you that we are unique, we don't get all the benefits and for many folks that you call on Microsoft licensing, they really don't have a clue about the small business licensing.  Hands down the best resource for Smallbiz licensing is Eric Ligman and company on the Mssmallbiz site and the official Microsoft Mssmallbiz yahoogroup.

So ...want to know the real scoop of what I get with software assurance?  Check out this grid.

Okay let's review...since I have 2 servers and less than 50 desktops....

• For the Open Value that I have that doesn't go through the Eopen site but instead through MVLS site, I do get version upgrade rights.  So I'll be getting SBS 2003 Release 2 [WSUS, SQL server 2005 workgroup and Exchange 2003 sp2].
• I do get media for the server sent to me automatically [mainly because I can't download it]
• I will get Windows Vista uprade rights and a copy of Virtual PC Express edition for every Windows software assurance license I have.
• I don't have 50 Office licenses so I won't get training.
• I do get a cdrom called the Information Worker eLearning cdrom 
• I get a Windows eLearning cdrom
• I get a Server eLearning cdrom [it's not SBS specific though]
• Office gets home use rights
• Desktop - for every $200,000 of SA for Office and Windows I get one phone incident [translation... I get barely get one phone call at that conversion rate]
• Server for every $20,000 of SA I get one phone incident for servers.
• I get “cold server rights“.
• I get one user ID for Technet Managed newsgroups [I think I have enough newsgroup access :-) so I might pass on that one]

Someone said that Microsoft themselves internally should not necessarily pay for licenses but be required to track their compliance. 

Bottom line folks...whomever told that SBSer that we can 'download' a copy of SBS... is ...well... flat out wrong.

Upgrades to SBS 2003 R2?

Adam says he just talked to the MS Concierge and they said the only way to get R2 was to buy the 'whole' product again, as there were no upgrade options.

Adam?  Tell that Concierge-y person to go listen to the SBS weekly show where Guy Haycock 'aka the buck stops here' SBS Product Manager says there will be. 

Guy's post and that podcast should clear up any confusion.

One correction to Guy's post though.. he says that if you have SA for a nominal fee you'll get the media... for those of us on the three year SA plan it gets automagically sent to us.

And Adam?  The web site you were pointed to was Windows 2003 R2 pricing, not SBS pricing.  We don't have SBS pricing yet.

When standardization isn't a good thing

Sometimes standardization is good, and sometimes it's not....

Ed Foster's Gripelog || Dell Won't Recall Defective Motherboards:
http://www.gripe2ed.com/scoop/story/2005/8/30/0141/79530

Between the motherboard issue from the past, to a more recent issue we are tracking with fans going out on the Dell GX 280 CPUs.  When you start seeing a batch of hardware start acting flaky... ask around... you might not be alone and thus you might need to start looking a little closer at that system.

Declaration of Administrators and End Users for installation of software and patch standardization

Sun Microsystems:
http://www.sun.com/2005-1004/feature/
read that link regarding the Google toolbar being now included in runtime updates

I hereby put forth a Declaration of Administrators and End Users for installation of software and patch standardization.

If software companies can do End User License Agreements, I can have my own agreement and declaration of rights.

Dear Software Vendors.

When updating me, you will not bundle in technologies that I didn't realize you were partnering with.  You will not make it confusing to my Mom and Dad when keeping their computers safe.  This has got to stop.  You say that this is being done to support free and open source software and all it is doing is adding tool bars I don't want, software I don't need.

I refuse to install any Sun Java Runtime as long as you bundle software with it.

I don't want to have the Yahoo toolbar with Adobe reader either.  I don't want MSN desktop search with my MSN IM.  I don't want to have to constantly monitor every single application for options, uncheck boxes or any other ways I have to constantly monitor for unknown applications entering into my networks, my parent's computers.

As an administrator, as an end user, I demand that you do not make me have to ensure I read every screen, click every click to only get the software that I thought I was getting.

I agreed to install one application from one vendor.  I did not give you the right to insert a tool bar that gathers information from me.  I did not give you the right to precheck "yes" to installing additional software.

I want all of my vendors to start agreeing on a patch installation standard.  I want them to publish in a database their supported versions, where one can easily go to see in the registry what version one has, and other such standard procedures to audit the application of patches.  I want to be notified via email or rss feed when you are releasing patches for my applications.

You want my trust?  So that I'll buy products from you?  Use your software?  Then you be way more transparent and accountable to me.

I'm the user of your software only as long as I want to be.

Remember that.

Susan Bradley
Admin

Yeah I know... it's Friday... I'm in a mood.....so....anyone know the email address for Scott McNeally?

Knowing what you need

What if you heard a story about a person who had a laptop so infected that it needed to be flattened but they couldn't find the original cdroms to rebuild the machine?

What if you heard a story about a person who moved a file frome one machine to the office machine and ended up infecting the office network.

What if you heard a story about a computer guy who was supposed to write a database program, asked the business owner to buy a server from Dell, a Business server...and it sat around for like 60 days and when the programmer finally came in he said “you got the one with SQL right?” and the business owner said “I don't know?”

What if I told you that when they called in another person [a college student] to work on the server when the first guy walked off, no one knew the password so they had to use a cracking program to reset the admin password?

What if you heard a story about a person who was considering setting up only one machine in the network as the Internet machine because he didn't want to risk infecting all the rest of the machines?

What if I told you all these people..... are the same business owner?

The stuff I take for granted...most business owners don't know about.  They don't know that original cdroms should be kept for just this reason, but better yet they don't know the way to KEEP their systems from getting into this mess in the first place.  I make sure all email get scanned at a gateway before it comes into my office.  I buy antivirus for our employees at home to keep their machines clean.  And above all else, I would have hired the right person.  You get someone who has installed networks for small businesses.  Not someone who does this on the side.  Not someone who's a college student majoring in computer science [unless of course they have indeed installed SBS boxes before], you get someone that knows SBS boxes.

You don't need someone who has worked in large enterprises, you need to have someone who has handled the issues of a small firm before.

Mr. Business owner?  You go to an appropriate professional when you get services done, right?  A doctor for medical needs.  A mechanic for car needs.  Why do you feel that 'anyone' can work on computers?

Don't change the way you set up your computers, change the way you hire your computer specialists.  You set up your network to be your defender not your infector.  You get someone who understands the needs of a small business.

You get a professional.

I got my backup wizard back

If you remember from the other day my backup wizard wasn't working ... well got it all fixed up.  Now I'm not going to tell you what was done to fix it for two reasons....

one... the chances that a real nicely maintained and well cared for SBS box is ever going to see what I did to my box is very very slim to none....this issue was on my old, beat up, beta bugged, so many betas that it permanently has “build number“ in the corner box.

for two... this isn't a fix that was found lightly.  A debugger had to be set up on my system to figure out what had gone wrong on it... needless to say it was a registry key that ..once gone.... kinda screwed a few things up.

The moral for this story is?

No amount of googling, newsgroup posting, searching would have solved this.  I could not have solved this.  This took someone to set up a debugger on this box to determine the underlying cause.  I needed Microsoft product support services on this.

Furthermore, this was an issue that was worth every penny of a support call.  If this had been a real box, this was one sick little puppy on our hands.  As it was I opened up the case because it was a stumper of a case.  Folks that say “I can't afford to call product support“ ... I'm sorry but if you business is like mine and it depends on technology, you can afford a reasonable amount of maintenance.  People will put gas, change the oil, get their car tuned at the mechanic but consider calling support something they don't do.

Well it's time you made sure you include Product support in your toolbag.  Notice as messed up as this little guy is we didn't reinstall it, we didn't flatten it.  Even as messed up as it was, it was not bad enough to force a reinstall.  Those who say “I come into installations not knowing the issues so I just reinstall“, take the issues one at a time.  Look in the event logs,  Google up the obvious errors, go to www.eventid.net for the harder ones, ask in the newsgroup.  But when you can tell from your googling that you are hitting a brick wall, you call.

Only 6

I was at yesterday's TS2 presentation and only 6 people in attendance were using WSUS.  Remember SBS 2003 in the R2 era will have WSUS inside the box.

Now I will still honestly tell you I vastly prefer Shavlik's push, patch, done versus WSUS's setup, tinker, approve, review reports....but gang... you need to download WSUS on your own systems and start playing with it now. 

To me WSUS isn't just a patching program, this is risk management for that firm.  And if you are not helping that firm deploy patches, service packs...why not?\

Want to stay safe and secure?  You patch.  To me it's just a natural part of the computing process.  And as long as I've built in the processes to ensure I have a easy way to recover on the rare remote chance something might occur, patching is not an issue.

Today in the newsgroup someone said “I have an old backup”...I'm sorry but with USB harddrives as cheap as they are, given that you can hang one off a shared drive off a workstation, you have NO excuse not to have a backup.  As easy as the SBS wizard is.....shame on you for not doing what you can to protect your business.  You have a responsibility to yourself, your family, your employees families this Christmas time to keep your business operational.

Patching and Backups.  Two EASY ways to keep yourself in business.

Man if you aren't a partner after this....

So I met Stephen today... Stephen Cracknell at the local TS2 presentation.  And at the end of the four hours, after all the offers, links, invitations to email him, to cc' him, to ensure we gave him feedback, I think the about the only thing he didn't do was invite us over to his house for Christmas Dinner.

You know you get out of things what you put into it.  And there's a lot of offerings out there [yes, many of these have US only or are US centric but yo... I live in the USA so cut me a little slack, but do check with your local Microsoft office and community]

So what did the TS2 presentation go over?

• Build your pipeline by becoming a Small Business Specialist.
• Attend TS2 seminars on the web
• SBS hands on labs
• Get the 70-282 exam prep book [for the Small Biz Specialist]
• The action pack as of April has had virtual pc demos in there.
• Set up a partner event and have Microsoft deal with the invites [and even some organizing for a fee]
• Book a mobile event [but read Happy Fun Boy's blog series first on how to do it right]
• Free presales Tech support to help you close the deal
• Are you ready for SBA and BCM?
• Point of Sale
• Partner smallbiz site
• Partner resources
• Partner newsgroups
• Discounts
• ...and tons more....

But do you get it that all of this stuff starts with YOU becoming a Microsoft partner and better yet YOU becoming a Small Business Specialist?

Ready to Learn

Okay if you are reading this you aren't the person I'm going to be ranting about.

You are here because you've gotten plugged in.  You've stepped up to the plate.  You are a person I would not mind sending a Small Business client to. 

And I apologize in advance to those of you this rant is intended for ...the ones that won't even been reading this.....but I think your technology customer deserves better.  You aren't listening enough.  You aren't taking the time to learn.  You aren't open for new ideas.

Have you noticed lately that many of you have been competing with a person that I'm not sure I would call an “IT Pro”?  A person that this is a side job, that it's not a career or a profession?  A person who idea it is that computers and servers are 'throwaway items'?  That in all the spin of “technology is easy” we've not realized that the only way for technology to get easier for the end user is to make it harder under the hood.  Yet there are folks I've seen posting in the newsgroup that I have to remember Grey's words to be more patient and kind to.  They come in with a “I know it all attitude” or they come in with a “I don't need to crack a book” attitude.

I don't mind the person entering the Small Business Marketplace that grabs a book, sets up a test network, reads a KB article...heck.. can attempt to Google up an answer.  I do mind the consultant who's not listening to their customer, who's not taking the time to practice a solution, or learn something new.  The one who sets up a box incorrectly and then complains that 'hasn't anyone ensured this works?“ when it's a misconfiguration that they've done to screw up the system.

I do mind the person who blindly says “Oh my customer doesn't need Exchange, will never use it“   Why do you say that?  Shared calendars?  They don't need that?

I do mind the person who blindly says “Oh my customer doesn't need Remote Web Workplace“.  Why do you say that?  Have you truly evaluated their needs?  Remote connectivity?  Heck we're leaving more and more of our workstations on 24/7 to remote back in.

I do mind the person who blindly says “Oh my customer doesnt' need...... fill in the blank....“ Why do you say that?  Aren't you making decisions based on what you think their needs are?  Are you thinking ahead enough?

I do mind the person doesn't set up a SBS box with the wizards and thinks they are smart enough to know better to set them up without the wizards.  Sure, understand what they are doing, but you'd have a hard time convincing me that installing all the parts of SBS, manually configuring everything, that you can set it up as dependably as the wizards.

As a customer, I would rather you not learn 100% on the job on your client.  Do your homework for some of these things, you know?  These days as cheap as Virtual Server is {$99), there's no reason that things like your first install of a SBS box should be in your client's office.  There's no reason that your first Swing migration should be a clients.... practice on your own network with a copy of Microsoft's new Virtual Server.

In fact, I'd strongly recommend that you grab a copy of Virtual Server.  You can practice all you want on a variety of things in a virtual setting and keep copies so that you don't screw up a real server.    How about virtual hands on labs?

The point is ... go into your client with confidence.  Yeah you don't need to know everything.... but have the attitude that you are open for learning, open for new ideas ....

...but then again... the people reading this post already are open for learning and new ideas aren't they? 

The Toy Server

The “toy server”. 

SBS has been called this by even some of my fellow MVPs as the “Toy Server”.  Yet under the hood is the same active directory, the same bits and code, the same parts as our big brother servers..... and as such we have the same abilities to do stuff as our big brothers.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/kb/255504

See that KB?  It doesn't matter if you are SBS or Windows Server... that command works.  The only thing we cannot do on a SBS server is take any one of those roles off our SBS box.  All 5 roles must permanently stay on a SBS box.

• Schema master - we only have one forest...heck barely a tree.. so no surprise there
• Domain naming master - role in a forest [again, we're a tree] and this role is required to add or remove domains to or from a forest
• RID master - and our SBS box is the one that needs  to hold the tools and updates to user accounts and computer passwords
• PDC emulator - one for each domain [hello we only HAVE one domain]
• Infrastructure master - again since we're the ones that do the forestprep/adprep in our wizard, we keep it on our box

Because our wizards/our SBS box does the dcpromo stuff, we don't see, don't understand what is going on under the hood.  Active directory in SBSland just works because it's been standardized for us.  Smarter folks than us have figured out how to set it up and standardize it. 

But here's the thing...because these roles must stay on the SBS box, because even as a “toy server“, we have all the glue, all the gunk, all the same things as our big brother servers we can easily replicate this information to another server in a process that big server land does all the time.

The funny thing about going through about 1/2 of a SwingMigration this weekend is that all my hanging around and unsuccessfully lurking in the Active Directory listserve is that other than that we don't have to WORRY about configuration or planning of active directory, it's the same gunk.

So far I've replicated the active directory to a temporary domain controller, disconnected the temp dc [important step as the edits and seizing you do next you want to make sure you are not replicating back to your still good and still running main server] and then seized the roles because the NTDSUTIL command first attempts to gracefully transfer and since you don't WANT to be taking the roles from the still running production network, this the utility says “Okay, whatever I'll just grab what I need“,

So those of you who know me, who know that I bought a kit and am doing this to move to a new server at home because it's so wheezy are probably wondering why in the world am I going through all of this for a home, 4 computer network?

Because of my sister's customized Disney desktop.  If I screw up her desktop one more time, or her Outlook settings, or her...anything on her machine, I'll probably be sleeping out in the garage.  It's that important that the burden in migration is on ME not on the end user [aka her].

So comparing a migration that I purposely did last year with a clean install to one using the FSMO copy roles aka the Swing Migration method?

I still would argue that migrations suck in general.

But as far as the attitude that some folks have that we're a “Toy Server”?  Not under the hood. Not where it counts.  It's the same active directory....and as such we can use the same tools as our big brothers to help us in migration, in disaster recovery, in all sorts of things.

If you are reading this blog from a Server

Like Happyfunboy says...

SHAME ON YOU!

Now I'm going to assume that you have a laptop running Windows 2003 and it's not your production, domain controller.....but if it is STOP DOING THAT!

You are introducing risks in your firm and you more than likely removed the Enhanced IE security that makes Windows 2003 server immune to the latest security advisory.

Dear Active Directory Migration people of Microsoft

So I just went through part of Jeff Middleton's process designed to move the domain roles from one server to another...something that big server land does a lot of but we don't down here.

I'm just putting you guys in AD on notice .... in a very public way....via this blog..... you gotta blonde this down before we're forced to upgrade to 64 bit.

I understand the process going on with the transfering of the FSMO roles and the process of moving the server to where the desktops don't even sense that a change has been made, but let's get real.  Not all of us SBS 2003 owners are going to want to migrate...what they have will be 'just fine'.  I'm sure it's like the consultant crowds are seeing a bit now.... those networks/owners where things are “just fine” are still on SBS 2000.  But for those of us that do... and for even folks that use a consultant..... many of the IT Pros out there have never done this before.  Heck even Brian Desmond ensures that people go through apprenticeship before letting folks loose. 

Let's review our current options for migration

• Inplace - oooh yuck - leftover permissions and junk and running on possibly underpowered hardware  [and remember this one we can't do in 64 bit era]
• ADMT - Microsoft mothership approved...but you rename the domain and rip everything out and your Exchange mailboxes size may grow [not quite the issue these days...but still]
• Clean install - another rip out the domain glue
• FSMO transfer role with drop in of Exchange store- [aka Swing] Joe may like command line ...but if this is going to go from only being done by IT Pros to being done by reasonably intelligent DIYers....sorry Joe but I think this could be made a lot easier with a good gloss of GUI on top.  And I'm not sure at all we'll be able to do that 'trick' of 'drop in the Exchange store' reconnect and we're done.

Get the idea that migration sucks in general?

I like nice pretty gui screens that ...yeah...while I might not read them .... are designed to keep me from being stupid [or hopefully try to be].  Server "kikibitzfinal" knows about 5 roles

Schema - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

Domain - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

PDC - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

RID - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

Infrastructure - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

And yeah I can drill into the Active Directory Users and Computers and check the status of the FSMO roles, and I can use ntdsutil to view them... but Mr. AD people?  Gotta get it easier than this....that's for sure.

So if I just bought it... why does it need updating?

So I bought Trend's PCCillian Internet Security 2006 ..and I downloaded it on DSL here at home so I wouldn't have to 'watch paint dry' also known as using dial up to download it.  So I burned it on a cdrom, took it over to Dad's computer, installed it, registered it, and sent it off to update it so as to make the XP sp2 security center to say it was up to date.

And it needed both an engine update and a dat file update that took an hour on dial up.

Uh... I just bought you from a web site.

The application is called 2006 version.

And the point of this was to make it easier for me to secure his system and yet it needed a major update before he was truly up to date.  I do have one more download, Office 2003 sp2 as that would take about 2 to 3 hours on his connection and 10 minutes on mine.  I just might have to violate the 'buy nothing day' to order DSL/Cable modem for him.  I mean it's not like don't mind being there for that long....but dial up .... is so ... well painful.

A little too much security

Eve of Thanksgiving.....everyone else has left for home or away for the 4 day weekend.....

I go to remove the backup device to take an offsite copy......

Use my keys to unlock the safe, swap out the drive, leaving the keys dangling in the safe....

I turn around...ensure the door to the server room will lock.......

.....  “click“  .....

..... and .....

....uh.....

where did I just leave the keys to unlock the office door, drive my car......

...... uh....

oh dear......hmmm.....

good thing the phone still works....

the blonde strikes again, doesn't she?

Dear postoffice of host.hawk.igs.net

Right now your admin did a stupid thing... they put a “please notify infected parties when I receive virus laden emails from someone that they need to have someone look at their mailserver” setting. 

But here's the thing.

It's a totally STUPID setting.

With all the spoofed emails today it's totally meaningless.  Man if you were not blocking zip files I'd be doing it right now because this Sober variant is changing so fast that trusting your antivirus will keep up with it is stupid.

So Mr. host.hawk.igs.net? 

Shut off the virus notifications ...they are meaningless.....they only add to the Sober variant problem.

Want to talk to a human?

This ... you gotta listen to....

NPR : Phone Guide Is a Real Customer Service:
http://www.npr.org/templates/story/story.php?storyId=5024153

Morning Edition, November 23, 2005 · Entrepreneur Paul English has produced a "must have" for the modern consumer. It's a guide to the customer service phone systems of major corporations. The big payoff? The guide tells you the quickest way to reach a human.

Paul's site... THIS is going on our firm's website/sharepoint -- http://www.paulenglish.com/ivr/

...so Microsoft called my Boss today....

And invited him to a morning presentation on Mobility, MOM, Security solutions and other ways to deploy end to end secure solutions for clients to make scalable and dependable infrastructure....blah blah blah blablah...... at about which time he turned the phone call over to me....and pretended to the lady on the phone that he didn't do anything with Computers and didn't even know how to turn them on just so he could get back to work.  He figured I might be interested so he turned her over to me... even still... as geeky as I am I said “uh can I get back to you on this invite?  So I went to go dig up what they were inviting him to ....and they had to have been reading from the wrong script is all I gotta say.....

'Join us at Microsoft Connections for a look at the tips and tricks you'll need to get the most out of your investment in Office 2003 and Windows XP.  We’ll highlight the ways you can use applications like Powerpoint, Publisher and Outlook more effectively to get your work done faster.  You’ll also learn how your PC running genuine Windows XP can make your environment a secure and productive one.  If you’re looking for a smarter way to communicate with your customers and grow those relationships, we’ll take an in-depth look at Outlook 2003 with Business Contact Manager.  You'll want to stick around to see how the brand new Small Business Accounting 2006 can make managing your business finances easier than ever.'  

That sounds a smidge more reasonable than scalable and dependable infrastructure.... but even still... the buzz words that were coming out of the description of the event.... I don't think even Steve Ballmer himself would have been enticed to attend that event.  I just sounded so plastic and not real world at all.  I reminded me of.... well let me put it this way there are some words I'd like banned at Microsoft presentations.....

• Rich as in ...rich client experience.... rich user experience.....
• Actionable ... action item....
• Competency ....now in fairness this is a word that is annoying to me because of other baggage it has...not just Microsoft's
• Deliverables.... is that even a real word? 
• Leverage..... this one annoys me too...
• and more here ....

Bottom line... even for your geeks....the buzz words get a bit much....

Yes the sky is falling

Incidents.org reports a “0-day” for Internet Explorer and while one should always use caution these days when surfing I think we're not fixing the real problem here.  This issue along with many others can be mitigated against if we run any software program more securely.

The issues is javascripting that can leave the attacker in the “rights of the user”.  Don't run as admin or tighten up your browser ...which everyone should do...

Run IE in high security or if you are surfing on unknown places use 'drop by rights', but let's stop yelling the sky is falling and instead, lets fix the real problem.  We're trusting all of our browsers too much and our workstations that run as admin are not protected enough.  Firewalls are not enough here.

Update:  Read Dana's blog and reports are on Mozilla browsers it's a Denial of Service.  I'm going back to waxed string and paper cups.

The competitive analysis

Something happened at a SBS partner group meeting .... let's just say one vendor who obviously helps host the event, helps to provide infrastructure to the event blew it.  They had a chance to step up to the plate of where we are in business today.  But ... actually let's put it straight on the table here... one person who was still living under the misguided view that their best way to compete was to exclude.  So they saw a topic about another operating system being presented at a Group meeting and asked for the advert to be pulled.

And you know what happened?  That one person represented all that is the dark side of marketing.  Remember when I said the other day “And the truth shall set you free?”... well marketing folks?  Salespeople?  Listen up.  You don't control the message anymore.  Oh you can try.  And you can use new technologies and channels to try and get my attention, but I have a lot more ways to get my information than from you these days.  So instead of opening up and having a meeting about how a server product can interoperate beautifully with many products, how in a small business you probably have Open source right under your nose [Opened up a Linksys?  Guess what OS is running it?  It's not windows]  

So instead of an honest, here's the facts and ways that every small firm has both of these in your firm and making the customer happy you end up causing a bit of ... well I wouldn't say upset...but let's just say you played right into the stereotype for sure.

Now, if I had been that Sales person/manager/whatever position it was that saw this meeting announcement, rather than calling someone and asking somone to ask to take it down, I would have instead turned the meeting around....

I would have pointed out the Interoperability between other platforms and SBS.  I would have pointed out that Mac's work quite nicely.  I would have pointed out that in public comparisons of SBS to alternative products they totally blow the stats.  [I'll do a call out on one of my personal favorite studies... shall I point out how they screwed up? ...

First..  they say Nitix is self configuring..that when new users are added that directory, email etc are set up.  That SBS has no comparison.  Dang... you mean I've been running that user wizard that sets up the email, user, etc and then I run the //servername/connectcomputer all this time and they don't do anything.  [obviously I'm not sure what they are comparing are apples and oranges but there are comparisons]

Next... they say Nitix is self protecting..that it sets up firewalls automatically and have the ability to evade attacks.  Dang..once again I guess that setting in Windows 2003 sp1 where the firewall is enabled until you run the connect to Internet wizard and only open up what you need doesn't work 'eh?  And that Data execution protection that blocks potential buffer overflows has no merit?

Then... they say it is self managing..that if you change the configuration of a service the affected subsystems are affected, again ... I'm just going from words...but the Connect to Internet wizard, the Change IP wizard has many of these features.

Then...self healing...built into the services of Windows are a lot of 'on fail take this action'.  So again lets compare honestly.

My favorite has to be the chart on page 11 where it states there is no firewall and no database in Small Business Server 2003 Standard.  Hello?  What exactly do you think the RRAS firewall and the MSDE is in that system?  I have both a firewall and a database at home.  No spam blocking?  Exchange IMF version 1 and now Verson 2.  Cost?  Free.  Redundant internet connectivity is only effective with an external router so as to not change out the DNS on that external connection.

And then last but not least...the major advantage Windows/SBS has over alternative platforms in the Small Biz community is the “Bus“ effect.  You know... the “Bus effect“ don't you?

The “if my IT pro person gets hit by a Bus I know that I can call up a Small Business Specialist and find a person that can help me out.  I don't want to be tied to one IT pro ... I want to ensure I have support.

That's the kind of comparison that “I“ would have done in this meeting.  Rock solid comparison that showed how Sharepoint has no competition.  That Sharepoint can be used by Macs. 

So Sales people?  This is how you compete.  You compete on the facts.  You invite your competition to the table.  And then to use a Happyfunboyism  .... you then KickAth!....  well you kick some you know what around anyway and you show that SBS and Linux and Mac and Windows Mobile and ...whatever you want can all work together.  It's all about picking the right solution for your small client...and if you build a better mousetrap .. you have nothing to worry about.

Off topic a bit...but have you noticed....

That sometimes words end up in your vocabulary that have meanings you didn't quite expect?

To me “the blog is horked“ means....well it's broken...not working...

Well ... reading the urban dictionary version...

Oh man.....

Yuck.

I mean we already have a problem with grammar and spelling already due to computers.  Who knew that a messed up blog description could be so.... well... gross? 

SBS Podcast Show - Intense about Disaster Recovery

Vladville - SBS Show:
http://www.vladville.com/sbsshow/2005/11/sbs-show-episode-4-recovering-sbs-in.html

The second part of the geek out podcast is now here.  The SBS Show this week is now online.

As HappyFunBoy said on IM...this one was pretty serious stuff because the two gentlemen being interviewed LIVED through disasters.  You want “been there, done that”, these guys are “been there, been through that”.

Blog is horking big time today

Many apologies, like most technology, the minute you threaten/plan new stuff the existing stuff starts failing... big time.  We apparently have major issues with the rss.aspx feed so we're getting 'server busy' about every hour on the hour.

In the process of moving to our own server rather than the co-hosted version so hang tight.

Isn't migrations fun?

Dell Optiplexes and the "cheesy" keyboard

Got one of those new Optiplexes from Dell ...the ones with the SATA drive and was surprised that they keyboard and mouse could only be USB.  I don't remember that the spec's saying that they were not going to be shipped with PS2 ports.  Yeah it's not a biggie...but it is. 

For one inform me that you are doing this, for two, why do you have to ship the cheesiest feeling USB keyboards as a result.  I'm probably going to buy a Wireless keyboard or something a bit beefier.  Yeah we got plenty of USB plugs but the point is.... the Optiplex's ....or at least this model just dropped a peg in my book.

Did I miss November?

Went to Target tonight... that's pronounced...Tar...shay you know.

Okay...can someone tell me what happened to the month of November?  Since when is Christmas right around the corner?  Did I miss Thanksgiving?  Is this December?

The Religious wars ....the technology wars

You know what gets tiring on some listserves that have a security focus?  The religious wars.  The “my software is better than your software” stuff.  The the whole “I don't want to pay for software” or the “we use open source software because it's free”.

Nothing in life is free, or so my Mother told me. 

Maybe I”m the weird one, I don't know...but the idea that I'm going to trust my business to “software by a volunteer committee” or something somone downloaded for free it just slightly freaks me out.  I have to stop and make a business risk decision regarding my choices.  I guess it's because I've been on volunteer committees and ...well.... I know how they work.  There are times I've been on committees that it is really excellent people and really the people that should be at the table are indeed at the table.  And then I've been on other less structured committees and ...well...the people that end up at the meeting table are just the people that showed up.  In my own City where I live where the people that show up day in and day out at the Council meetings, that give feedback regularly, that give input to the Council meeting...well that's their life.  That's all they do.  And they don't live in the real world enough to bring that view to the table.  They are just 'there'.  They just show up. 

The reality for today's business world is that we need a blend of tools.

Many argue that the active directory structure of Microsoft [especially in Windows 2003] hands down is better than other platforms to give a firm control.

Many argue that the desktop permission structure in other platforms, both Mac and Linux is more superior. [Well at least they are better at forcing their vendors to code appropriately anyway]

Arguably the platform with more forensic tools and distributions [KnoppixSTD and the like] is Linux.

As a business owner if I were picking an operating system based on “free“, you'd still see me at the checkout stand buying Novell's SuSe distribution.  Why?  Because I want an organization behind what I deploy.  I want support.  Don't get me wrong ...the community support of SBS is fabulous...but at the end of the day if there something amiss with my system, I want someone at the other end of a phone line that I can talk to.  I want someone who's made it their career and not a hobby to support the platform.  I want an operating system...no matter what the brand.....built by a person who has a vested interest in that platform from a career standpoint. 

Sometimes the decisions that come out of committees don't end up always the greatest decisions.  Look at our Congress for evidence of that [need I say more?].  The manuvering and deal making to get some of these decisions out the door is just crazy.  Yeah, big businesses can have just as much politics as Congress going on some times, but I still just have a lot warmer, fuzzier feeling about buying the things my business depends on. 

The funny thing I find when the “religious wars“ start up is NEITHER side knows enough about the other one to make reasonable arguments regarding their position worth a darn.  Windows NT is dead.  If you are still having to support NT, 98, 95 or ME I'm real sorry for you but stop using it as a benchmark. 

The next problem we admins have is not knowing.  It's getting to the point these days in the Server platform that we're getting like the Office platform.  “I want the OS to do this“..... “uh...it does that.“ 

I think some of this comes down to not taking the time to learn.  You know the guy who found that Sony Rootkit?  He wrote a book.  Windows Internals.  And what's the stereotype for the average IT person?  We don't read.  

I'll bet many of this blog have not read or know and I'll bet little of us out here use some of the following:

• Software restriction policies - want to restrict what software users load up?
• IPSec - want to ensure that only computers you want talk/connect/link up with the computers you want?
• Group Policy - control desktops, what the user gets to use, lock down IE, control the firewall...
• Windows 2003 Security guide - and if you are looking for a “click here and secure me“ ..this is a learn more about your system..the point is to this guide is that YOU have to understand your system to make the choices

Someone in a listserve today said they liked a certain vendors setup because it didn't rely on agents but rather forced you into better understanding the foundations of what you were setting up... ISA 2004, IIS, Windows 2003 server and XP sp2.  He said he prefered that over 'agent based' because it masked and made you not understand the foundations of the network you were setting up. 

It's funny isn't it?  Technology wars have parallels with human ones.  I think if all of us took a bit more time to learn, to understand, to find out more about the other guy, the other platform, the other technology, we'd stop these silly arguments and start fighting the real enemy. 

So my challenge for you this weekend is as follows.....Don't just read Mark Russinovich's blog about the Rootkit issue, download one of the free tools from the Sysinternals site.  Learn what it does.  Peek under the hood of the operating system.  Go read a book or two.  Listen to a podcast or two.  But lay down the weapons shall we?  Because as a small business owner, we don't necessarily care what you recommend, we just want you to listen to us, pick the solution that will best fit our needs and then we want you to know it.

Setting up and trusting

Gordo talks about how a misconfiguration of a Desktop search caused issues in a network.  Are you aware of the other issue that it may have?  On your Exchange?  The SBSPodcast guys talked about it last week and they pointed to the KB article

Exchange 2000 Server and Exchange Server 2003 performance may be affected when desktop search engine software is running on Outlook or other MAPI client computers:

I'm getting a bit annoyed about all these defaults that some of these programs are doing and when I ... okay..so I.ranted about how Thunderbird had automatically set itself up to update, I forgot about my MOST hated silent installers.

Adobe.

Tsee reminded me of the sneaky way when you download the Reader that if you don't uncheck the boxes you end up with the Yahoo toolbar.

Yup, I agree... hands down ...probably right behind Sony's DRM issue are installers like this.

You know what Robert, if Microsoft OR ANY of these software/webware vendors expect to earn my trust, how about in addition to a privacy policy that I can read ahead of time, how about a “my rights as a end user“ doctrine.  That you only install want I give you the right to install, you only do it in the manner in which I agree to, and above all else you stop taking me for granted.  If you think my small business clients are going to trust you or any software vendor these days the way you guys are treating us?  I'm sorry but the lack of respect that the online world gives to us out here..... Bill and Steve may be saying it's 'turn turn turn' time to go to the web, but until we “trust, trust, trust” the web, we ain't buying out here. 

Quite frankly .... we don't trust you.

You guys are going to have to earn it first.

Doesn't everyone get goosebumps when http://domain/connectcomputer works on a MCE?

So I used the “Banana hack” to get the domain bits back enabled under the hood on my Media Center Edition and just for grins I didn't manually install/join the domain.  I wanted to see if all of SBS's wizards would work.

There's nothing like a slight goosebump feeling when you realize that the SBS wizards all work like a champ.  http wack wack put your domain name in wack connectcomputer and [making sure you put that into your trusted zones in IE just to make it easier] and we got a domain joined MCE that ...the first thing it does is load up automagically the Outlook and Trend Antivirus. 

That folks [are you listening MCE people?] that's why I love a domain.  I want the server to be the handeroutter of this junk and I don't want to use the Trend PcCillian peer to peer stuff, I want to set this stuff up at the server and never worry about it again.  I want it to have the blue dot in the corner and be controlled by my server.  I don't do games, but I want the TV stuff.  And I want it joined to my active directory.  Next up to test out Remote Web Workplace [wonder how TV streams over that RWW connection, eh?]

So to all those folks who didn't want to buy a MCE edition for your firms to be the WOW factor because it wouldn't join a domain...

DO IT.

Join that domain.  Hang it off your SBS Server.  You don't need X box extenders in your conference rooms.  But hang it off your SBS.  Heck even WSUS has the MCE patches these days.

Kick that WOW factor in your office ten fold, get one of those plasma screens that look really cool and get a Media Center computer.

Inplace upgrades are just not my thing

Marcus posts about his inplace upgrade of SBS 2000 to 2003.

First off, I'd never recommend an inplace upgrade.  For one, it leaves behind permissions of both the 2000 and 2003 permissions.  Ick.  Messy.  Then there's a couple of problems I see here... he's been listening to marketing... he says SBS is for the less than 100 employee firm [try 75] that doesn't have a IT person on staff and wouldn't call PSS.

Well for one.. small firms outsource their IT to consultants.. ones that are SBS experts... and two.. heck I've called PSS and paid the fee for support.  Gladly. 

Since when do small firms not spend money for good solid support?  Not here.  We see value where it's needed and will pay for support. 

No Marcus what this really points out is not a problem with the SBS product per se [I hope you used the wizards?] but rather the fact that migration and upgrading platforms in Microsoft operating systems... well..it still sucks.  Why do you think there are folks still on the NT platforms.  Because migration isn't easy.  And I would not recommend that any firm who has an existing domain try to do it without someone who's done it before.  Active directory migrations are not easy.  And it's only going to get worse the next go round.  We're building up a lot of glue and not really giving any sized firm a really good migration...or for that matter... a disaster recovery story.

Sounds like Marcus missed that SBS does it's own self signed certs for Outlook over HTTP and inside the remote connection help file of Remote web workplace it has an exact how to, step by step instructions on how to set that up. 

Marcus, the best thing I can say is don't let this one off set your view of SBS.  You did a messy upgrade that even the pros don't like to do.

But I'm with you.... we need to get the story right for the future.

Try a clean installed SBS 2003 next time.  And all the wizards.  I think you'll come away with a different view.

Dear CAL people

To whom it may concern in the SKU and CAL department.  Yes, I know that we've asked before for less SKUs.  We've asked before for easier licensing, for Dell computers to be forced to stop saying XP Home operating systems are 'suitable for small businesses'.

There's one more thing I'd like.

I'd like another SKU.

Yes you heard me.  I want to have one more SKU for a SBS add on.

I want a Terminal Server bundle for SBS.  I want one SKU number to give to a small business owner or partner that would represent a Windows Server OS and 5 TS cals [and then add on more in increments of course].

Have you ever tried to explain to a normal human being that all they need is one Windows Server license, that the Server cals they say you don't need because you are a SBS server owner has nothing to do with the TS cals?

Even after reading this whitepaper, the normal human being still goes “huh“?

I talked to a normal human being today and it was obvious that he was confused by this document and just wanted a product SKU number that he could go to his vendor and say “I want that“.

So Microsoft CAL people?  Can I have one more SKU?  Please?

Taking action

91 percent of Canadian small businesses see Software piracy as unethical, says the headline.

Unfortunately around the world, there aren't enough Canadians, I guess.  Because there are enough firms, enough folks that are going to screw it up for the rest of us.

What am I talking about?  The Microsoft “Action Pack”.  It's a software kit for Microsoft partners to use and install and LEARN the software.  And it's reasonably priced.  Very reasonably priced.  To the point where there are some folks willing to nit pick their way through the verbage to justify it's use in their business.

Recently on a list serve I'm on, one of these 'oh yes, I deserve it' situations came out.  The firm argued that becaue they devised and deployed Microsoft solutions for their own employees and independent contractors that they qualified.  That's like saying “Gee, because I write Excel Macros in my firm I qualify for Action pack because I deploy solutions”.

Give me a break.  The intent, the goal of the Action pack is to get consultants, resellers, Vars, Vaps more confortable with the product to in turn, drive more sales.  It's not to provide cheap software for some customer who's willing to bend the rules.  In my book, unless you are in the new MPAN program for Accountants, if you are a firm and you have to HAND the box to someone to install it, then you don't comply with the rules of this offer.

So if you are one of those folks that are bending the rules to get Action pack?

Don't.

Stop it.

You'll screw it up for those of us who are legal.

So how long is that going to stay connected?

You know there's one thing that concern me about those new SATA drives that I am now getting in my office in our new computers..... those cables.  It just seems to me that they seem a heck of a lot flimsier than the old fashioned ones.  In fact on my home PC ....yeah, yeah .... the one I'm STILL building.... I've knocked off the data cable putting in cards a couple of times now.

And I think I need to start carrying spare SATA parts and certainly need to get a SATA ready USB enclosure.  One of the gang on the malware lists said that she was delayed a bit tracking down cables and hardware so she could work on an infested drive.

My normal trick of moving data from one computer to the other and then hanging the old drive off the new system isn't going to work this time without additional cables and connections.  It has no IDE cables inside the Dell Optiplex we just got. 

So how many spare parts do you have lying around?

How much of a control freak are you?

Dan [name changed to protect the innocent and the fact that I'm going to rag on his boss in this blog post] in the mailbag today asked a question about 'hosted' Exchange.  He said that his boss wanted him to look into hosted Exchange [asp] as an alternative to moving their MX records to their SBS box.  The problem is that the boss did not want to leave the server on 24/7.  Dan said that he only agreed because he didn't have the environment to run a high availability server.

Dan?  Boss of Dan? Come over here... see my network? Do you see my older 'member' server?  It used to be my main SBS box but now it's the TS/member server box.  That server is 5, maybe 6 years old... now I personally think the sweet spot of server hardware is about 3 to 4. You know what happened to me today?  Another drive on the RAID 5 array on that old server dropped off.  You know how much down time that affected me?  About 45 minutes.  During my lunch hour no less.  And about 15 of that 45 minutes was on hold with Adaptec [delay due to the Hurricane because all calls are going through Millpitas and not shared between California and Florida] because the drive had to be zapped off again [it did this the last time I lost a drive on that older server about a year ago and I couldn't remember the commands] and then brought back into the array as a hot spare and then it slid into the location where it's supposed to be and drive 0,1 in the three drive array.  And other than the screaming like a banshee sound that it makes while one of the three drives has dropped off the face of the earth, the server is still running, still serving, still doing it's thing.  In fact, many folks say that you want to leave your servers up and running, that it's the spinning up and spinning down that does more wear and tear on them.

I keep a spare harddrive [in fact now need to order a new one] just so I can slide a new one in with no issues.  High availability to a firm doesn't mean a datacenter.  It means just reasonably nice hardware.  Server hardware.  It's certainly not the overgrown desktop hardware that is running the DELL OEM I bought for testing purposes. [It is literally the absolute CHEAPEST model I could get and it's basically an overgrown desktop with one drive].

It means ...that even if you DO go the route of some of your parts being 'hosted', I would argue that you STILL want true Server class hardware.  Now these days, I'm not convinced it's SCSI all the way... I think it can be SATA as well.  But there's a RAID in there so you could drop a thing or two along the way like I did during lunch and it would not matter one bit.

Next reason why you want your SBS box on 24/7.... remote connectivity.  There's many a time I go off to a conference and go 'oh shoot I forgot that' and can remote back into the office 24 hours a day, 7 days a week. Remote Web Workplace 'is' the killer app of SBS. 

Next reason why you want your SBS box on 24/7.... patch management.  I have and do scan and patch my network in my jammies from home.  Now then, if you turn your system off...how can you do that?

So ...okay... next... about that Boss not wanting to point the MX records to the SBS box... okay so the Gang at the SBS podcast will hate me for this but here comes....come closer.... you know about that POP connector that is supposed to be a transition tool?  The one that you are only supposed to use temporarily?  Well like they said in one of their podcasts... folks have been transitioning on that sucker since SBS 4.0.  I use the pop connector at home all the time. 

And what about the MX records and all that.... you know that with a service like TZO.com you can have a backup MX record so that if 'IF” your SBS box goes down the email will stay in your backup MX holder and then forward it again when it's back up.

Okay ..so like WHEN would you want hosted Exchange?  I think you'd want hosted Exchange ...and hosted SBS for that matter.... if you are

• Not a control freak like I am
• Live in an area that you need to be nimble and move out of harm's way

I think [hint hint] Vlad in his blog need to post about advantages/disadvantages of hosted Exchange and ways to connect [VPN, RPC over HTTPS [I vote that one even with real SBS]. and whether you should stop Exchange to free up resources [remembering of course that again, if you have a real server, it can handle this stuff just fine].  For me I'm just waaaaayyyy too much of a control freak to handing Exchange not being in my office under my control.

This nimbleness I know came in handy for one of Jeff Middleton's tech support clients.  He helped them backup their data and they sent it off to the software vendor that in addition to having a PC based application also had an ASP version.  This allowed them to quickly get back online.

So Dan's boss?  Leave that server turned on please?  You don't need to turn it off and night and reboot in the morning.  This is a server, not a workstation.  Heck we're even leaving workstations on 24/7.  And bad guys can break into you via the Internet just as effectively if you are stupid on setting that box up during the day as well as during the night.  While turning a machine off and encasing it in cement, dropping it to the bottom of the ocean probably does increase security of your system greatly, it kinda doesn't help much to boost productivity.

Leave it on, Mr. Boss.

Okay who searches while they IM people?

I'm just taking an unofficial survey of how many folks have

• Accidentally typed in an Adminstrative password in an IM window [after it grabs the screen] and sent it off to a friend [hopefully friend anyway]?
• Accidentally hit the search button instead of send in MSN 7?
• Accidentally invited half of your entire IM listing to a chat?  [and in my case that's a BIG list]
• Accidentally typed in the conversation of one chat into the window of another causing the person in conversation A to wonder where you went and the person in conversation B to wonder what the heck you are talking about?

...and other follys of IM?

...and exactly WHO searches and IMs with someone at the same time anyway?

.... uh... I don't know about you... but...uh... googling... it's kinda a private solitary thing... ya know?  I search alone.  I don't get this 'buddy search thing'. I mean I'm into sharing things with the community ...but searching?

Why doesn't Microsoft say that?

“....why doesn't Microsoft say that?“

It was a question I was asked earlier this week in response to an email I sent to a journalist. 

...and you know what... I really don't know why someone from Microsoft in their PR department didn't just say what happened.  The truth.  But for some reason the truth, the facts didn't get out to the public.

And the sad thing is, the truth would have made the public more secure, would get rid of the fears, the doubts.  But because that message didn't get said, because the words weren't said, I think Security was affected.

Security is defined as Freedom from doubt, anxiety, or fear; confidence.  .

And in the WindowsUpdate newsgroups, some people had a lot of questions about a 'buggy” patch.  Even on non affected Windows XP machines.  Even one of my fellow MVPs emailed and asked if anyone had any links to information about a “buggy” patch.

But here's the thing that is amazing.... you see the patch wasn't buggy at all.  The bad effects of this patch that the press talked about was mostly as a result of Administrators who had made security settings, tightening to registry keys, called 'hardening'.  But here's the thing.... these settings are actually not recommended by Microsoft at all.  They really are not supported.  So anyone following these guidelines, knew, they understood that they had responsibility for their network. They knew they would need to test. 

So I can't understand why, when the press starting writing their stories about the effects of this patch why someone from Microsoft didn't just say the truth.  That it was the people chosing to set up their network this way that got the most affected.  Now I'm not saying that people that were not running Windows 2000 and did not adjust permissions didn't have patch issues, but I think all of their specifc issues got passed over by the headlines regarding this so-called 'buggy patch'. We lost the real story of what was happening with this patch because of the overwhelming press that got stuck on the issues with the patch that were inflicted by the Administrators themselves.

And all of this confusion could be done away with if the Public Relations of a company just said the truth of what happened.  Truth didn't get said.  People got confusion instead.

Sometimes I don't understand the world of marketing and Public relations.  In fact, sometimes when I'm faced with a hard slick sell, it turns me off.  Big time.  In fact, give me truth.  Tell me the warts of something, because if you don't I'll find them in the product.  And believe me, if you didn't tell me about the truth of a product, and I find out about it after I've bought that product, I'll feel like you didn't tell me the truth and never forget that.

I was talking today with another guy about a software product I have at my office.  Bread and butter, line of business application.  One that I moved from one to another a few years ago, a competing product.  When I was talking about the issues I had with it, and comparing to a competitive product, the gentlemen and I that were discussing these products were commenting that we couldn't beleive that both products hadn't done better things for the customer.  That they had been in the marketplace this long and neither one was perfect.  Both had software 'warts'. And if I had known about the software warts of each platform, rather than just getting the salesman 'speel', I think I would make the same decision I made, but I wouldn't feel ... well... slightly abused by the 'speel' I got from the Salesman assuring me the software was perfect.  But because no customer was in the role I was, truly comparing the two, no one had recently made the migration, I didn't get the real facts.  I got the slick ads. 

So here I am, in a software program that works, but isn't perfect.  And if the salesman had been more honest with me I wouldn't feel the way I do now.  “Sold“ to.  Owner of a product that doesn't quite work like it was advertised.

Trust is defined as Firm reliance on the integrity, ability, or character of a person or thing.

I don't understand why firms don't understand that the best way to build trust with me and my business is to be honest. If you want me to be a long term customer, don't sell to me, be honest with me.  I moved from that other Line of Business application because they kept promising and not delivering.  And jumped from one that kept under deliverying to another software that kept pushing back a release date to the point where the ship date missed an entire tax season.  We were told one thing, when the truth was another.  And while the salemen were on the phone lines assuring me that the product was shipping, when I called tech support on this product, they said “oh it won't ship until May“.

Why do we accept what we do from Salesmen?  Why do we accept the slick ads?  I've chatted with many a folk who buy a software product only to find that once they peel back the onion layers and the software doesn't work as advertised they feel like a bit abused.   Why is it that the human folly is that we need Madison Avenue to convince us to buy things we don't need?  Isn't the obvious example of this perfume?  It's fragrant, colored water that more is spent to package it, advertise it, than it does for the ingredients for the product itself.

Sorry if I'm rambling a bit tonight.  But several conversations this week have led to this rambling blog post.  Today at lunch with a good friend, the two of us were chatting that we're not sure the press or the public relations of a firm control the message anymore.  We agreed that in this day and age of blogs, newsgroups, communities and word of mouth, even the three major networks didn't control the message anymore.  All it takes is someone who will never forget a bad experience and will tell this in a public online forum such as this and there goes a dent in all that good public relations you've built up. 

I don't know, maybe I“m being naive here, but I think being honest and truthful goes a long way.  I thnk it builds the trust.  I'm not convinced we need all the slick packaging that we end up getting.  I think being honest to the business owner... building that trust... I think that's a stronger, more long term sale.  You might not see the immediate “Madison Avenue” benefit, but I think that honesty will reap a longer term relationship. 

A funny thing happened the other day to showcase how a bit of honesty changed a conversation. I was hanging out in Andy Goodman's MCP chat the other day and was using my usual online alias and at one point in time started chatting with a poster arguing strongly about the advantages of SBS 2003 over SBS 2000.  I said that it was obvious in the recent patches where Windows 2003 was not a readily vulnerable as Windows 2000 proved that it was time to get off that platform.  And at one point in time when the poster was challenging me, he said “what have you drunk too much Microsoft Koolaid or something?“ and it took me aback a bit.  There are times people think I choose Security too much.  But here's the funny thing, once I had 'outted' myself and told the chatter exactly who I was, he recognized me from the blog and his attitude changed.  He was listening to me, not as a “koolaid seller“ but as someone who had earned ...well hopefully anyway... a little respect.   I had changed the relationship by being honest with him of who I was. 

And speaking of chosing Security over Business is that I don't think we choose Security enough over business needs.  Because at the end of the day John Q. Business Owner doesn't want things blocking him from doing his job, his business.  He will find ways to go around that barrier if it stops him from doing his job.  So security better just work.  And it better be honest.  And the technology salesman shouldn't 'spin' the product promising that the product will do things it won't do.  And we'd better not have to buy more 'things' to get the products to work the way they are advertised in the slick magazine ads. 

Because if you aren't truthful with him, he'll remember.   

If you aren't truthful with me, I'll find out and not forget either.

...so coming back ...hopefully full circle.... to this rambling post of mind tonight that you've indulged me in tonight [well not that you had any choice in the matter... I was in a mood],

Say Micosoft?  How about just being honest and saying that you had a bunch of “Buggy Admins“ who forgot that at the end of the day the responsibility for their network is theirs, not yours.  And if they chose to move away from a supported position, then it was their job to test that patch.

At the end of the day, I'm the one who's in charge of my network...not Microsoft.

The buck stops here.

A post for The "~'s" and the "V's" and all the rest.

There's a person I'm going to refer to as The “~”.  Now while I'm going to speak specifically about this one person... in reality he represents a type of a person. 

His job is to fix things.  Find things.  Get things to break.  Figure things out.  Analyze things.  Thus, he's the type of guy that would be installing Exchange 2003 Service pack 2 today.  Now.  In fact, I'm surprised he wasn't up at midnight installing it on some box somewhere.  And in fact if things go smoothly ... he might be a bit disappointed.  He and those like him actually like breaking things.   Because then they learn more about the thing they are breaking.

There's another type of person I'm going to blog about.  This person is the IT Pro.  The Consultant.  I'm going to call him The “V's“.  Now he's a bit like The “~”, but a smidge different.  You see he wants to figure things out, but he wants to ensure once he's installed something, understands it, it's reproducable in a solid manner to his clientele.  So he'll install Exchange 2003 sp2.  Document it.  And quite quickly in fact, but he's probably going to go through the dry run steps of a 'best practice for deploying Service Packs” checklist.

He'll make sure he's read the documentation, he'll make sure he's backed up the Exchange Store.  He'll understand that for his clients that depend on email, Service packs deployments on Exchange are upgrading a Jet database.  Thus he'll make sure he builds in a rollback strategy.  But he's going to to a dry run on a test machine and recreate as best as he can the steps and checklists he'll use for deploying this Service Pack.  He's then probably going to watch that box for a few days and monitor the log files and just make sure everything is as it should be.  And then he'll start rolling it out.  Mainly because his clientele are near the max of those 16 gig limits right now and they are busting at the seams.  And he'll read the documentation on how the default store goes up to 18 gigs but above that needs a manual registry adjustment.

He's also probably going to “triage“ this service pack and only deploy it to those clients who are near that 16 gig database limit.  The ones that need that registry edit.  You see he's probably already in the process of deploying SBS sp1 and he'll want to give is clients a bit of a breather on that for a bit before fully rolling this one out.

Then there's me.  And it's this personal view from my Patch Deployment Central.  It's this view that I post to this blog.  My role in my office is to not introduce risk.  My role is risk mitigator.  So I'm not going to be the one downloading the patch at midnight installing this on my box.  I'm waiting.  I'm going to first install it on my home server, again following the guidance of The “V's”, and I'm going to watch the log files.  I'm going to then pick a date in my office that it's a good time for me to deploy this.  In my office my traditional time for deployment is Friday night, after the office closes at 5 p.m.  I'm going to ensure I have a rollback plan.

And what if you don't have a home server to test this on?  What if you are a DIY admin and you only have your one SBS box?  Well, you can be rest assured of the following....

• The “~'s“ have done it and are running just fine [well it will be as soon as he installs SBS]
• The “V's“ have done it and are running just fine
• The patch has been certified for SBS boxes by Mothership Redmond and Los Colinas [there is no need to wait for a SBS only service pack]
• and soon I'll be doing it here

In my earlier post I talked about how one shouldn't patch at lunchtime.  There's a running joke that we are so confident in patching that we'll just blindly install patches before testing.  If you don't have a test machine, but only a real production one, just keep this in mind... follow the recommendations.  Have a backup.  Remember you have to have SBS sp1 on the box “before” applying this Service pack.  And honestly you really should consider a Service Pack like a near new operating system.  You don't have to be first.  You can wait for all those “~'s” and “V's”.      

Need some guidelines and ideas for Patch [and a bit of Service pack] testing?  Here's some things I've gathered up along the way...

• Identify the operating system subject to testing.
• Identify the service pack level.
• Identify the hotfixes installed on your systems (if in addition to security fixes).
• Identify critical third party applications.
• Identify third party applications that have had patching historically.
• Identify those files used in patches that may have causes issues in the past. Are the included in this current patch? Assign testing resources appropriately.
• Study the bulletin to determine if you can uninstall the patch. If not, determine if additional resources for testing or imaging need to be in place before approving the patch.
• Test the installation of the patch both manually and via your automated patch technology. Can you uninstall the patch using add/remove program or your patch tool?
• Review the processes of your line of business applications. Are they performing as expected? Attempt to replicate a production environment using imaged data. Having an exact image provides the best testing bed.
• Set up performance and monitoring tools to review your testing machines43 such as PerfMon, tools from Sysinternals and review all log files.
• Confirm the installation of the patches via registry review or other means.
• (OPTIONAL) Confirm the effectiveness of the patch using testing code.
• Follow any additional procedures your situation requires.
• Approve the patch for release.
• PREPARE BACKUPS. [Oh yeah did I say prepare backups?]

The Infraguard Technology Risk checklist also includes the following:

• When applying a patch to any system vulnerability, verify the integrity of, and test for the proper functioning of the patch
• Verify that the patch will not negatively affect or alter other system configurations
• Test patches on test beds before being released into the network
• Backup your system before applying patches
• Conduct another vulnerability test after you apply a patch
• Keep a log file of any system changes and updates
• Prioritize patches prioritized
• Disseminate patch update information among the organization's local systems administrators Add timetables to patch potential vulnerabilities
• Require that external partners deploy all non-critical patches within 30 days
• Require that external partners deploy critical patches to servers and clients within 48 hours

So if you are one of “The “~'s“, go ahead, deploy it.  The rest of us mere mortals will type up a checklist and at least make sure we have a backup in place.

Exchange Service Pack Destroys Reading Ability

Yes, the thing I was ranting about earlier this week..the sensationalist headline I'm using here for a reason.

Got ya to read this blog post didn't I?  Didn't I?

It's apparently obvious to me that the sight of a new software patch destroys all ability for folks to plan and read documentation.  Marina and Mariette have said time and time again [even to me when I forget] that we need to SLOW DOWN and READ.

Already getting folks pinging the blog after... AFTER... apply the patch and folks, I don't know about you but I cannot imagine that you have

• Read the release notes
• Read Vlad's blog
• Backed up your Exchange store SEPARATELY from the normal backup [In fact stick it someplace special on a harddrive somwhere just for this purpose]
• Anticipate that once again, the Exchange patch, since it's coming out from the “normal“ Exchange folks would once again flip our OWA login from just plain user to domain\user [or so one poster to the blog says happens... you mileage may vary ... I haven't tried it so you early adopters will have to see, word is from the gang that the User name only stays and works -- it's just the OWA page that 'says' Domain\user name.  It will still work fine with just “User“.  Nick says the SBS gang fixed the underlying SBSized plumbing so Exchange won't stomp on us anymore after you apply SBS 2003 sp1]

IMHO, either ... give up fixing that stupid domain/user thingy... train your users to go through RWW and never use straight OWA..... or try applying the previous fix/up patch that did the trick with Exchange 2003 sp1 when it did that to us.  Honestly I think we need to just give up our SBS customizations if Exchange or any other patch is going to stomp on them all the time.  When I picked my domain name, I picked it nice and small.  To me, I'd rather stay with a 'standardization' of patching.  So if Exchange is going to constantly reset that .. I say... fine .. let's stop fighting it.  Flip it to domain\user and we won't have to worry about fixing it anymore.  It's honestly an end user education issue anyway.  I'm starting to be a big fan of patch standardization.

So, can we read first please? 

Sometimes it 'is' the last thing you try

So I have the big hunking HP Pavillion Harmon Kardon has the built in 10 key on the keyboard that we beancounters drool about, weighs about 9 pounds dripping wet, monster in for a checkup, installing an update to the Trend antivirus [and just realized this doesn't have Microsoft antispyware, shame on me] and what not and for the last two days I've been off and on trying to troubleshoot a problem with it.

You see about every 30 seconds on both the wired and the wireless connections I was trying it would fall 'off' the connection.  I always enable the network connection icon down in the system tray and I would see it drop the connection and then reenable the connection. 

I'm thinking viruses?  Spyware?  Nic drivers?  and trying to troubleshoot a device when it's falling off the Internet every 30 seconds isn't fun, you have to google msnsearch on another machine, find the drivers or software patches you need and then copy them over.  Needless to say I was just about stumped and about to call in the hardware gurus.  And flat out honestly, I'm a software gal.

So one last ditch effort I boot into safe mode to see if I can see if the nic drivers are acting up under safe mode and realize you can't enable the network icons in the system tray in safe mode.  So I reboot into normal windows and ...for whatever reason that escapes me now.... I hover over the far right icon which is the 2Wire network connection monitor for the Home DSL modem that this monster laptop normally connects to.  And again, maybe it was annoyance with icons or something...but I made the monitoring software temporarily exit the program.

Two days.  I've been scratching my head off and on for two days trying to figure out why this has been dropping off the wireless and the wired network at the office and it was the fact that the 2Wire wasn't able to phone home to it's DSL modem was why this laptop kept dropping off the Internet.

It is always the last thing you try isn't it?

Now given that we're about to insert in a Linksys or equivalent at home [where this monster normally parks itself] so that the DSL can be shared out with the Granddaughter on another computer [and not this one that I'm typing this blog post on to confirm with myself that the connection is solid], so that she doesn't mess with this clean, pristine laptop, I'll probably have to permanently disable that monitoring software of dubious reliability.

I'll also have to figure out the best way to protect Granddaughter.  I'll see what I can do with restricted user mode and the fact that when she visits...she wants to play games. And unfortunately game writers have yet to fully embrace the “Secure by Design, Secure by Default, Secure by Deployment” mantra.

Yup, sure enough... rock solid connection.  So exactly again ...why do I need a network connection monitoring program that 'causes' network connectivity issues when it's not connected to what it's wanting to be connected to?

Yeah, there's probably a group policy setting that I should go find for this - the temp file issue

Annoyance 101 - Temp files.

When you receive an email and there's a file attached... why is it that the default location for the files is some buried obscure location on your hardrive?

I mean it's an attachment, right?  Why can't I have a “My Attachments” folder rather than some Temp file location?  I mean Temp file to me means that it's temporary.  Yeah you are supposed to do a 'save as' and get it out of there, and from a security standpoint it probably would be wise if you clean that out you know...but in reality... how many times in a small firm does stuff get stuck in the temp folder and we never realize where it is?

Yeah we can do Desktop search and all that to find it, but wouldn't it be better if something popped up when we went ot save and said “you do realize where this is being saved, right?”

So?  How many times have you found stuff of clients in temp folders?  Is it an education problem?  Or should we be adjusting where our email programs dump those temp files? 

I say ..fix the program.  What about you?

Clean Slate

So when do you give a vendor or a person a clean slate to start over.

A new page?  Start from square one.

I was thinking about this tonight in regards to a couple of conversations and sometimes I wonder if sometimes...just sometimes...we let the word of mouth... the Church of the Customer not let us make up our own minds.  Now don't get me wrong.  Word of mouth ...the been there and done that can be the greatest piece of information and knowledge sharing you can get, but isn't there sometimes when evaluating something it might be better coming into it with an open mind from the beginning and then letting the facts let you come to your own conclusion?

A fresh start; another chance after wiping out old offenses or debts. This idiom often appears as wipe the slate clean. For example, Henry's boss assured him that the matter was finished and he could start with a clean slate, or He wished he could wipe the slate clean, but it was too late to salvage the relationship. This expression alludes to the slate boards on which school work or tavern bills were recorded in easily wiped-off chalk. Since 1850 or so the term has been used figuratively, and it has long outlived the practice of writing on slate.

I still remember going to a movie that the critics loved.  Their 'word of mouth' regarding that movie meant that I had certain expectations in mind.  I sat in the movie theater ...waiting for the movie to get to that part that the critics said was wonderful.  And I sat.  And sat.   And sat.  And soon the end credits rolled.  And their word of mouth, set my expectations so badly that ...to this day... I can tell you exactly the movie that I sat through thinking.... did I see the same movie they did?  Did I wander into the wrong theater? 

Don't get me wrong... I think the “been there and done that” and “word of mouth” is valuable, but sometimes...just sometimes... you might want to do something I call the “To kill a mockingbird” effect.  Walk across the street.  Turn around.  Now look at the view from the other angle.  That word of mouth you are getting is just that... a view.  And maybe...just maybe..... making up your own mind ...without expectations might also be of use.  Maybe the view is just what happened to them.  A one-off.  Maybe the view is that from a long time ago [like me and that movie]

I will never forget a movie that horribly set my expectations. 

So tomorrow in my part of the world in the end of the week and Sunday to me, is the beginning of the new week.  It's the day we get to 'start over'.  Now I'm not saying I'll be watching that movie next week.... but just maybe I'll start Sunday morning with a clean slate and pick a new movie to watch and decide what I think about it.

How about you?  How about you pick something or someone and start off next week with a clean slate?  A new view.  Another chance. 

And this time... make up your own mind from what you expect...not from what others have set for you.

Why I ask for "the exact error message"

Coworker - my computer at home isn't working? Got any ideas?  It won't boot?

Me - what's the error message?

Coworker - it's a long one.

Me - yes, but what is it?

Coworker - I have to write it down?

Me - yes, is it a BSOD - a blue screen of death?

Coworker - no.

Me - okay so when it happens, can you write down 'enough' of the message you are seeing...otherwise I can't search for an answer.

So he brings in the handwritten note of the message.  The primary part of it being the “UNMOUNTABLE_BOOT_VOLUME”  and of course, within seconds we have our answer.  Yeah, it's not a blue screen...uh huh... yeah.

I see so many times folks will say “my computer just bugchecked” what does this mean?  What's this error code?  And yeah, I can google msnsearch and point you to the Debugger Tools with the help file and all that ... and I might be able to give you a hint or a clue ....but you know what?  There's an easier way.  Support.  It's called support.  An for you guys in the partner program you have even more options for support.  And all it takes is one trained person to review that file and more often than not they can tell you exactly why that machine errored out and where to look for a fix [if it's hardware driver based] or give you a hotfix.

Now I'm not saying that you are guaranteed a free call or anything ...but honestly... isn't your firm worth the $245 call?  And depending on the issues, there have been times that I've ended up being 'comp'd' that call.

Getting the right help gets you back in business quickly.

Why aren't you taking advantage of the resources you have access to?

Getting there

“Tech for Non Profits” blogs talks about getting to SBS 2003 and I agree with blog post one.... that moving from a domain to another domain in a pain... I guess he didn't know about our swing solution at sbsmigration.com...but there's a couple of things I think need a little clarity in post number 2.

First off... DON”T give up on centralized virus management... excuse me.... you want the dat file coming into the server and autodeployed.  Get the corp editions of that for that purpose...not the yellow box standalones.

Next, the firewall can be adjusted by you at the server...or you can edit the policy to let the workstations manage the firewall [see here for the policy to be adjusted]

Next...get off of pop email...please?  You do realize that you can't use Exchange IMF or any of the cool server spam tools.  And just because you are small doesn't mean you can't do full smtp email with tzo.com forwarding your email [I've blogged about this before...I'm not going to bore the regular readers with the details...but they've probably heard this rant before anyway]

Next you don't have to have local admins on the workstations... once the install of the programs are deployed...shut those workstations back to standard user.  Easy.  I mean, I don't know about you but I don't redeploy Outlook 2003 sp1 every day.

Larry... migration from a domain to another domain isn't easy.  From peer to peer is the easiest method and the /connectcomputer will migrate the settings of the profiles. 

Yes, DNS is sweeter when you let SBS do it's thing...but that's AD.  I love the AD glue and so will you.

Part of the problem is there are many ways to set up networks.

...and Larry?  What updates?  as the SQL one normally doesn't like to install unless you've run the monitoring wizard. 

I'm tired of following best practices

This all started on the WSUS patch management listserve where someone said “Oh you MUST install SQL on it's own box” and started us talking about how one firm, one person's 'best practice' didn't always fit for another firm.

I'm tired of big server land 'best practices' to be used to compare to my small network.  I mean...show me a big firm and I don't think they are any better than I am. 

But one thing that I think is for sure is that you can't use big server world's best practices to set “MY” best practices.  They don't compare.

Let's see some of the myths of best practices and see if they fly in my network....

• Best practice number one - Never put IIS inside your network.  Okay if we follow this lovely one, we can't run WSUS or other such tools that actually help me to be more secure.  Folks that say this one are back in the IIS 4.0 days.  IIS 6.0 has proven to be solid. 
• Best practice number two - always put SQL on it's own server.  Well in SBSland, the first thing we will do is violate our EULA.  Does it freak out the gurus to have all our services on one box?  Oh sure.  But excuse me?  Look around at what is happening in the virtual server world.  They just announced some changes to Virtual licensing going forward.  Does anyone else but me see that 4 servers on one physical server sounds kinda like what we do in SBSland?  We just don't have the fences between the children on the playground is all.
• Best practice number three - Always put a firewall on an external device.  The problem with this one is that invariably the issues with firewalls is how they are set up and not necessarily where they are positioned in our space of SBAland.  Have you left the default password on it?  I also find that I patch the ISA one a heck of a lot more regularly and the monitoring report [even though I'm not 100% fond of it], makes me view it more.  A Linksys on the edge just doesn't give me the 'in your face' information I need.

so ...what other best practices do you think ...well....just aren't necessarily best?

Man ...where do I get all this junk on my workstation?

I upgraded my computer yesterday...well...not exactly... I did a Drive image of my existing disk [120 gigs] over to a 300 gigs [which doesn't say 300 on the “My computer” by the way, because I was nearly out of room and the poor drive was file swapping like crazy to keep up with me.  So I imaged the old one to the new one and then moved the new one [putting the necessary jumper block in place] to be able to boot off the new disk flawlessly.

Hands down this is the easiest way to migrate...but at some point in time, I'll want to migrate cleanly and it's still a pain....Which reminds me I need to grab a TV tuner card for my workstation at home [the new one I havent' migrated to yet] so I can throw MCE on it.

Dell just called about the workstation I ordered....for FREE they can upgrade that 80 gig harddrive to 160 gigs.... okay...whatever... 160 gigs of stuff that will have to be moved in the future... fine.....

The vendor issue

Earlier today, David Litchfield wrote an open letter to Oracle users recommending that they get on the phone, send an email and demand better security response and an improvement in quality of their security patches.  Cesar on the SecureFocus list echo'd Mr. Litchfield's comments as well [you can read David's comments below Cesar's in the post].  Now most of us SBSers don't run Oracle, but as Mr. Litchfield points out.... our data is probably on such a database somewhere.

Dr. Jesper Johansson posts about a similar issue... vendor support of patches.  When a vendor puts us at risk like this .... it's unacceptable. 

And of course my favorite software that forces me to make insecure choices... Quickbooks which demands local admin rights.

Vendors know that they have us in a bind...upgrading and migrating to a new software is a pain in the rear.  But at the same time we HAVE to start waking up to the insecurities these vendors are placing at our doorsteps.  The decisions they are making on our behalf.  The risks they are forcing us to accept.

Mr. CEO... how about you lose $1 of your salary for every time you put my personal data at risk?  Maybe if it hurt you personally in the pocket book more you'd care and force your employees to read Secure Coding and the Deadly sins of Software? 

I have.

...and I don't even code anything....

Dell ... if I'm a corporation ...I'm not buying XP HOMES!!!

If Dell Optiplex “Means Business” as the headline reads...why then as I am spec'ing out a new desktop for the office does it DEFAULT... DEFAULT mind you to XP Home.  Dell WHY are you shoving XP HOME machines down my fellow small business owners when the Optiplex line is supposedly for business?  Do I now have to go to the Precision line of desktops which appear to be all XP Pro based machines?

Then on the Precision lines... they are putting 160 gig to 250 gig harddrives on those local drives.  In a business setting...where the desktops are not getting as backed up as they should... why do we need a 250 gig harddrive?  Shouldn't we instead be making sure that we're backing up all critical data on the server?

Then, the default is to not give me a resource cdrom for drivers.  Again, for disaster recovery purposes ...why would I not want such a cdrom?

Then what drives me crazy as an admin is the size of the minimum harddrives.  I don't want a workstation to have 80 gigs of storage.  Why do my workers need that much?  For the mp3 files they are not supposed to be downloading?  The Precisions are even worse with a minimum of 160 gigs of storage as default.

Now granted one could take advantage of the new Small Business SKU and buy XP Home on those boxes and then add Windows XP Pro with software assurance...but that just seems a bit cumbersome as well.

Yes you can add a SBS 2003 to an existing domain

Roy says in the comments... “Yes, you can add SBS to an existing domain but not forever. In the KB article you mention is this comment: "This retirement process must occur within 14 days of adding the new SBS 2003 computer to the domain or the new SBS 2003 computer may display warnings and shut down periodically."

Uh Roy... that's only for migrating from one SBS to another or for moving the FSMO roles.  You “CAN” add a SBS 2003 to an existing AD domain and as long as you ensure that the SBS is the Primary domain controller and all the FSMO roles are on that SBS box you 'CAN' add a SBS 2003 to an existing AD domain.  The gang out here has done it before.  Check out the info on sbsmigration.com as it's basically doing a similar process.

Yes Roy, you can add a SBS 2003 to an existing domain...forever.  You just have to get rid of the 'normal' AD domain stuff off the prior DC and make sure all of it is on the SBS box.

It can be done.

Remember what that KB article says..... it's not meeting these conditions that make it shut down...

The following conditions must be true after you install the new SBS 2003 computer in an existing domain or the new SBS 2003 computer may display warnings and shut down periodically:

• The new SBS 2003 computer must be a domain controller that is installed on the root of the domain.
• The new SBS 2003 computer must hold all the Flexible Single Master Operation (FSMO) roles.
• The new SBS 2003 computer must be a global catalog server and must be the licensing server.
• There must not be any existing domain trusts or child domains.
• Only one SBS server can exist on the domain. If SBS 2003 is installed, no other SBS 2003 or SBS 2000 server can be installed on the same domain.

Failure to meet these conditions may cause the SBS 2003 server to shut down.

I love my Lunch time menu internal communication system

Steve has a problem.  He has a small network and because he wasn't wacko like me, didn't catch Live Communication Server.  So now he's looking for INTERNAL ONLY nothing going out the firewall thank you very much [no MSN hotmail need apply] for an internal IM system. 

In fact I need to load up LCS 2005 with it's new communicator thingy...but I've not got around to it because I don't really need all those VOIP, forward to cell phone, internal routing of calls do-dads-thingy-whatchamacallits-wingdings here.  We like plain phones that just work, thank you.  And IM is really just for the 'ping' for “what do you want for lunch” and “hey, there's a call on line 2, you want to cut that one you are on short?”

Sometimes..like with the Audiovox 5600 phone geek toys are WAY cool.  But sometimes simple is just better and all we need.

Vlad blogged about his same problem earlier.

Keep in simple, that's all we really need.

Got any other ideas for Steve?

Mr. Minasi we can do that too!

Met up with Mark “oh SBS is evil because it can't have a secondary domain controller” Minasi at the MVP summit and it reminded me that we recently got a clarfication on how we CAN have a secondary domain controller and all you need to have to cover the licenses of that secondary DC is plain ol' SBS cals.  You don't need Windows server cals.  The SBS license specifically allows us to have our member servers and even our additional domain controllers covered by a SBS cal.  So all you need to have in order to set up and be legal for an additional DC is the server CAL that came with the Server OS [and yes if you buy Open License version of Windows 2003 server you can buy it with one and only one CAL] and then your SBS CALs.

So to review....

• SBS CAN have a secondary/additional DC
• The CALs for it are merely ONE Windows server OS CAL [you know the one you get with the OS itself]
• and then it's covered by the SBS CALs.

The Enterprise IT pro white paper even talks about this.  “You can add a computer running Windows 2000 Server or Windows Server 2003 as a replica domain controller to a local or remote office for redundancy in the event that the server running Windows SBS is unavailable. Replication with the server running Windows SBS keeps Active Directory up-to-date on the additional domain controller even in the remote-office scenario, provided there is a link between the offices. Users can then log on to the network normally until the server running Windows SBS is brought back online.”  Personally I've found that what's more important is the DHCP than the Domain controller per se...as workstations that can't find a domain will merely log in via cached credentials. 

Bottom line.. buy good hardware and normally is a non issue in a small office.

Yes, you can do that Mr. Enterprise IT Pro.

In a white paper on the download site about “Introduction to Windows SBS 2003 for Enterprise IT Pros“ it says

“I feel the need to repeat this, so here it is: there can be only one machine running Windows SBS in a domain! In sum, that means that the only kind of domain that a Windows SBS computer can be part of is its own. You can’t add it to an existing Windows Server domain, and you can’t add another Windows Server machine to a Windows SBS network as the primary domain controller. (You can add extra machines running Windows Server to a Windows SBS domain as replica domain controllers, line-of-business (LOB) application servers, or servers that have Windows Server 2003 Terminal Server enabled, but we’ll cover that later in the "Common Scenarios" section of this paper.)”

And I'd like to point out that one sentence “You can't add it to an existing Windows Server domain”... which is... well...it's just plain wrong.  You see you can add a SBS box to an existing domain.  You see there's a KB article out there .... 884453 in fact that is titled up as "How to install Small Business Server 2003 in an existing Active Directory Domain" that is right on point telling you how you can do that.

“You should use the steps that are described in this article as an outline for how to install a new SBS 2003 computer in an existing domain to maintain the existing Active Directory directory service infrastructure.“

Needless to say I'll be finding a way to give feedback on that document because that one part in particular is a bit wrong.

<psssst.... whitepaper already updated on the web....dang you guys work fast...>

The lowercase "c"

I'm sitting in Portland with a couple of hour layover before I go home after a couple of days in Seattle.  And in my slightly sleep deprived state as I wait for the time to get the next leg of my flight, it’s always a bit of a reflective time as those of us in this “community” all scatter back to the corners of the globe...there's a couple of thoughts I need to express.  This summit feels a bit transitional for me as I’m part of the “old guard” these days.  No longer the newbie, I’m the one who now gets the pride of seeing that newbie ‘oh wow’ glow of a new MVP coming to Seattle for the first time.  THe one who beams when a fellow MVP makes the connection with a product group to help grow the connection between customers and a large company.  This is also a good time to self reflect on what exactly is this thing called community.

To me, I think there are two “communities” out there.  One with a capital “C”, one with a lowercase “c”.  The “C” one is the one seen by the business side of folks.  This is the one that the “buzz” words are thrown out around… you know… we’re going to “leverage this and that” as the business side of “C”ommunity is apt to say.  To me this one is the one that has the logos and the swag handouts.  The “C” is the one that is seen in the business world as a conduit for viral marketing and word of mouth.  The one that Madison Avenue tries to harness.

But there’s another Community out there.  The lowercase “c”.  The voices that I think large companies need to make sure they are listening to.    The lowercase “c” one is the one that folks like Paul Thurrott, I think, missed seeing.  Since he posted about the MVP summit, I'm going to publically comment about some of the issues he brought up....He said that “I'm a bit freaked out by the sense of entitlement I get from many MVPs. Many of these people are fantastic and are true experts in their respective categories. But as in any large group, there is a minority that kind of ruins it for anyone.”  I think he saw the “C” part of the community, not the “c” part.  He saw the minority that do it for personal reasons and not the “c” ones that look at this insane thing we do as ‘paying it forward’ kind of thing, or a calling to keep Microsoft honest.

Another journalist that was at the event didn't want me to introduce them to Microsoft employees.  He said that he didn't want to get too “close“ because of his journalism role.  I guess I see it differently than he does.  Because in my view there are times that I feel I can yell louder when I am known by people behind the wall.  You know how you can argue more passionately and strongly with family members than you can with strangers?  I think there's a bit of that going on.

When meeting with Folks this week, many of the things we asked for were things that the gang has asked for for three summits now.  And the funny thing is, in many cases, the items we’re asking for,...the really obvious stuff like tools to help transition the break/fix businesses into managed care plans are already in the marketplace.  Level platforms comes to mind as one such tool that’s already there making an impact.  It’s often been said that a large percentage of features requested in office are already in the product but people don’t know they are buried under the hood. 

I think Paul was right in that he should be freaked out by the “entitlement” view he saw.  I get freaked out by it too.   In fact embarrassed a bit by it sometimes.  I also strongly feel that the “MVP” view is only one of many data points that Microsoft as a company should look at.  We’re just one datapoint, one set of voices and I would hope that Microsoft is not just listening to MVPs or journalists like Paul.  In fact, there are times, we're not the right “voice” to listen to. 

In all honesty there's been a bit of a concern about Paul Thurrott being an MVP as he says.  He is after all a journalist.  And as a journalist, how can he sign NDAs on the one hand in the MVP program and write about the latest and greatest stuff at Microsoft.  Does Paul Thurrott need to have access to Microsoft in the role that he has.  Definitely yes.  Does he need to be one datapoint as a feeder of information that has impact.  Absolutely.  But is it even fair to him to put him and others in this catch22 of a situation where it's his job to report on the latest and greatest and even not yet released Microsoft technologies and then bind him by a NDA? 

Can a member of the press who's role it is to report, is it fair to him or her to put limitations that might have to be investigated as a potential “leak“.

But I'll be the first to admit when I signed up to the Blackhat brieflings under a Press Pass [that I later on had to back out on going to].... I'll be the first to say that saying I was a member of the “Press“ due ot my Patch management articles I write felt weird.  Interestingly enough I didn't feel independent 'enough'. 

Is the Press a member of the “C“ommunity or a member of the “c“ommunity?

I tend to find that the lowercase 'c' of community are not silos of information and I'm not sure we're pushing enough to get the parts of a large company to better communicate. We had a presentation on Exchange and our SBS group considers Outlook just an extension of Exchange...it's just that platform's communication conduit.  Thus having Exchange be even more aware of Outlook and Outlook of Exchange is key.  Sometimes all of us work in silos of information and don't look at the bigger picture.

I'd argue to Paul that the MVP program is indeed important.  We give a voice to a group. But honestly,the lowercase “c” of community is obviously just fine without us MVPs.  Questions are still being answered, topics are still being discussed even though we were pretty much offline.  Because while the uppercase “C” of Community might have a finite size, a budget, swag and all that... but the lowercase “c” is bigger than that.  

But at the end of the day it is just one voice...one datapoint.  Sometimes I get embarrassed by folks saying that this is “THE“ Susan Bradley.  But what they miss is that I wouldn't be “THE“ Susan Bradley if they rest of you weren't doing what you do.  

And then we get asked “If Microsoft is the richest company in the world, why do guys do this?”  Bottom line it's the 'pay it forward' for many of us.  The 'attaboys'. We'd still be doing what we do even if Microsoft didn't invite us up every now and then. 

A person who has this 'pay in forward' attitude isn't taught this....it's part of the fabric of their personality, twisted that it may bel....

You, the lowercase “c” of community makes me into the Uppercase “C” of Community.

For that I thank each and everyone of you that read the blog, send me questions every now and then so I don't run out of blog topics.  Yeah one could argue always that the MVP program is awarded for past community work, but I think Microsoft gets the most out of me when I'm representing their current customers.I wouldn't be a MVP... a person who represents voices in the community without having people to listen to in the first place.

It's my hope that when I'm in various places as a representative of you, I don't embarrass you so that Paul can't be talking about any SBSer including myself when he says “some MVPs”  have a sense of entitlement.

I still say when you stop worrying about “what's in it for me”, you get rewards ten fold...not to mention an online relationship that is unique and special.

For everyone of you that make the lowercase “c” into the community that it is,....

Thank you.

You have mail!

To all those in meetings where you bring in your laptop....can you shut off the sound?  One of the Vista features is a presentation mode that shuts off the sound and IM and changes the desktop to being “more PC”.  [Politically correct that is....]  But I'd argue that there should be a meeting mode..... because there's nothing more annoying to be in a meeting and somone logs in to their computer and you hear the music.

Next to me in the Portland airport is a guy who just got is email.  I can tell because the voice just said “You have mail”.

So folks... can we turn off the audio please when you are in meetings and traveling?  It's just a smidge annoying...

I want an RSS feed and I don't think I'm the only one

On a couple of listserves, WSUS, and Focus on MS, I've seen some folks talk about how their first indication that Office 2003 sp2 was when their workstations popped up with a “you have patches to install” icon.

Hands down the Security folks have the SDcubed +C nailed.. Secure by Design, Secure by Default, Secure by deployment and Communication.... the Security patches are communicated to us ahead of time, we know what code is installing on our box.

But if you want us admins to 'trust' enabling autoupdate on our workstations, you HAVE to inform us that you are going to be releasing Serivce Packs that will be coming down on Microsoft. Update.  Yes,  I know it's not a security bulletin and thus not your communication responsibility, but go wack the team upside the head in Service Packs that should be communicating better.

If you want me to enable auto updates, then let me know what's coming down on my box.  I should not use the “updates are being downloaded icon” to be my communication vehicle for such things. 

Gentlemen, I want an RSS feed of any bits that hit my machines.  As an admin, I've been asking for a email notification for Security patches for many years now.  I've upgraded my request... these days I want an RSS feed.  But the bottom line is, I'm not the only one who was blindsided by that SP coming out.  And as I'm the controller of my network at the office, I don't want to have to use my Laptop where the AU is enabled to be my “what new code is going to be offered to me indicator”.

Feedback

I got a ping today and in the email this was included....

“My biggest concern is that the last 3 calls to Microsoft's Business Down Critical Support have yielded no help whatsoever and the communication issues have been a huge issue as well.  Our techs don't even want to call support any more as a result, and I want to pass this concern on to someone who can make sure it is heard”

Ouch... that hurts...and something that is a real shame to hear.... if you don't like what you are seeing give feedback... it's the only way things will change and get better.

The 'other store'

We walked into the “other' store in San Francisco.  The Apple store.  And while one could argue that the tack that Microsoft has taken with it's 'open' platform that allows anyone to upgrade and build on the Windows platform, man could Microsoft take a page or two or three or four out of Apple's marketing playbook.

Young, hip.  With a presentation section that had a young woman talking about 'using' the Mac to the “Genius bar” that allowed you to book expertise to help you migrate data from one Mac to another Mac or... uh... migrate from a PC to a Mac. 

And with displays that are pleasing, uncluttered....not like the glaring, noisy, jarring Best Buy with the absolute information overload of varieties of Personal computers and laptops.  

Designs of systems that just are clean and stylish.  Don't tell Steve Foster this, but even challenges his Acer Ferrari laptop up for a coolness award.

Training ...education...not just shoving stuff and warranties at you with blaring rock music in the background.

Mac, I have to give you guys hands down credit.... in the marketing and buzz department you kick.... you majorly kick.

The checklist

Geek clothes....

...more geek clothes....

... Blogging T Shirt.....

Power cords......

Cell phone power.... [and btw you would think that a cigarette lighter that's supposed to be a mini usb would fit my Audiovox but it didn't and Steve and I were in Yosemite today with my dead cell phone... cut off... no email...no IM... no...oh yeah we were taking the day off weren't we?

Check the weather report ......

Get maps to San Francisco and Frys....

Print out PDF with full detailed info on where we 'think' we will be.

I know I'm going to forget something....

oh..yeah....

Don't forget the train tickets.....

You may receive a stop error if you are running PcAnywhere with A/V

You may receive a "Stop 0x00000020" error message on a computer that is running Windows Small Business Server 2003 or Windows Server 2003:
http://support.microsoft.com/?kbid=905539

This problem is known to occur on servers that are running Symantec pcAnywhere 11.5 with Symantec AntiVirus 8.x or with Symantec AntiVirus 9.0. An updated version of the Symantec Event Handler driver (Symevent.sys) causes this problem. The Symevent.sys driver is installed with pcAnywhere 11.5. The Symevent.sys driver causes the Symantec real-time protection drivers to generate the "Stop 0x00000020" error.

To resolve this problem, download and install the latest Symevent.sys driver.

My comment... what the heck are you doing running PCAnywhere on SBS when you have practically forty trilllion ways to connect to that box without using a third party program.  If your vendor demands that they have to have PCAnywhere... get a new vendor!

P.S.  Okay so forty trillion is an overstatement...but still...

I don't salute you one bit....

 James Coates says....

"I salute you for keeping a Windows 98 computer running in the face of enormous pressures to upgrade to XP,"

And he gets PAID to write this?

And he's a technology writer?

Do we really value ourselves properly?

How many hours will you bang on an issue before you call for help?

An hour?  Two?  A day?

I mean do they assign a value to your time spent dealing with an issue?

What about you?  The IT Pro?  I've had this rant before, but sometimes it spills into buying products or services as well.  The idea that a consultant will not call for support and pay the fee, or will not buy a product that will make his or her life easier.

Don't you value your time?  Don't you value your expertise?  Why will you not look at the cost of a product and thing of the time savings you will have?

Think about that the next time you hesitate before spending money on something to make your life easier.

Installing a new A/V

So while I'm making sure I'm not getting ragged on at the summit, I realize my Trend a/v is getting close to renewal...so I re-up. 

Now here's the annoyance...because I'm going up to the 2005 version, I have to uninstall the old one.  And of course...when does it tell me this?  AFTER I've attempted to install the 2005 version... and of course that means I have to write down the Product Key code and all that....Oh wait ..never mind.. it kept the product key code ...now I'm doing the full install even though I use the XP sp2 firewall and the XP sp2 security center.

You know one thing that is amazing... how can the normal non geek understand what these anti spyware prompts are telling you?  Heck I don't even know what some of this stuff is doing!

If you are an app developer... have I got a forum for you....

If any dev type folk happen to be down in Los Angeles at the Professional Developers Conference... and if by any chance anyone from the Intuitive Accounting application program is down there... can you really do me a favor?

Can ya

• Learn how to read Secure Coding Second edition
• Read the 19 deadly sins of Software Security
• Read Threat Modeling

And then join the Vista Technical forum on “Security for Applications in Windows Vista“.

Please notice that “I“ as a buyer of software posted the first post, so obviously you Devs from any Intuitive accounting software probably are still paryting down in Los Angeles for the next couple of days at the PDC.  I'll let you slack off for now, but I'll be watching to see if you start posting in there.

Security for Applications in Windows Vista - Microsoft Technical Forums:
http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=116

I'm working on getting your software buyers to care... can you work on caring as well?

But Steve, you don't understand, I'm not small business... I'm just a Little Enterprise

You know... I really shouldn't draw any conclusions when Vista is still in beta, certainly not even to the point of shrinkwrap or anything, but sometimes, Steve [Mr. Ballmer] you make it such an easy target because of the rumors and leaks and messages that don't get communicated well.

Again, referring to article, it says “the Enterprise Edition“ - “Optimized for the enterprise, this version will be a true superset of Windows Vista Pro Edition. It will also include unique features such as Virtual PC, the multi-language user interface (MUI), and the Secure Startup/full volume encryption security technologies ("Cornerstone"). There is no analogous XP version for this product. This version is aimed at business decision makers, IT managers and decision makers, and information workers/general business users. Enterprise Edition will be offered exclusively through Software Assurance.

The marketing message: Enterprise Edition provides an advanced application compatibility solution that will be crucial to many large business users, can be deployed to multiple language locales using a single image, and provides Secure Startup functionality for the ultimate in security on the go. It is the client OS that is optimized for the enterprise. Enterprise Edition reduces IT cost and complexity by providing tools that protect company data, reduce the number of required disk images, and ensure the compatibility of legacy applications.”

You know... why can't Vendors get it that even small businesses need to be run like Enterprises.. and why can't folks like Steve get it that it's a heck of a lot easier to get small businesses on the security bandwagon sometimes.  I'm not saying that all small businesses are like me, but in my firm, you don't have to go through forty million committees to get an Executive buy off.  You just convince me.  Just me.  Once you convince me, the rest of my firm comes along for the ride.

I mean ... I may be little...but that just means I'm a “Little Enterprise”.  Don't I have company data to protect just like big firms?  Don't I have just as many legacy applications that I have to ensure are compatible [which reminds me I gotta go see if Vista Beta and Quickbooks play nice...]  I mean you haven't seen legacy apps until you come into some of the farming communities that are using customized Grain programs. 

Sir, I don't need games but I do need application compatibility and security. 

But I'm little.

Just don't forget me, okay?

I mean I guess they have to have something that makes Software Assurance valuable and since I already have SA on SBS, I 'think' when I'd be getting new software I can add SA on the individual units that I purchase within 90 days of buying OEM software [at least I think I could?].   So I think I might still be able to get this for those machines I might want this version on..... but I think it's going to take another aspirin for sure.

Dear Mr. Ballmer - make the message clear

I'm not a marketing major or anything, but in reading the page about the upcoming versions of Microsoft Vista, can I just ask a favor of you?

Apparenly you have taken a page out of the US Government's House Ways and Means Committee and their never ending quest for Tax Simplification.  Those of us in the beancounter industry refer to these actions to 'simplify' as “Full Employment Acts for Accountants”.

We have in the umpteen versions of Vista - the “Small Business Edition”. Oh gawd, says I.  Includes the following unique features “Backup and Shadow copy support”.  Uh our server does that.  Castle and Server Join networking. Okay Castle is peer... if “Server Join” isn't the same thing as fully supported domain active directory full glue.... ala Small Business Server..... so help me ...

Okay so I probably shouldn't rant before having all the facts but I'm come on Mr. Ballmer...you are making it harder for us in the marketplace of Small Businesses called Small Business Server with XP Homes, this version BETTER glue and glue good to SBS boxes otherwise it should not use the name “Small Business edition”.

Don't ship anything... not Microsoft Small Business Accounting 2006, not anything that isn't fully supported without issues on a SBS box if you use the words “Small Business” in the name.

Just once I'd love it if your computer wasn't set up by Ron Markezich but instead you walked into Best Buy with a hat on your head or something so folks wouldn't recognize you and you go try to buy a computer and set it up yourself.

We already get headaches now with licensing.... don't add more.  Please.

Do you?

I was talking with a fellow SBSer about how he runs their business and he said that every morning he checks a console for the uptime of all the servers that he monitors in his company.  And I asked him, “Are you charging for that?” and he said... no.

Well why not?

Everyone of you that does any kind of making sure your clients are still okay, still making sure everything is working.... it's a service that you should be charging to your clients.

When USBs work they work...when they don't....

One of my tasks is to get data from 'there' to 'here' inside of our network.  So on a regular basis I'm copying cdroms, usbthumb drives, to the point where the other day when I was handed data on a floppy disk I sort of sat there for a moment as my brain wrapped itself around the idea of data small enough to fit on a floppy disk.  Wow.  They can fit that on one disk?

So now I'm fighting with a Maxtor OneTouchII that someone brought in that when I first stuck it in the USB connector of my workstation it found it and 'woke up' and assigned a drive letter.  But then it reported that the drive wasn't formatted so I stuck in the Maxtor software driver cdrom.  Well that was a mistake as now I have an 'unknown device', and it won't wake back up and assign it a drive letter.

And, of course, I uninstalled the Maxtor software but OF COURSE it's still all over the stupid registry. 

Why is it that USB's either work the first time... or they screw up and drive you to drink?

So ...Maxtor.... and all you other softwares out there...when I say “uninstall” can you PLEASE uninstall?

Who can protect us from clicking?

I was earlier arguing with fellow MVP [aka the Naked one] Nick about what responsibility we have for end users.  He had a situation where folks were surfing for music lyrics and surfing and clicking and Aurora gunk was downloading right behind it.  He wanted it stopped [and rightly so].  But here's the problem I see.

Spyware is big business today.

Worms and viruses are mere conduits for getting spyware on the box.  When vulnerabilities go for $20,000 a pop, when virus/spyware writers are making six figures in a year, that's the reality of the world we live in.

Yet I still get beancounters that don't care that Quickbooks demands that they run their systems insecurely. 

It's we...the marketplace out here that has to care.  All of these software vendors are in business and they will only push security to the point at which the marketplace cares.

Right now my beancounter crowd as NO CLUE of what local admin rights are even about. 

We have to get 'us' the marketplace to care.  To push.  To say to everyone, I'm sorry you cannot code like that anymore.  I cannot run my machine like that.  You have to protect me better.

XP sp2 cannot do it.  Not by default.  They will not put resources into it.  Vista is the name of the game, Nick.

But it's us, now, that need to get our vendors on board.  They are the ones that are going to drag us down, not Microsoft.

Remember you cannot build on security afterwards, it has to be designed into the product.  We have to think about it ourselves first.

SCW, Exchange Best practices,  the XP shared computer toolkitl.   All of these are tools we have to help us.  In the home space the best tools are still Dropmyrights and not running as Admin.

“But I can't!“ We say, “my vendors won't let me!“.  So complain.  Get them to take action.  To stop setting your risk analysis. 

I mean when you get in a car, you buckle your seatbelt right?  You take precautions.  You got trained.  Where do we do ANY training whatsoever on our computers?  Even in my own office, I cannot depend on the end user understanding enough.  But maybe they should?  Maybe, just like with a car, there should be more training so that they can operate it safely?

Blowing through the myths

September 8th there will be a webcast to blow through the cobwebs.

Attend this session to learn why Small Business Server is perfect for any large business under 75 users.  This session will debunk some of the common myths regarding the reliability and scalability of Small Business Server environments.  We will also discuss scenarios on how to use Small Business Server 2003 for the most complex server workloads such as multi-server environments, line of business applications, and Terminal Services.

Haven't we been saying that for YEARS?

How to sell to a Beancounter

There is one way to a Beancounter's heart. 

Free CPE.

So for all you SBSers out there that realize there is a potential to upgrade the Accounting industry and possibly get them off of Win9x and Word Perfect, here's the game plan for you:

In many areas of the Country there are local CPA chapters that are regional divisions of the larger State CPA Society.  These CPA Societies are the ones that can certify your presentation as CPE.  Do NOT make it 'sales-ishy', you must make it a learning experience.  Put a hook of Security in there.  Talk about how Gramm-Leach Bliley Act requires Financial Privacy.  Thus this weekend when I was watching the Hurricane coverage and they were showing ads for “Gotomypc” and the announcer was talking about how it was not problem getting the Firm's Financial Statement off of the Home PC without having to go home, boy was that a fun thought in my mind that if an employee would think nothing of leaving confidential client info on their home PC.

Contact that larger CPA society, and find the location of the local chapter.  See if they have a Technology committee that meets. Offer to do a presenation.  You do realize that for 4 years I ran the local Technology Committee here where I live before I became the State Technology Chair.  It was a fun gig because all these vendors would call and offer to present a program.  Write up an Outline, do 'death by Powerpoint' and plant the seed.  Remember how “I“ first got turned on to SBS?  In a CPE class.

Here are some ideas to help the Beancounter see the Advantage of a network

• Centralized Storage - ensuring that all the data is in one spot ensures that it's fully backed up and properly secured.  Charlie Anthe showcased an upgrade that he did where every workstation was mapping drives to each other's local drives and that totally blasts the rule of only set up those rights and privileges you minimally need.  All that mapping means that there is data everywhere and it's not getting backed up.
• Data never leaves the server - I purposely make the choice to NOT set up Outlook over Http.  Because I 'don't' want any offline data file storage on a laptop that may be stolen.  The fact that I can remote back in and never pull data off that server is wonderful in my book.
• Security - Compare and contrast the security of Remote Web Workplace to PCAnywhere.  Because, yes, that is the app you are competing with.  Point out that PCAnywhere uses two static ports and that if that router gets reset, there goes your access.  Whenever a software program starts off with “We use a proprietary encryption algorithm“ run in the opposite direction as fast as you can.  Notice that by version 11.5, they finally junked that and are using AES 256 encryption.  Now class what does RDP include?  Oh just these standard RSA RC4 encryption thingys.  So your first question should be ...what version of PCAnywhere are your running because it looks to me like those older versions need to be junked and fast.
• Multi-user means a network.  Now I'll be the first to admit that Microsoft has this problem too.  They build a package for 'multiuser' and we have to hack the package to get it on the server.  Come on gang.... a Network is just a workgroup with more toys.  All those mapping of drives from one system to another means that you've got major major goo and a major major eggshell network setup.  We can't set up this stuff like this anymore.  Especially not in a network for an industry that needs to realize that we have responsibiltiies to our clients to protect data.  SBS 2003 with XP sp2 puts firewalls on each computer only opening up those ports that are needed for operation and blocking all others.  It's called defense in depth.
• Sign them up for the MPAN program [which btw offers free CPA and an alternative to Quickbooks in the new Small Business Accounting]
• Oh and KILL OFF THOSE WINDOWS 98 WHILE YOU ARE AT IT

...do that and I'll stop yelling at them in the CPA listserves I'm in.

So it looks like they haven't changed in 5 years.

Let's see class how many wrong statements are in this list that was posted by “HappyFunBoy's“ blog post?

• sbs sucks...and is stupid - Hardly ... I think that partner is for having a closed mind
• sbs is slow, which is stupid  - Slow? What are you installing it on?  The minimum specs?  You know how they lie.
• running exchange on a dc is stupid  - If you only know how many firms I find running Exchange on a DC... you'd be amazed.  This is 2003 era anyway.
• putting everything on one server is stupid - Actually I prefer it all on the same box... I monitor it better than if it were strung out
• not being able to add other servers is stupid  - uh... did you miss the part where we can add additional servers in SBSland?
• sbs is a good idea for companies that will never ever grow, but stupid for anybody else - You do know about the transition pack?
• ms is stupid for not putting all this [cool] stuff in their "real" products - That's probably the ONLY good statement in this list.... except we ARE real.

You know... it really makes me question if I want to send customers over to “Microsoft Partners” if 5 years later they are still so stupidly closed minded to how SBS can absolutely ROCK for a dynamic small company.

But like HFB says... if you want to pass these customers by.... more work for him.

[BTW to make it clear... HappyFunBoy heard these comments by the TS2 attendees, partners that just don't get SBS even still.  He'll be the one reaping the rewards of SBS sales, not them.  I'm just surprised he didn't get up and slug some of these partners for saying this stuff.]

Dear Mike Healey

Dear Mike:

First off I have to apologize.  I'm picking on you because your name was in a CRN article about SBS.  You see you were labelled as a partner who “dislikes” SBS and that will instead push the midmarket bundle.  “Discounted software” you said and “let the actual customer needs dictate the number of servers”.  Yes Mike, let the customer needs dictate the solution, but don't close your eyes on SBS.

In 1998 I went to a class on networks and computers and in that CPE class I was first told about SBS 4.0.  I knew that it would be a perfection solution for my firm.  So I found a consultant who knew NT, but not SBS.  We muddled through, didn't screw it up too much.

So along comes SBS 2000 era and I went searching again for a SBSized partner.  And this time I was told “we don't recommend SBS”, “we find firms outgrow it”.

Yeah, right.  So here I am how many years later and still, there are Microsoft partners who turn a blind eye at their customers needs.  Oh they say they are listening, but I see the same pattern that I as a customer encountered.

You see, Mike, unless that mid market bundle, which right now is just a pricing bundle and has no 'specialness of SBS', has anything like SBS's killer apps of a monitoring email and Remote Web Workplace, all you are doing is hurting your Small Business customer.

Remember we 'can' add additional servers, member servers, additional domain controllers.  But if I'm a business owner that is in the target size for SBS, you'd really better show me a business value for 'not' being on SBS.  And it better be a good reason too. 

Rick Richardson at the Illinois Business and Technology show asked the audience “when's the last time you saw a killer app” to a room full of Accountants.  He said Visi-calc.

I said Remote Web Workplace.

I think I'm right.

Dear IT Pro Community:

HOW TO FACE OFF AGAINST MICROSOFT

Intuit has repelled the Redmond six times. Now it's defending its

largest business -- small-business accounting software

http://newsletters.businessweek.com/c.asp?id=583044&c=0a3482e76a3aa5ed&l=2

INTUIT'S BENNETT: READY FOR MR. GATES

Facing another onslaught from Redmond, the finance-software maker's

CEO says, "I love our position." Score so far: Intuit 6, Microsoft 0

http://newsletters.businessweek.com/c.asp?id=583044&c=0a3482e76a3aa5ed&l=3

-----------------------

I am a CPA in Californa.  On a pretty regular basis I deal with small business customers.  Some that have standalone computers, some with networks.  I have a trusted relationship with all of these small businesses. 

Just like how you install software better when 'you' know it.. just like how you have impact with what I call the 'wow' factor and word of mouth, so do I.  As a result Microsoft has just introduced the Microsoft Accountants Network to introduce my world to Microsoft's Small Business accounting 2006.  As part of this network my community is now eligible for free CPE and the Action pack [for $299 a year]. 

Now before you start yelling "Hey Microsoft, you are now allowing CPAs to use Action pack? You are taking software sales away from us",  Correct me if I'm wrong, but I don't think you make your income from software sales.. you make it on the labor and installation of the network. 

Microsoft is offering to my world because they realize too how much I influence software purchases when I am plugged in.

Now in these same beancounter communities are the "just good enough' folks.  The same people that when they raised their hands in a presentation on Wednesday and said if you ARE running Windows 98, you are sending a message to all of your clients that you don't CARE about the security of their data.  These are exactly the cheap, 'it's good enough people' that you can now go to and say, "here's a way to get software, to get secure, to get free CPE and all you have to do is sign up and check out this software bundle"

Also for this plan it gives them "business critical down" that includes things like printers failing on April 14.  To a beancounter ..that IS a critical down issue.

This week I was in Illinois and Cindy Bates of Microsoft indicated that the firm that "gets IT" has higher growth that one that doesn't.  Here's your chance as a consultant to go to that CPA in your area and show them the MPAN program and say ...it's time you killed off that Windows 98 machine.  It's not good enough ANY MORE.  Show them THIS link and tell them this is one time “too good to be true“ isn't.   

Now then my IT community out here... all you IT consultants... you talk to that CPA and tell them about how they can share calendars.  How with Audiovox Windows Mobile phones, the partners can check their calendars from anywhere.  That having their client data on a system hooked up to the Internet IS safe, and in fact with high speed access I would argue allows you to be more secure and up to date.

I told a room of 100 or so Accountants that if they thought the SBS 2003 product I talked about and used at my firm and actually demo'd was cool, that they needed to go and find an SBSer.  To go to YOU and ask you how many SBS installs you had done.  Be honest.  Don't say you have and you've never even seen the product before.   

Just remember if you don't treat my CPA community right, I just might hear about it.

A bit of customer service

I'm going to relay a story and see if it has any echos in the consulting world. I had an experience last night where I was expecting a level of service, but because the person in charge of 'my' experience was busy trying to help and support another person, I didn't get the service level that I was expecting.  Now I don't think the person who got the superior level of service is going to recognize how good of service she got.  But I'll never forget my experience with poor service.

We all have that kind of issue in the customer support world.  The “A” clients, the “B” clients and worse yet the “C” level clients.  You know what I'm talking about don't you?  You take the exercise of looking at your client list and grading them.  Giving them a grade.  Hopefully you don't have any “F” or “D” clients ...and if you do... you should fire them.  But if one of those “C” clients is taking time away from one of your “B” or worse yet, one of your “A” clients, you need to stop yourself and ask...why am I letting that client do this to me.

Be careful that your “C” clients aren't taking away from your other ones.

Now in my case ... I felt so strongly about it... felt that it truly was taking way too many resources from other consumers of the service to send off an email and complain.  Now keep in mind for all my throwing about of the 2x4, I'm a pretty laid back, tolerant person.  Okay so maybe I should put the 'caveat' of laid back and tolerant doing certain things or something, but all in all, I don't think I'm as intense in person as I am via email... you know how that goes.  So for me to ensure that I gave customer feedback in this instance, means that it made a lasting impression.

Consulting is a service industry... just make sure you service customers and clients correctly.

...not the success they thought it was going to be...

So I'm talking with Bob Scott of Accounting Technology and he says about SBS 2003 something along the lines of “it's pretty solid...but it's not the runaway success they predicted...”

...oh and that was a red flag in front of me....

...and it's funny...because here I am with one foot in the IT world and one foot in the Accounting world and SBS's success IS over 'there', but here in the Accounting world...where let's face it...we're CHEAP.... I have a hard time convincing folks that the technology that they think is 'good enough'...isn't.

Sorry Bob, but walk over here to the IT side of the world where it IS the success.  We just have to get the folks in my beancounter world to realize that they have to get 'it' and IT.

Sign up for that Microsoft Accounting network folks... you should have been here when Cynthia Bates of Microsoft was showing during her powerpoint presentation an video about a small business who realized their existing technology was a THREAT and not a resource.

Who's responsible for the goo anyway?

Donna points to a recent survey that blame Microsoft for the worm....

But here's what I don't get... there was a workaround in there... Null session... and excuse me but I've read/heard about null sessions being a bad thing for HOW LONG now? 

Let's analyze this... YOU Mr. network person, YOU Mr. Businessowner let file and printer sharing goo traffic INSIDE your protected network and you allowed annoymous connections. Remember the workaround from the advisory? 

“If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users.” 

WE KNOW we cannot 'trust' our networks and yet we are doing NOTHING to secure than any better than if you had an entire fleet full of Win9x machines.  I mean you are pretty gooey and creamy in the middle there.

As far as not rolling out patches as soon as you can, I'm sorry I'm getting to the point where truly..when's the last time patching desktops broke something so badly you had to roll it back?  I'm not talking servers here.. I'm talking desktops.  Honestly when's the last time anything happened?  Maybe we need to zone ourselves... speed up those desktops that are obviously pretty gooey...and protect those servers better.

Isn't it better to have a small % chance of breaking something on the desktop ....than Disneyland not being able to sell tickets?

If you think your OS is good enough 'as is' ... and not willing to update to a platform of XP and 2k3 that were NOT hit by this ONE BIT, well then you have to make your network less gooey on the inside.

I mean don't we roll out antivirus signatures every hour on the hour?  How is that different?
------------------------------------
A web poll of more than 1,000 business PC users1, conducted by Sophos, has revealed that 35% of respondents blame Microsoft for the recent worm attacks against businesses across the globe, which exploit a newly discovered vulnerability in the software giant's code.

Systems administrators are also feeling the wrath, with 20% of respondents blaming them for not patching systems quickly enough. 45% hold the virus writers responsible for the 19 worms, which all take advantage of the same flaw.

"The majority of users believe that the virus writer has to take the ultimate blame for deliberately creating and unleashing this worm to wreak havoc on poorly protected businesses," said Graham Cluley, senior technology consultant at Sophos. "But what is most surprising is that so many people blame Microsoft for having the software flaw in the first place. Users' anger is perhaps understandable as Microsoft's security problems and their consequences are felt by businesses the world over. Many respondents appear to be incredibly frustrated by the constant need to roll-out emergency patches across their organizations."

http://www.sophos.com/virusinfo/articles/zotobpoll.html

How to join a MCE to a domain

I almost called this post “the Banana” as you will see when you read the post on the google link.

Now I'm not one to advocate a 'non supported' solution..but.. well.. I just think it's totally DUMB that a MCE 2005 cannot be optionally joined to a domain.  I can't tell you how many people have said they wanted the 'coolness' of a MCE 2005 sitting in their conference rooms and once they found out it couldn't hang off the domain so that they could control it like any other box they backed off of it.

So ..here's the “Banana hack”

And Microsoft?  Realize that some of us are flexible out here and want these suckers in businesses? 

You probably also have no idea how much more sense a SBS makes in a Mac network over and above an OSX do you?  Guess I'd better blog about that one next....

Really we're not all like that....

Charlie has a blog post about a visit to his Accountant.. one that is still working on a 1980 vintage network. You know the type... one step up from a sneakernet.  What I love is already the “oh it ain't broke” posts at the bottom... “why doesn't he get a consultant to come in and fix the problems like a database instead of Excel and an email server setup”

Apparently they missed the memo about what SBS is... you... folks.. business owner?  CPA?  Attorney? Blog comment people at the bottom?  Folks?  Come over here... that's what SBS is all about.  It IS providing a database.  It IS providing an email server..and here's the thing... it puts in in a package that gives you the business owner way more control than you ever thought possible even if you aren't geeky. 

Oh and business owner?  Are you still using a AOL.com email address?  If so ...do you realize how lame that makes you look?  It's not professional AT ALL.  There is such a better way to be more effiicient in email, in saving files, in backing up, in securing your network it ain't funny.

In my own office .. I think back of how much more automated I am.  I used to have to manually install a/v signature files.  I used to have to sneaker net.  Now I can remote in FROM HOME.  Last Friday night in fact, I security patched the entire network sitting in my jammies. 

So many times in small businesses we don't know any better.  We just make do with 'good enough'.  Well sorry folks.... this is one sign of a network that was so broken it's not funny.

• No antivirus
• No patch management at all
• No monitoring of that server for security purposes
• No email
• No easy storage solution

Sorry folks...but that's not the sign of needing 'parts' thrown at it, that's the sign of a need of a solution in a box.

...oh and Charlie...we're not 'all' like that... some of us are using dual monitors [in face one of our guys in the office has four flat screens].

P.S.  ... that Accountant should.. if they are recommending and installing accounting software..to sign up for the Microsoft Accountant's network

Please note..while I know that the folks reading this blog are probably not small business owners still on dial up and Win9x, and I truly know I'm preaching to the choir and you already know how hard it is sometimes to convince them to change... remember two things... this beancounter embraces technology [yes there are some of us out here who do] and secondly there are times that the blog is cheaper than therapy.  Notice the category of “Rants” to the side?  This is a Rant.  Preaching to the choir of why SBS fits so well with a small firm, I know...but that's all it is... just a rant...

About that RSS branding Robert...

Scoble talks about how those Orange XML tags are confusing for newbies looking for RSS feeds and told to look for RSS feeds... you know that is even MORE annoying?  Those RSS tags that DON'T go to feeds, but rather link off to another page that has the feeds.

People BE consistent.

There are pages on the Microsoft web site [not sure if I should quite point them out though. they are a bit MVP related and I'm not sure if you can get to them without popping through passport ] that have an RSS icon and all they do is link to another page that has the XML real feed links.

Okay Robert... how confusing is THAT?  How about making sure that any page that has good info that gets regularly updated has an RSS feed.

Like this one.  See this page here?

Where's the RSS?  Heck where's the XML?  I don't see either one? 

Content should be read.  Good content should be RSS-d. 

'nuff said.

You could have 74 additional servers if you really wanted to....

Once again, let's get the misconceptions about the SBS platform blown away tonight shall we?

No... SBS 2003 does not have to be the ONLY server on the Subnet.  It DOES have to be the PRIMARY domain controller and hold the FSMO roles.. however if you really wanted to have 74 additional servers and no clients....

Go knock yourself out..it will support it.

I don't need a trust in a small business dude... I have two servers here just fine.

...next... dude.. that's Windows 2003 server that forces that documentation of why the server shut down... if you don't want it google and shut it off.. most consultants LIKE it because it documents when the owners have mucked with the server... and lethargic?  Lemme guess... you beleived the 'minimum standard specs“ of RAM didn't you?

1 gig of RAM and nothing less is what I recommend for a real production box...you can get away with 512....with a small one or two client network...but mine isn't lethargic one bit. 

Bored to tears waiting for me to ask it to do something yes... lethargic...no.

Yes I know... you aren't human...but you really are...

Yeah yeah I know...the Captcha thingy down there really sucks...but it was the best I could do at the time to get people from stop spamming the blogs... it was so bad that Christian was about to stop blogging...and as much as he blogs... you know it's bad.

So bear with me a smidge longer... we've been in this really long process of getting up to the new Community Server platform and somehow the summer is just racing by. 

I think I'm a bit like ~Eric's Brett.... he doesn't want to blog... I'm too chicken to upgrade.

Stay tuned and put up with the Captcha thingy just a smidge longer...okay?

Ever notice how you end up with screws leftover?

From the mailbag comes the request that I fess up what I have in hardware based on my talking about how I haven't migrated yet to my new computer....now you'll know I'm not a 'real geek' in that I have to slide over and see what the Intel [yes....I know... I couldn't break the habit and buy an AMD] chip is and all that... I can tell you it was a fun exercise in that I put it together.

Yes, you read that right... this is a NewEgg, Frys and CompUSA built machine...built by a GUI gal. 

The important parts about it is that the case is black.  Now the choice of black is very key here because it goes with the Mickey Mouse themed room that the upstairs office is decorated in.  A hovering Space Mickey is over my head along with the beginning of the trail of the pixie dust that Tinkerbell leaves on the ceiling as she flies out of the TV sitting on the TV mount on the wall over to the window behind me [yes, there's a Tinkerbell doll hanging from the celing.]  So since the monitor is black and all, I had to make the new computer a black case and all as well.  Regardless of the rest of the pieces...the outer case looks cool.

But since I'm sure the emailer wasn't wanting to know about the Black computer case....it's an Intel 3.2 GHz chip, 2 gig of RAM, a 250 Sata drive, one DVD/CDRW drive, one DVD/RW drive, Nvidia GeForce 6200 turbo cache [and I'm seriously thinking of putting in a second video card here at home for the second monitor as I have one at the office and there are time here at home that I'd really like to have a second one around], one floppy [yes even though I'll doubt I'll need it].  I'll have to ask my friend down in LA what the Motherboard is as he's the one that recommended it.  Tells you how hardware-ish I am doesn't it?

The lessons I learned?  Even though I READ the instructions...really Marina... I did!.... it wasn't clear that I was supposed to put in the two power connectors.  I thought it needed only one.  So that slowed me down a bit in the building of the computer until I figured that one out.  Next, make sure you get that goopy stuff called Artic Silver and you don't have to put as much as I put on there...but it works as when I first put the thing together the machine was pretty quickly shutting down and when it did work ...if you went into the bios it was reading that the temperature of the chip was too hot.  So it needed that silicon gunk as the wafer of protection it came with wasn't enough.  Took the fan assembly off the chip, put the gunk on there, stuck the fan back into place...and voila.. machine runs just as it should.

You do end up with stuff however that I'd like to complain about...

Screws.

..no not as in 'she's got a screw loose' even though I'm sure some might say that... I mean I always end up with leftover, weird sized, what screwdriver do you use with that... screws left over.  I have them all over the place.  Along with cables that I can't remember where they came from.  Somewhere there's a bunch of computers that are missing a ton of screws and cables. 

Call me.  I think I have them here.

Why doing a clean install of Windows XP is a good thing..

You cannot find options under "Use Extensible Authentication Protocol (EAP)" on a computer that you upgraded from Windows 2000 Service Pack 4 to Windows XP with Service Pack 1 or Service Pack 2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;902934

It's Knowledge base articles like that that make us recommend clean installs on Windows XP.

That said... I have to admit that I'm sitting here typing this up on my clunker machine of XP sp2 while my new spiffy super dooper SATA harddrive machine is sitting over there with it's side off waiting for me to hang one of these harddrives on this machine inside that machine to make it easier to migrate the 'profile' data.  Once upon a time we could just copy the 'wack' folder from one system to another and everything would just magically work.  But then someone invented...the registry.

Yes the same registry that the Scriptomatic guys joke that you are always reminded in KB articles that oh if you muck with this sucker you could blow up New Orleans in the process if you aren't careful.  I think the problem that we all have with people not wanting to migrate up to Windows XP sp2 from what they have because what they have is 'good enough'...I think it's also a problem of migration is still ...even with the file and transfer wizard...isn't good enough.  I know in my own office, if Word has a funky macro in the old machine and the new one isn't IDENTICAL, I'll end up with a messy normal.dot or a macro template that I muck around for hours trying to get back out of the newly built system.

..one of these days I'll be on my new super dooper computer....just probably.... well most definitely...not today....

APC's understatement of the year

On the APC web site is this tech note

“In order for PowerChute Business Edition to remain functional, users must upgrade to any version of 7.x. Due to expiration of the Sun Java Runtime Environment certificate, versions 6.x of PowerChute Business Edition will cease to operate normally as of July 27, 2005. Failure to upgrade will result in PowerChute Business Edition no longer providing monitoring and graceful shutdown of your system.“

What it really should say:

APC?  Be a bit more honest about this... I'm not looking forward to next Tuesday when we'll have that possible forced reboot for a patch day coming up.  Remember this only nails you after you've been forced to reboot.

Asking the hard questions...do you Mr. Vendor, allow me to patch?

When someone emailed me about an accounting application that would not certify installing patches on servers past Security bulletin 04-012, a patch released last April, I felt it was time to open up a new section in the "Vendor Hall of Shame" for those vendors that will not go on record as supporting security patches in a reasonable time frame.

PATCHING:
http://www.threatcode.com/patching.htm

If you would like to make submissions, the nomination form is here:

NOMINATIONS:
http://www.threatcode.com/nominations.htm

...who's feels that it's time we start getting a list of those vendors that we need to be more aware of so we can make smarter software decisions.  If they won't support us patching..and we're small enough that we can't test appropriately.....then we need to know these constraints ahead of time so we can protect and defend and mitigate appropriately.

Maybe we need to look into IPsec for domain isolation?  Maybe that's one way around this issue?  The point is though that we need to know ahead of time what vendors patch support policy is so we can decide to patch without support, use other means to protect and not patch, stick that server on an isolated segment and just in general plan ahead.  Knowing this stuff ahead of time before we sign on the dotted line.... maybe it's something that even we in the small firms need to start asking about when we buy software on subscription.. something a bit more long term line of business like than a box from Office Depot.

We've taken it for granted that we can just patch and not have to worry about non supportability.. I think we need to start asking the tough questions....

• Do you support restricted user?
• Do you support security patches if done in a reasonable time?
• Do you use a minimum of firewall ports?
• Do you use the industry's latest and greatest accepted standards for secure coding when dealing with highly sensitive data? SSL in transmission, Encrypt in storage?

Just some questions to think about...

The vendors who set your security policy

I got an email today from a friend who was VERY rightfully concerned that a Vendor was setting patch policies for his network.  How can that be you ask?  Well it's called “support”.... you see they would not certify and support that customer on a server who patched 'past' Security bulletin 04-012 on Windows 2003 server...they hadn't even certified Service Pack 1 for Windows 2003. 

Yet they went on to say that they really recommended [and oh really so does Microsoft you know, that you wait for Service packs as they are more tested you know I mean we'll point to their article called “Why Serivce Packs are Better than Patches” to prove our point ].  In the mean time they are giving no guidance for exposure, mitigation...alternative ways to set up a network that you were blocked from patching. 

After I picked myself up off the floor on that one..let's see exactly what that server is exposed to shall we?

So let's see what we are exposing ourselves to shall we [and this won't include next Tuesday's critical patches...]

• 05-037 - Jview Internet Explorer - Moderate [okay don't surf at server..but still]
• 05-036 - Color module - critical
• 05-033 - Telnet - Moderate
• 05-032 - Agent - Low
• 05-031 - Step by step training - Important
• 05-030 - Outlook Express - Important
• 05-028 - WebClient - Important
• 05-027 - SMB - Critical
• 05-026 - HTML help - Critical
• 05-025 - Cumulative IE - Critical
• 05-019 - TCP IE - Critical
• 05-018 - Windows Kernel - Important
• 05-016 - Windows Shell - Important
• 05-015 - Hyperlink - Critical
• 05-013 - DHTML - Critical
• 05-012 - OLE and COM - Critical
• 05-011 - SMB - Critical
• 05-010 - License logging - Moderate
• 05-009 - PNG - Critical
• 05-008 - Windows Shell - Important
• 05-004 - ASP.NET - Important
• 05-003 - Indexing service - Important
• 05-002 - Cursor and Icon - Critical
• 05-001 - HTML help - Critcal
• 04-045 - WINS - Important
• 04-044 - Windows Kernel - Important
• 04-043 - Hyperterminal - Important
• 04-041 - Wordpad - Important
• 04-037 - Windows Shell - Critical
• 04-036 - NNTP - Critical
• 04-035 - SMTP - Critical
• 04-034 - Compressed folders - Critical

...okay.. I'm tired of keypunching...do you get the idea that there are just more than a few patches that accounting vendor are recommending that you not install on a server running that critical business application?

They point to this article as to why the program is regression tested and certified only with the generally available releases of service pack, and that if the customer is in urgent need to install these updates that they set up a test system to try it.  Oh for the record ....that article recommends service packs and then applying 'selected patches' based on your network based on your needs....it doesn't say ...oh only patch so far and then wait until your vendor says they've finally gotten around to certifying patches.  Which is the way we really should do it...only apply just enough 'code' to our systems as we need.  But certainly not 'oh stop at 04-012 and call it a day...

So here's the consultant/admin/you name it stuck between a rock and a hard place.  He or she either takes on the burden of software patch testing on their own...setting up a test network on their own, or they wait until the vendor certifies them. 

I'm sorry but the words “we won't support you if you patch the underlying system that our accounting application is installed on” is unforgivable.  Honestly I'd hate to see the patch level they run their machines at... I mean really if they take such a cavalier attitude about patching YOUR most critical business asset ...how seriously do they patch their network and their systems?

Look...according to that vendor..they shouldn't even be patching for 04-045 discussed in Robert Hensing's WINS hack.

So I guess the only advice we can do is to totally separate our accounting data from the rest of our networks..isolate it... segregate it...ensure that it's on it's own subnet, acl'd to smithereens and IPsec'd and sandboxed or something?  Certainly don't be as blase' about installing it as we have been me thinks.  Maybe that's what we should do is start going back to these vendors that won't support patching and demand that they give guidance for alternative ways to set up our networks such that the accounting software is totally isolated and thus protected and mitigated against?

You would think that the Accounting vendors would be embracing of security and all things surrounding it...

I guess not...

It's pretty sad when I look around and can point to a number of Accounting vendors that just absolutely don't get it ....

Pave and Nuke

I have a workstation... it has malware on it... it got it from a clicking end user when they were a local administrator to that box.... because the annoying popups were so bad and the combo of XP sp2, Google toolbar, Trend antivirus, and Microsoft antispyware were not enough ..we took the box to where they only had restricted user rights...meaning they could no longer click and install.

So the last few days when it would boot up a file would freak out upon boot.. usually a dll...usually in the system32 directory.  So I knew I probably still had he critters left behind.  So I started looking at the machine.

First rule is to look for unusual services... didn't see any of those...so lets go to the next step where we look at the files causing the error.  ssayerxp.dll.  Hmmm...wonder what that is...and interesting...not on other machines in the office...nor Googlable.  Okay let's look at it's properties.

Now this is interesting... Digitally code signed with a Thwate Code certificate for NicTech Networks.  Remember how Peter Torr asked how could he trust Firefox since it wasn't digitally code signed?  So this IS code signed... so what does that prove other than I can now trust my malware?

So I called Microsoft Product Support Services and asked for a WOLF analysis done to ensure that the damage was limited to this box.  The good news it was [I'll be typing up a full article about that later] and this sucker is slated for nuking and paving.

That's right I said nuking and paving ...because even with all my tools, it wasn't until I put the workstation to Restricted Rights that the malware showed up enough for me to find it.

I don't trust the machine anymore.  Data is on my network anyway.  Backups are in place.

It's nuke time for that workstation.

A little bad advice

Like my prior post, sometimes there's an instance where someone gets bad advice.  And right now I'm seeing one issue with getting bad advice in the past.  Remember class, my history.... I was once told that SBS was too limiting for me....that I would outgrow it...that it wasn't for me.

Look around folks...now tell me that SBS is limiting?  Let's see...oh yes... Remote web workplace where a co-worker is logging into from overseas...oh yeah..that's limiting... or Cell phones that sync up with the mail server... ah yes... see how limited I am?

So when that firm has indeed listened to a partner.. a Microsoft Partner in fact... I'm sorry...but I don't think it's right that they should now suffer and not be able to get any kind of version upgrade rights into SBSland from 'normal' server.  Alas the migration from Windows 2000 [plain] to SBSland is not seen as an upgrade/version upgrade or anything that qualifies the customer who got bad advice to a slightly better deal. 

Now... you know me.. I certainly call a conversion from plain Windows 2000 to SBS..ANYTHING above a 2000 version an upgrade.  I mean ... we have so much more to offer than plain server it's not funny.

Call me silly, but I think it's even more silly that the customer who thought they were getting a good recommendation...didn't.  Especially now.. some would argue that there were major drawbacks on the SBS 4.0/4.5 platform, less drawbacks on the SBS 2000 platform... for a firm in the 'sweet' spot, it's just a shame that they have to now pay for the bad advice they got.  Even in the SBS 2000 era... SBS was seen as a bit of a 'runt' box and cut down... 'oh you have a limited version of SQL don't you?' ...uh...no you are thinking of SBS 4.5... so it took a long time for Microsoft partners [remember MY story about how I had to insist on SBS?] to deploy SBS 2000 and you pretty much had to get someone wacko enough to beleive in the platform.

So I would argue that it's now a bit hard to say ...gee you should have gotten a better Partner recommendation...when it was 'buyer beware' and the customer had to insist on SBS in many cases.

Other examples of bad advice... don't buy Full retail/packaged product of SBS 2003...buy it via open license.  It gets you into the Open license model where EULAs and CAL codes and what not are kept track of for you.  As a customer of SBS, make sure your consultant talks about the options you have in licensing... if all he or she does is bash Microsoft... go get a new Microsoft partner...a Small Business Specialist in fact [just got the welcome box today as a matter of fact]

Oh...and one more bit of advice?  If you ARE selling/installing SBS and you aren't a Microsoft partner...arent' considering going for the Small Business Specialist designation...if you are not a hard core SBSer and planning your trip to Seattle and SMBnation, the SBS lovefest? 

Why not?

How many employees can a SBS server handle?

And no the answer I'm not looking for is 75 users or 75 devices which could mean hundreds of potential users....how many Accountants can use a network built around a SBS server as a foundation?

Well according to engineers at Dell, not 35 beancounters.  It drives me crazy when Dell or any dealer blows past the 'sweet spot' of SBS... the range of about 20 to 40 users and tells folks that SBS cannot handle multi server environments.

Let's review what is the killer apps of SBS and why... if you are in that 'sweet spot' of head count... you really and truly need to question your sanity as to why you are passing this up.

• Monitoring email - the daily in your face to the admin email that keeps me aware of what's going on in your network.  Don't get it anywhere else but SBS.
• Remote Web Workplace - just enough connectivity but not enough connectivity.  Get those boxes on XP inside the office [which I would argue you SHOULD anyway - and dude... the benefits of remote access are just too good to pass up
• The wizards... someone the other day was asking about changing the IP and I said we had a wizard for that among other things... at the end of the conversation... he was joking..what DON'T you have a wizard for?  The point is they make our lives easier...don't fight them ...they are the 'tao' of SBSland.

Now then... let's review what we can add to a SBS server to make it fully workable ..and I would argue the one to choose in a firm that is in that sweet spot ...but still need the multi-server setup.

• Can we add member servers?  Yes.
• Can we add servers to be a Terminal server? Yes.
• Can we add servers to be a dedicated LOB SQL server?  Yes.
• Do we need server CALs for these?  Nope.  Covered by the SBS server EULA.

Right now the biggest drawback to SBS 2003 is honestly the size of our Exchange...16 measly gigs of space...BUT the fabulistic news is that in Exchange 2003 sp2 [due out later this year] this goes up to 75 gigs.

As a general rule of thumb... I would argue about 1-25 people need one server ...yes you read that right ... I said one person....as someone installed a SBS 2003 server for just one person as he wanted OMA/Smart phone sync ability [which ... I must admit...is really cool].  25 to 40 you probably want a second server...or... your line of business application forces you to a second server.  Regardless... I am proof positive that making the SBS as your 'base' and adding servers makes sense.

P.S... need to migrate 'into' SBS? We can do that one too.

..and 100% of Quickbooks users...

 http://blogs.technet.com/tonyso/archive/2005/08/01/408487.aspx

This article says that Microsoft's research indicates that 85% of corporate users and 97% of consumers are running their machines as administrators, according to Neil Charney, a director of product management at the software vendor. Charney said the company is hoping those percentages will decline as a result of the User Account Protection feature.
Read up on UAP here.

And I would argue 100% of Quickbooks users.....

www.threatcode.com  Get your vendors on the LUA/UAP wagon...and get them on it NOW...

..okay make that 99.99999% of Quickbooks users because I know a few that have indeed taken the time to wack the hives and gotten it to run a bit more in restricted user.

I hate ClassesRoot

Steve Riley in an ITShowtime says that most programs that can't run restricted user write gunk to local machine or user or whatever he said ... [it's a great series...I'd strongly urge you to watch/listen]...so here I am fighting with a workstation ...not with Quickbooks restricted user..but our Time and Billing program.

Practice Solution  3027Cannot Update.  Database or object is read-only.

Grrr... and when I go through the registry looking for places where this writes.. man almightly is this sucker all over the ClassesRoot hive just like Quickbooks is.

3027 is an Access error message and yes, this is running on an Access 2000 runtime program... so I'm off to hack the hive some more and let you know what it turned out to be...

Well no wonder this sucker is all over classesroot.... “It is primarily intended for compatibility with the registry in 16-bit Windows.”  I love that we get updates on a yearly basis for these line of business applications and they are coded like I'm running Windows 9X.  I hope someone tells them there's a new operating system in beta and do plan to code for it in the next century or so....

Update:  I had to open up permissions to C:\WinCSI.NET folder on the local drive and to get rid of all the Windows\System32 funky dll errors that would pop up after booting, I had to remove each item from the startup menu with the exception of the ISA 2004 firewall client. 

Someone, I'm not sure who, said this process takes ten minutes to figure out what programs need to run in restricted user.... I guess my clock is slow or something as I've yet to figure these suckers out in less than an hour....

One more restricted user/LUAized workstation... more to come...

Dear Steve:

Dear Steve: 

I used to call you Mr. Ballmer, but we've swapped emails a rare time or two [yes he does email back] and I've used this blog venue a time or two as well so I think I can call you Steve now.  I just read where you announced in front of a bunch of beancounters that you'll be selling a “new” higher priced version of Windows and Office that will be high end desktop editions. 

“We have plans in the Vista generation to introduce an Enterprise edition”

Oh please don't.  It's bad enough that we have to deal with convincing folks that Windows XP Home is ...well..for HOME and not for an office, it's bad enough that the Dell Small business sales catalogs feature XP Home, it's bad enough to wade through the versions of Office [and no ..the Student and Teacher edition should not be a valid version for a small business].  But when you say you'll have an “Enterprise version” that will have high end features...watch it, Sir.  You know us small businesses can [and many times do] have more of your new technology than older firms.  I'm 110% Borg now [the added 10% is due to the Smart Phone we just got].

Don't say “Enterprise” and only think Big Business.  Show me a large firm and I'll show you a lot of older stuff.  Show me a small firm and I'll show you a firm that's a lot more agile.

Be careful in your targeting of this product, Steve.  “Enterprise” is a state of mind, not the size of a firm.

We're looking to start a support group for former Enterprise Admins who are now SBSers

<with special thanks to the fabulous, beautiful, charming and brilliant Lanwench who graciously allowed me to steal this from something she wrote about her thoughts about SBS.  In this post she lists all the things about SBS that may [will?] drive Enterprise Admins to drink about SBS>

Some things that people will need to watch out for – especially after they do it the “old fashioned” way the first time and then realize that some features don’t work right:

• When setting up workstations themselves, don’t name them what you want to end up with – you have to add the computer accounts using the wizard and then pick the name you wish for that PC during /connectcomputer
• Don’t change OU names, or move computers out of the SBSComputers OU – if you don’t create the computer accounts with the wizard, or if you rename OUs or move a lot of things like group policy won’t work right, annoyingly!
• Don’t move users out of the default OU either
• I believe that the template account one uses when creating new users with the wizard doesn’t set up roaming profile paths (not sure) [Susan – no it doesn’t, this is another wizard]
• During the SBS Setup, presuming one has configured one’s hardware RAID already & created the system partition, one can simply cancel out of the wizard when it’s time to select the paths for various things like the users’ home directories, data folders, profile folders, etc – can create the additional partitions/assign drive letters as needed, and then click the ResumeSetup shortcut on the desktop. The doc/wizard doesn’t make this obvious. Or, one can alt+tab to computer management/disk management & create the Exchange/data partitions then, and then go back to the setup wizard
• User quotas are enabled by default (I think) – if one is like me, and hates these, turn it off manually [Susan – by default and yes I turn them off as well]
• Circular logging is enabled by default in Exchange – if one chooses to use NTBackup instead of SBS Backup, this will not be changed, and must be deselected manually in ESM
• (I don’t remember whether the mailbox quotas are set up by default on the store, or, if they are, whether the dangerous “third trigger” is set – I don’t like or use that one) [Susan  - on by default, I also turn them off]
• The CEICW needs to be run as it is entirely possible to do everything it does manually, but it takes a lot of steps – in IIS, access to OWA and RWW, etc., will by default be set up to deny connections from anything other than localhost & the LAN IP range
• The POP connector may sound like a great thing, but don’t use it – get your client to register a domain name & host his own mail. POP is for clients to talk to servers, not for servers to talk to servers…and you shouldn’t turn your server into a client anymore than you should turn your server into a router (the latter is the opinion of this writer and does not reflect the editorial stance of this station)

Note: SBS is a great bargain, but you have to do a tradeoff of sorts. You can get an SBS network functioning pretty well without using the wizards for some stuff, but not all of it (until MS decides to release a painfully detailed doc outlining *exactly* what, and where, the wizards do stuff). IT Pros may not like “black boxes” (I don’t!) but for the price point on SBS it’s worth it to most small businesses – so one has to cede a degree of granular control if one wants things to run properly. It is *always* good to know what is happening under the hood of any system – wizards should not be a substitute for knowledge, but just give up & run the wizards and it will work out all right. There is probably a therapy support group for enterprise-product admins who have gone through this. I’m looking for one.

You know you are a geek when...

You are standing in the bank and you recognize the exact make and model of the Dell small terminals they are using as teller workstations.

You stand in such a way to see the screensaver so you can see what OS they are running [Windows 2000]

And when the teller is unable to do a search and brings over another teller and says “This is giving me an error message saying I have an ODC error and it's not giving me any results”

...... and you stand there as they are discussing the issue for a bit before piping up and asking “Is that an ODBC error?” 

“Oh yes”

“uh if it's an ODBC error that's indications of an underlying problem connecting to the database and you won't get any results back”

And now two bank tellers are a little more knowledgable about their computer systems and the standard errors that indicate ...just take the money of the person who drove to an ATM to get it and send her on her way and deal with it tomorrow.

I argued with a computer today

So I'm at a bank and in order to complete the transaction with involved ordering historical items, I needed to pay for the copies of the items.  Problem was, I wasn't a customer of the bank.

Do you take checks?

No, cashiers check, cash or money order.

Okay.

So off I go to find the nearest ATM...

So I call the cell phone 411 and instead of just talking to a human at that point I talk to the ATM finder computer system for a Bank ....a Bank that's located ...in America.

Would you like to find an ATM or Branch by zip code, street or phone number?

hmmm how about City as I don't know the street..that's why I'm calling... okay let's try street.

Street.

Please state the City and State.

Clovis, California.

That was Delano, California, if this is right say yes, otherwise say go back.

Go back.

Please state the City and State.

Clovis, California.

That was Kerman, California, if this is right say yes, otherwise say go back.

Go back. [grrrr I'm thinking]

Please state the City and State.

Clovis, California.

That was Calwa, California, if this is right say yes, otherwise say go back.

Go back. [No, I'm thinking.. CLOVIS...geeze, I mean I am on a speaker phone and sometimes I don't pronouce words as clearly as I should but geeze]

Please state the City and State.

Clovis, California.

That was Colma, California, if this is right say yes, otherwise say go back.

Go back.  [really grrrrr now, how can they not hear CLOVIS, I'm really pronoucing the word as clear as I can now]

Please state the City and State.

SEE - ELL -  OH -  VEE -  EYE -  ESS .....Clovis, California

That was Kerman, California, if this is right say yes, otherwise say go back.

Go back. [in a very loud argumentative voice this time]

If you'd like more information, please visit our web site at www.bank that is in america.com.

I'm in a CAR for heavens sake obviously not paying the attention that I should ...how can I get to your web site?  I haven't fixed the Audiovox yet for one!

I called the Cellular operator. I told him it was so nice to talk to a human. 

"I haven't got the slightest friggen clue what you just said."

Sometimes you get the funniest things said to you.  It all started when someone asked how to stop spyware and even with Firefox and a firewall they were still being infected and overwhelmed.  And I told them in addition to the Microsoft Antispyware tool that they really needed to pushing to stop using local administrator and instead try to move to restricted user mode to better protect that computer.  That antispyware software wasn't enough, that we truly needed to stop running our computers with local administrator rights. 

I knew though that they will have line of business applications and thus won't easily be able to do this.  So I explained that they needed to urge their software vendors to better support 'restricted user'.  And as a result of my email .... the response that came back was.....

"I haven't got the slightest friggen clue what you just said."

Steve Riley says tonight that he and Dr. Jesper Johansson have an idea for a second book for home users [you do know about their first book don't you?  You should!], and there's a section in the outline that talks about “Running with least privilege”.   But already I can hear the poster that said that to me, read that outline and go ...... “I haven't got the slightest friggen clue what you just said."

And there's the rub.  Here it is a basic foundational rule in security... only give those rights that you absolutely must, and most of us haven't got a slightest friggen clue about what it's all about.  Aaron says “The security principle of “least privilege” is well understood:  Software should run with the smallest set of privileges needed to perform its tasks. “

Understood by whom?  Certainly not with the folks I hang around with.  Certainly not home users.  Certainly not buyers of software that haven't a clue that that Accounting application you just bought, that is a pain to make run as restricted user, is actually causing you, forcing you to run your system in a very insecure way.

Even in the Ebook/College notes for the Teen's guide to safe computing “Always use Protection”, I don't see where Dan talks about restricted user at all.

So here's to the day that I don't say the word “restricted user” and someone doesn't say ....."I haven't got the slightest friggen clue what you just said." 

In my view it can't be soon enough.

I had a local admin on a desktop...I don't anymore

One more down... a few more to go.  Slowly and surely I'm taking back the use of local admin from the workstations.  Yesterday one of my computer users got one more pop up on her IE and it was driving her crazy.  So I sat down and tweaked up the registry so she could run as restricted user.  Now you can say that if I had her use an alternative browser that would be the solution, but that's not the issue here.  It was clear that she had been tricked into downloading things.  So the important part wasn't to change browsers, but to protect her from getting tricked into clicking and installing.

More importantly too is that any application that requires...that demands local administrator should be put on notice that Microsoft “Vista” [the new name for Longhorn] has got a name and is that much closer to doing more on LUA.

It's time to take back our rights and throw out those local administrators.

P.S. One of the reasons that her desktop was relatively easy to LUA ize....no Quickbooks on hers.

The perfect solution for a small business

If you read this article you would think that the answers to your prayers is Open Source software because of course..it's free.

There's one problem with this article.

There's only about 1%...maybe 5% of the world's small businesses can take a 'free' software and customize it, and do what they need to it without an IT pro that knows what they are doing.  The rest of the civilized world when faced with software problems on EITHER 'free software' or Microsoft software spend THEIR TIME AND ENERGY making that software work.

Newsflash for you folks -- your time is VALUABLE.  Put a rate on it.  And the next time you are banging your head on an issue, add up your cost.  Take for example the issues we've had with Service Pack 1 on SBS.  You do realize that when there are issues with security patches and service pack installation issues on SBS it's a free call?  You do realize that while I would say the newsgroup rocks, there is a team of Motherships out there to support SBS?

Nothing is life if for free.  It takes time and energy to implement.

What you really need is good advice, someone to tell you what works, what they've implemented before for your sized firm.  Going to anything 'free' does not mean your budget for IT will be less.  I've migrated too many times to know there is a loss in productivity.  That learning curve is NOT easy.

So maybe learning new 'free' stuff works for some...doesn't work here.  And certainly not something that most small business owners care to do or take the time to figure out.

They need to do their job, not learn how to compile or roll their own patches [as the Open source community are apt to tell me is one of the benefits].  Pick the right software, but above all else, get the software that is supported for YOUR sized organization.

That is truly what is important.

MCE on a SBS domain

Media Center Edition.  Think it's just for the home?  I think there's another untapped marketplace out there.

At the SMB Technology Network several of those in attendance mentioned that they were getting asked about installing MCE in the businesses' conference rooms.

There's just one problem... they can't join a domain.  So unless you use a googlable info on having them join a domain, use “pass through authentication”, you really can't have them in your SBS network [you know me on wanting to make sure all workstations are controllable].

I still say everything should be domain-able....but that's just me....

p.s. when I say domainable -- I mean out of the box and supported by the vendor...not upgraded from 2004, not only available on a clean install, not there if you hack it... I want it there all the time in a supported condition.

The incident

Longhorn following Unix on security? | The Register:
http://www.theregister.co.uk/2005/07/11/longhorn_security/

"In October 2003 someone asked: 'How come, when I go to a Windows machine, everyone has to be an administrator?'," Nash told conference delegates, referring to an incident at Microsoft's partner conference two years ago.

Jeff Middleton SBS MVP asked that...and yes we SBS MVPs are very proud of that fact.

Don't forget...it's up to us to now push our other vendors.

The shades of color between black and white

Someone posted something...and me in my stupid reactionaly opinionated way, emailed the poster back and argued that the point he made was missing the bigger picture.  I argued that with XP, the use of blank passwords wasn't the threat it used to be and that in a home setting, may not be as bad as you think.  For example, the default setting in XP is that you cannot connect remotely to the Administrator account over the network if the local Admin account is blank.  I've tried it... once when I forgot to set the local Admin password and I was trying to do something remotely and it failed.  I applied domain administrator credentials and remoted to that machine just fine, applied what I 'though' was the local admin and no go.  Well I finally realized that I had a blank local admin password.

Bottom line in the emails that went back and forth...and before he finally blocked me from emailing him, I couldn't get him to see any different color than what he wanted to see.  I tried to tell him that Dell Optiplex's don't do this.  That a blank local administrator password [assuming you had physical security] was in some cases actually more secure, and that if you had physical access [which is part of his post] ...you could just reset any password set up anyway.  I've done that several times myself.  And here at home with my not yet domain-ed new workstation, it hides the true local administrator in the User account view.

Remember law number 3?  If I have physical access to a computer the game is over.  That the fact that a password is or is not there is irrelevant now?

It gets back to users [and I would argue home users] don't want to be bothered by all this information.  We already have information overload, too much spam and my hairdresser still says she hates computers.  They want security handled for them.  Managed.  Made easy.

So many times, myself included, get stuck in this black and white view.  That there's only one way to do things, one way to secure things.  Heck... you tell me that you don't like ISA server, that you are setting your SBS up with one NIC and I'm practially hyperventilating.  And really I shouldn't.  Because there are indeed may ways to secure things.

So Michael?  I know you won't read my emails anymore, nor will you probably read this, but the fact is we've got bigger security problems to worry about in my view than this one.  I'm still ranting about applications that require administrator access, or ones that don't secure data properly.  I'm complaining about the bloatware on Dell OEM machines.

I'm not an idiot.

I just have a different opinion than you.

And that's okay...because you see there are indeed shades of color between black and white.

The human impact of Sasser

You know...too many times we live in a fast world and don't think about the impact that technology has ...good...and bad....

In Stepto's blog [Stepto works for the Microsoft Security Resource Center] he talks about the personal impact Sasser had on him.  Makes my impact in Vegas last year ...pretty trivial.

You know.. behind 'big bad Microsoft' there are people.  People that care.  People that do work hard.  I'm mean yeah I'm sure they also hire jerks a time or two, but all in all behind every cold company is a bunch of just plain old people like you and me.  Wanna know what wacko thing I did?  Just to say thanks for being there and monitoring security 24/7... on New years eve I sent an email of thanks to Secure@microsoft.com right at [or right near anyway] midnight my time.  I mean yeah it's their job...but that's still someone giving up time away from their family on a major worldwide holiday after all.

I got an answer.

I've emailed Steve Ballmer...and every time SteveB@microsoft.com emails back. 

P.S.  Can't say the same thing for Michael Dell.  Never got an email back....

Perhaps he needs to hang around the Security newsgroups a bit?

CNN.com - Sasser author gets suspended term - Jul 8, 2005:
http://www.cnn.com/2005/LAW/07/08/sasser.suspended/index.html

Okay let me get this straight....because he 'created' the virus when he was 17, but only released it on his 18th birthday and thus not an adult.....he's on probation for 21 months and only 30 hours of community work?

Honey... sit him down in the Microsoft Security Newsgroups and make him answer newsgroup questions at 1 hour a day for those 21 months.  Now THAT would be proper treatment of this guy.

I was in Las Vegas and Tech 2004 when Sasser hit and I'm sorry...but 30 hours of community work for the impact of that worm is a total joke.  We had entire vendor booths that were put out of commission and thus looked a bit foolish at a technology conference.

Folks, until we get judges and laws that realize that this is a crime, that it has major impact... I'm sorry but this is a bit of an insult for all in the Security community who fight so hard against the bad guys, worms and viruses and what not.

Yeah give him a second chance...but make that community work have a bit more impact than this...

....oh yeah..and one more thing.....he now has a job.

The Motherships

If you are a reader of the blog you'll have heard me talk about the “Motherships”.  Basically it's those folks around the world that are tasked to keep an eye on us. 

Sometimes those folks need our help.  On Charlie's blog is a reminder of the power of 'us' reporting into the “Motherships”.

Right now they are seeing rare BSOD's in applying Service pack 1 on SBS machines.  Now it could be related to the Dell Open Manage [you know where you have to be on 4.4 and not on 4.3] but maybe not.

IF YOU GET A BLUE SCREEN... don't hesitate one single second...don't walk but run and call Product support services and ensure you say you are a SBSer [uh...but....don't ask for the SBS Mothership because they probably won't have a clue of what you are asking about]

Then work with that PSS Engineer to get a dump up to them for analysis.  A blue screen on a computer these days is normally driver related and most of the time I don't see it affect data...your sanity yes....but not data.

So bottom line if you are seeing this... CALL.  And don't let that US $245 stop you either.  When it's an issue like this..due to a service pack installation they will not charge you.

To my hero[s]

To the consultants that see SBS as a solution to a business needs.

To the consultants that refuse to install Terminal Services in application mode on any domain controller.

To the consultants who refuse set things up insecurely.

To the ones who will lose a job rather than reduce the amount of security they recommend.

To the consultants who push clients to lock down desktops, install XP sp2, lock down Exchange, install SP1 and WSUS

Thank you for that.

Keep up the fight.  We need you doing the right thing.  Setting the bar.  Thank you for that.

An interesting comment tonight... “one thing we say to a lot of our enterprise customers is you should be more like our SBS guys..... they generally don't have spyware and malware problems....but the big guys do... Why?  Because it's actually quite easy to lock down a small business network you just have to convince the owner...and it can be deployed very quickly....“

Oh can I kiss the man that said that?

Dell, OEM, WSUS and Ed

Reading Charlie's blog  on an issue with Dell Open Manage 4.3 and below and SBS 2003 sp1, reminded me that I've not seen any resolution for you guys on the issue with getting WSUS installed on Dell OEMs. 

For one, because I don't have a Dell OEM, I can't get a support ticket opened up to ask about it and there is nothing on their Service web page that I can tell that confirms or denies the issue we are seeing where we can't get WSUS on a Dell OEM machine.   It's getting stuck on the Dell supplied IWAM account ...and while it 'shouldn't matter' ...apparently it does.  I don't like to be too alarmist if I don't personally see an issue, but all I know is that I've had too many folks report this issue to not take it as gospel.

Ed complains that Bloggers shouldn't get preferential treatment when we publically complain ...and Ed... I quite agree with you.  In that respect my blog is no different than the 'full disclosure folks' I rant about.  One shouldn't have to have a vocal hissy fit about something that is broken to get it fixed, the vendor should just do something about it. 

For me, I'd personally like it if Dell would have some sort of designated liason with the SBS community.  I'm sure we sell enough Dell boxes around here.  But when we're just hitting a brick wall ...sometimes it just makes you feel better to hiss...well, just a little anyway.

So for any of you folks that ARE seeing this issue and DO have a Dell support contact?  Can you do me a favor and see what the status is of this?  Feel free to ping me or contact via the blog.

Hotfix? Got yur' hotfix?

Microsoft Hotfix.  I need a hotfix.  

Need one.  And normally at like 12:30 a.m. on Saturday night... I don't know what's up with that.  Call the 800 number for Microsoft.  Press '3' [at least I think it's 3?].  Rattle off, “yes I need hotpatch blah blah”.  Talking to a very aware and awake person at 12: 30 a.m. in the morning even.  Okay.  Email address is “blah“.  Got it.  Yes I know it's not regression tested.  Yes I'll put it in a test network first [yeah... I'm testing it in my production network..]  Done.  Sent.  Received.  Got it.

End of transaction.

Antivirus vendor hotfix [for a firm that will remain nameless]

Call for a hotfix.  It's an 800 number but only Monday through Friday until 5:00 p.m. Pacific time [uh..okay] So I call... I say I need a hotfix.  The guy asks 'have you tried to change the registry to '1' and see if that works'.  “uh, well since you close at 5 and I have to do the computers after 5 in some cases I want to have it just in case”.  “ok”.  After a bit of back and forth he indicates I need to be called back by a next level engineer. Which of course means....tomorrow.

By the way this is the fix for the 'roaming clients' i.e. laptops that won't connect back to the mothership to get their dat file update.

But why is it so hard to get hotfixes?  I mean we complain about Microsoft's procedure [and admittedly in the USA I'm spoiled as I CAN get them 24/7, some of my fellow SBSers are not as lucky as I].  So why can't you stick them on a web site, let me click through something to register for them so you can follow up, and just let me download.  You don't have hours that match up with SBSland's need for technical hotfixes, so why make it difficult like this?

Just seems like this could be streamlined is all.

What time is it?

What time is it?  No, really, what time is it?  If I wanted to meet up with you at 8:00 a.m. tomorrow morning and you were in a different time zone, what's the best way to make sure that I arrange to meet you at the right time? 

It's a little thing that I take for granted but has been nailed on a couple of times and in fact found this very Tablet PC didn't have the little check box checked to ensure that daylight savings time would be automagically converted at the right time.

So here I am doing my rant about the issue that I have about OEM machines not “keeping' that check box even though as you load up the computer you check the box.  So much so you should have heard me and John Levy at the AICPA Tech Conf.  He argues that outlook should not be hooked to the computer time and in fact should be relative, whereas I beleive it has to be based on GMT.

Well imagine my surprise when I've heard of a worse issue than mine.  Because we are a world wide world and global community, we need to worry about what time it is around the world.

Fellow MVP Steven Teiger brings up his headache about time greater than any headache I have.  In his time, the government sets the time zone when they decide and not by standards. 

Can you imagine not having your time automagically taken care of, but rather, on the decision of politicians and thus you have to scramble to make the time change consistently?

If you've never had to unscrew up a Group calendar when the calendars aren't in sync, well you just haven't had fun.

So next time you complain about that annoying check box that doesn't keep track of the time, there's someone else who has to deal with something way more complicated than you do.

Standardization is indeed a good thing.

The Advice

Was watching a show on Showtime about “Life Coaches” and the statement was made that we don't take advice seriously until we pay for it.  It's funny I was just talking about this the other day to a fellow MVP about how it amazes me that people will not pay the Server price call of $245US to Support, but instead will bang their head on an issue.

When something happens in my network, I have various tolerances for 'action plans'.  If it only affects me, I'll put up with the issue and google.  If it affects the entire office, I've got the credit card out and calling.  We're not making 'wigits' if the network is down and thus the more people that are affected by issues, the faster I'm calling.

While my SBS doesn't go down much at all, when I do have issues, calling in the proper amount of help and not spending hours on an issue just is not a reasonable plan.

Ask yourself.. how much is this network affected? What are they losing?  Can you work around the issue?  You know XP workstations can use cached credentials and they will log into the local profile.

Just think about that the next time you spend hours on an issue.... how much ... what's the real cost of that call?

It might be less than you think.

Duct tape, plastic and cardboard

I hope you forgive me... normally this is a technical blog. But tonight I've been watching Apollo 13, a movie I've seen before, a movie I know exactly how it ends, but no matter how many times I watch it, I end up during those last four minutes grabbing a kleenix and just getting inspired about the power of man [or of woman for that matter] to make a difference.  With impossible odds, with plastic, duct tape and cardboard, a group of minds overcame hardship, overcame technological odds and brought three men back home.

It reminds me of the power we have as humans.  Don't think we do? Listen to the reading of this American document that is always empowering to me.  I'd rather not think of it as a document of war, but that's what it is, isn't it?  But I don't consider just an American document, I consider it a worldwide document of the power of an idea, the power of humankind, the power of change.

I think I was about 11 or 12 years old when I visited the East Coast and saw where this document was born.  I still remember putting my shoes on the worn doorstep and walking into the room where this was written and thinking that I just stepped in the exact place where over 200 years ago, people gathered to decide to take a stand.  I stepped where those men stepped.  I stood where they stood and thought of the declaration they made for change.

Listen to the words.

Remember these words were written by humans, normal folk like you and I. 

It always reminds me, inspires me that we can make a difference.

We've come a long way as mankind since then.  We've gone to the moon and back.  Heck, we're doing a bit of space stuff this weekend even.

My wish is that we do more to realize that we're all in this world together and get along.  That we've got a small planet.  Really just a dot.

Call me silly, but to me the daily war you and I wage out here in keeping your clients safe and secure is more important than any national issue.  It is a war.  One that I have every confidence that we can win.

...and don't forget... duct tape, plastic, cardboard and and some smart thinking got three guys in a broken space ship back home.  Just think what we can do with the technology and brain power from around the world that we have now.

News at 11

So we're a bit high maintainance females

You would think Anne and I would fight over the TV station or where to eat or which sink which one of us is going to use in the hotel room..but no..we fight over the high speed access.  Thus this time in my geek travels I brought with me a tiny [and I do mean tiny] Dlink Wireless AP that broadcasts the room's connection.

So for those folks on the 17th floor of the Spa Tower at the Bellagio...no the hotel doesn't exactly offer wireless connectivity... you just have two geeky gals that hate sharing one wired connection so we made it easier to connect both of our laptops.

And yes, it's reallllyyyyy tiny.

Piracy in Software

What do you get when you purchase software?  Think about it... it's instructions, it's a cdrom..but what really 'is' it?  Is it a manufactured item?  Not exactly is it?  It's someone's brain cells in a silver cdrom isn't it?  Think about it.  It's someone's ideas, thoughts, goals, brain power, it's all of that isn't it.  And all we do is “license” it.  We don't own it.

So I just don't get it sometimes when people ask about buying software from somewhere and the price of that software is just way way way too underpriced to be legit.  A couple of instances occurred recently when someone asked about software being sold on Ebay [red flag number one] and the Ebay seller said that the transaction involved “evaluation software” and you would then get a registry program to tweak it to be a full software.  

Say...whaaaattt?

The only way you can get full software from an eval is BUY full retail versions and install it over the top of the eval.  You don't lose anything other than the time bomb.  There is no such thing as a tweak program.  Next is the bogus issue of selling OEM software with something as stupid as a mouse.  I'm sorry...but OEM Server software means you HAVE a server..not just a mouse... to go with it.  And then there are sites that offer 'downloadable“ SBS software.  Excuse me?  We don't even download the Premium version of SBS service packs and have to order those by cdrom.

Software licenses have a price tag...this isn't the normal marketplace...this is the price that has been set for this software.  So that if you see someone selling a SBS Standard at a beginning Ebay auction price of US $40...that isn't a value that has been set by marketplace factors ..... not unless you call selling not for resale product, or selling pirated versions marketplace factors.

As a result of all this bootleg stuff...we all pay.

Just keep that in mind will you...the next time someone asks if a cheap software is a good deal, remind them that they are stealing from all of us.

Just remember.... we all pay for piracy in the long run.

Still having issues with backup and monitoring after SP1 and the KB doesn't work?

Lrob pings that he's still having issues with backup and monitoring..... However, that particular fix does not work for me. And I am about to take a gun to this unit. This did happen after a service pack update and also broke the MSDE icon that sits in the system tray. Before the service pack it had the green arrow and would list the server and associated database. Now, no arrow, no database listing. It has been this way for a while and does not seem to be affecting the server operation except the backup and monitoring pages. I have looked everywhere and have tried different things. Is there anything else related to this that you know of?

If you've tried that KB, that's all I have... if it worked before the service pack...then call product support services and get help on this.  Don't let the threat of the price tag scare you.... once the issue is identified as being caused by a security patch or service pack, the issue is normally a free call.

Also the icon can be removed and it's merely a leftover from a SQL patch.

The best advice I can give is to call.  For those that are supporting customers on SBS... sign up for the Microsoft partner program as they have Business down support offerings.

If you are supporting customers on SBS and are not a Microsoft partner...can you come a little bit closer to the monitor?

Closer?

<wack upside the head>

Why aren't you?

This is your business and why aren't you getting all the tools and resources you can to best support your customers?

When things screw up...reinstalling is not the answer

Today I had an issue with a SQL application...one that I was banging my head on for hours.  And I called in support in the form of a very talented MVP who fixed me up in less than 2 minutes.  2 minutes.

Today in the newsgroup I see, once again, folks that get into a bit of a bind and then think that the way to get them back in business is to do a clean install of the server.

Folks ... a server is not a workstation that you blindly flatten and start over again.  Those workstations hanging off of that server will totally freak that you've changed the 'glue' they once used to stick themselves in the network. 

If you get stuck or in a bind.. don't flatten, don't bang your head, don't reintall... CALL.  It's worth every penny to call Product support services to get their help.

Don't forget...call when you get stuck.

You know you are a geek when....

You reach in your purse to show off your 1 gig usb thumb drive and compare it to the CompUSA salesman's drive [his was smaller but still a gig]

You tell him about the USB pen drive that is a Writing pen and he didn't know about it.

You can remember when 1 gig was a large harddrive in a brand new computer [and these days they have 400 gigs in CompUSA]

You remember when the operating system and Lotus 123 would fit on the same bootable floppy disk.

When you travel, you seemingly end up in cities that contain Frys electronic stores [what's up with that?]

You buy things at Frys Electronics stores and ship things back home when you buy too much.

You were extremely pleased when Instant Messenger raised the limit of IM buddies from a maximum of 150 because you were starting to have to look at folks and wonder if they were IM address worthy.

Your Amazon.com book purchasing list is populated with [as Brian put it] books by Security Freaks.

You just went to a clients today, and while there when they got DSL installed, you immediately jumped them over to Microsoft Update and explained how the little icon would show up next Tuesday.

You strike up conversations with fellow plane passengers about “Patch Tuesday”.

You don't listen to music on your MVP MP3 player, but rather Security presentations.

Yeah... I think I got it pretty bad....

Proud owner of several Porsches

I HATE TAPE DRIVES.

Now that I have that out of my system.... let me tell you why I hate them.

For one my Sony Quad tape drive decided to stop working over the last couple of days and the more days that went by that I was only able to backup to a physical hardrive on my network and not remove a copy of the data offsite [especially after the BBQ incident the other day] the more nervous Nellie I got.

You see for the last couple of days the tape drive would suck in the first tape in the quad but never fully load it up and get it ready to go.  I tried making sure the SCSI cable was tight, that the backup software was updated [it's ultrabac], that the scsi card software had the latest driver.  And then the annoying part of the Ultrabac is that it doesn't use a signed driver for the Ultrabac quad loader and can't use the Sony digitally signed driver ...and well.... I'd finally just HAD it with tape drives.

I'm still going to send it in to get it fixed as I think it's the heads or alignment or something, but during lunchtime I stopped by CompUSA [we don't have a Frys here] and bought a bunch of large LACIE harddrives.  At first I was not going to hang the USB2 off my domain controller and bought a USB2 card for the member server where my Terminal Server and Live Communication Server is loaded, but every time I went to install the USB2 card, the video on the member server wouldn't work.  I don't know about you, but while a headless server is okay, it's not my favorite way to start out a server install.  Now with the video being on board, and no switches on the USB2 card, it was a sign to try the LACIE on the server.

So with much trepidation, I plugged it in the back of my SBS 2003, crawling on my hands and knees with a flashlight to find the USB slots, getting my formerly dark outfit that I am wearing progressively grey with dust bunnies in the process.  I found the USB slot, shoved it in, closed my eyes, crossed my fingers and crawled back out to see what it was doing on the server.

It found the drive.  It gave it the letter G.

Sigh of relief.

So off we go to backup the server.

I think I might get used to this.  For one I can literally browse to that G: drive and see the ultrabac backup files there on the drive... tape drives you have to run the header report.  For two it's faster.  For three... well for three it was a heck of a lot cheaper to buy a bunch of LACIE drives than to buy a new tape backup unit that's for sure.

Apparently I'm now being backed up by a Porsche. 

P.S.  backup finished in 2 hours exactly... I think I might like this....

Are you an Admin? Should you be?

From the Administrator Accounts Security Planning Guide

If you regularly log on to your computer as an administrator to perform common application-based tasks, you make the computer vulnerable to malicious software and other security risks because malicious software will run with the same privileges you used to log on. If you visit an Internet site or open an e-mail attachment, you can damage the computer because malicious code could be deployed that will download and execute on your computer.

If you log on as an administrator of a local computer, malicious code can, among other things, reformat your hard disk drive, delete your files, and create a new user account that has administrative privileges. If you log on as a member of the Domain Admins group, Enterprise Admins group, or Schema Admins group in the

Active Directory® directory service, malicious code can create a new domain user account that has administrative access or put schema, configuration, or domain data at risk.

--------------------------------------------------------------------------------

Oh ..go ahead...say it... “But SBS loads up the workstations in administrator by default“. Yes it does.  And why does it do that?  Because 99.99% of my line of business applications will not work unless you either

     a.  run as local admin

     b.  Hack the registry to death

I made this point to the CPA meeting we had up at Microsoft, that to demand using restricted user rights wasn't Microsoft's problem, it's OURS.  It's our vendors that we need to push to do this right, especially for Longhorn coming.

As much as I love to rant about non-admin, I wasn't about to drag myself out of bed at 5:30 in the morning to watch the web cast by Aaron... I'll get the recording   In the meantime the TechEd Bloggers look like a few are finally 'getting it'

Now... go talk to your vendors... they are the ones who need to get it.

You would think a phone company could call or email or something? Having issues with PacBell DSL?

DSL went out at home and my sister did all the things she thought to do... unplug the DSL modem, unplug the Linksys router, but no go.

So I get home, log into the router and it says PPOE authentication failure.  Hmm... so I try resetting it and no go.  So I check to see if it's just a network issue and fortunately have a dial up backdoor account to Pacbell and get the tech support phone number.  And as I answer the voice activated menu, I get to the point where the nice lady says “There's a network tech note, please press pound if you'd like to bypass this message”

Ah ha.. must be network connectivity issues.

“As of June 2nd, if you are a Pacbell customer you now need to include @pacbell.net in your authentication information”

WHAT?  You have GOT to be kidding.

Went to the linksys... added the @pacbell.net to the PPoE log in screen.

Sure 'nuff.  That was it.

Okay Pacbell...exactly HOW would I know this?  Did you send me an email 4 days ago?  Call me?  Send me a note?  Smoke Signals?  Anything?  Where did you tell me this?  And thank goodness I have a modem still in my desktop as a backup to get the phone number to call you and find out this was it.

Bottom line if you have residential DSL from Pacbell, and assuming you can still read my blog, go fix your PPoE authentication and add “@pacbell.net“ to get your residential Pacbell DSL working.

Like Eriq has said before with his issue on Verizon... for telecommunications companies, they sure suck on communication.

Professional Identity Theft

I got a call today from a mortgage company to confirm that I did the bookkeeping and tax return for a client.  Slight problem.  I didn't recognize the client.  Next problem, the woman from the mortgage company said the letterhead that was typed up had my full name on it.  You know...with my middle name that is only on legal documents and Board of Accountancy web sites.  Next, while it had the firm address, the letter was typed with merely my name on it, and did not have the firm I worked for.  Any letters that I write have my firm letterhead on it, and would not merely have my name, and definitely not my middle name up there like that.

Now after I've slightly stopped freaking out over this... I'm contacting the State Board as there is indeed enough info on that site and my firm's site for someone to pretend to be me.

Hmm.... think Al Gore ever envisioned the Internet to be used like this?

Putting you guys on notice

If you are a blog reader you'll know that WSUS is finally out and for us SBSers, you should understand that this is step one, a big baby step on the way to perfect patch management system.  For us premium folks, it won't patch ISA Server, so we'll still need to watch for that [but honestly ISA hasn't needed too many specific patches].