March 2005 - Posts

Cannot connect to Sharepoint

In the mailbox tonight [one last post....] Carl asks “I couldn't connect from outside the router to the SBS2003 through Sharepoint. From inside, everything works fine. I turned on port 443 and 4125 on the router. How do I troubleshoot this?”

And Carl...your email address wasn't right so it bounced back...so I'm blogging back the answer.  Figure it's more productive than sending the email I'd really like to send to the Windows Update team right about now anyway.....

Remember, if you are on Standard edition, port 444 also needs to be open from the outside on the router for SharePoint (443 and 4125 alone only get you OWA and Remote Web Workplace).

If you are on Premium, there's a KB article with instructions for getting SharePoint to go through ISA...it's also here in the blog.

And that's it for the blog posts tonight folks...see ya tomorrow.

 

My apologies.

I'm an SBSer.  And I feel that I represent the SBS community to Microsoft.

I feel like I've let the community down today.

I didn't represent you well enough to the Windows Update team.  I didn't understand the impact the 'normal' Windows 2003 Service Pack 1 would have on our SBS boxes.  I didn't follow the beta closely enough to fully understand that it would have an impact.  I didn't understand that a service pack that has an impact on our SBS boxes would be offered up to us at the top of the window in Windows Update today.

I let you down.  For that I apologize.

Going forward, I'm going to make it my personal goal to ensure that the patching goals at Microsoft include one more: if a service pack of any kind adversely affects us, it will be blocked in Windows Update and will not be offered up to you when you go to Windows Update. [Update... the Service Pack is no longer on Windows Update -- Thank you Microsoft for being VERY agile and responsive]

Someone asked today how to set up a test network if all they have is a production one. You can [if you are a Microsoft partner...see why you want to be a Microsoft partner] get a subscription to the “Action Pack”, which is a bundle of software that would be perfect for a 'test' network.  But if you don't have the time for that, ask in the communities about how the patch is working on systems.  We'll tell you.

This one should not be installed on SBS.


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns. 


From Sean Daniel, Windows Small Business Server

There have been quite a few questions regarding Windows Server 2003 SP1 and its support on Windows Small Business Server 2003; I hope this post will clear up any of the confusion here.  If you have immediate questions, please feel free to follow up in the public Microsoft newsgroup at microsoft.public.windows.server.sbs and I will attempt to answer your questions as best I can.

Windows Server 2003 SP1 is supported on Windows Small Business Server 2003, but there are some known integration issues that are resolved in the Small Business Server SP1 (available within the next 60 days).  With the Windows Server SP1 installed, you may encounter the known issues and our recommendation is to:

  a) Be patient with the issue and wait for Windows Small Business Server 2003 SP1
  b) Un-install Windows Server 2003 SP1, and wait for Windows Small Business Server 2003 SP1, which includes Windows Server SP1

Furthermore, a KB Article will be written to further address these issues; I will post it to the public newsgroup when it is available.

In the meantime, here is the short list of the known issues:

  • Remote Access Wizard hangs when creating the connection manager package
  • Small Business Server Change IP tool will fail
    - Change IP tool will continue to fail after un-install of WS SP1
    - Workaround: Remove WS SP1, disable DHCP, re-run CEICW
  • Power Users retain SharePoint Administration privileges even after the role is changed to Reader
  • Re-Install of Exchange fails
  • Re-Install of Intranet component fails
  • Fax Services won't start and the Fax Configuration Wizard cannot be run after un-installing Windows Server SP1
  • DHCP service may not start after a restore

Please let me know if you have any further questions

 

Here's how to install a Service pack

Here are Susan's suggested items on how to install a service pack on SBS 2003

  • You don't install it on a production system, middle of the day during lunch time
  • You don't install it before a weekend
  • You don't install it before testing it yourself
  • You don't install it before waiting for feedback from others [Community ...check with the community before installing it]
  • You don't install it when it's Windows 2003 sp1 and we should wait for SBS 2003 sp1




Coming Soon: Windows Small Business Server 2003 Service Pack 1

Published: March 29, 2005

The worldwide rollout of Windows Small Business Server 2003 Service Pack 1 (SP1) will occur in the next few months. Visit this page in the next 60 days to download Windows Small Business Server 2003 SP1.

Experience the Enhancements to Windows Small Business Server 2003 Service Pack 1

Windows Small Business Server 2003 SP1 will improve on the security, performance, collaboration, and productivity benefits built into Windows Small Business Server 2003.

Windows Small Business Server 2003 SP1 will be comprised of the latest service packs and updates for Windows Small Business Server 2003 and its product components, including:

  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows SharePoint Services SP1
  • Microsoft Exchange Server 2003 SP1
  • Microsoft Office Outlook 2003 SP1
  • Microsoft Windows XP SP2
  • Microsoft SQL Server 2000 SP4 (Premium Edition only)
  • Microsoft Internet Security and Acceleration (ISA) Server 2004 (Premium Edition only)

Also included are built-in and customized integration capabilities to ensure a smooth installation experience. Windows Small Business Server 2003 SP1 will be available in 18 languages: English, German, Japanese, French, Spanish, Italian, Chinese (Simplified), Chinese (Traditional), Korean, Dutch, Polish, Swedish, Portuguese, Brazilian, Hungarian, Czech, Russian, and Turkish.

5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA

Don't know what that is? 

That's the unique SBS 2003 GUID code for the SBS suite.  Do a search in the registry and you'll find it in a couple of places.

I'm sure you know you have SBS 2003.  You are an SBSer, right?  But right now Windows Update doesn't know you are an SBS box.  It thinks you are a Windows 2003 box.  The good news is that it's not coming down on Automatic Updates [thank goodness for that], but the bad news is if you run Windows Update on an SBS box it will indicate that you need this.  You don't.  Also watch out for SUS and make sure that the service pack isn't approved there.


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns.  And sorry too to the WU team.. I know you know what SBS is but you know us gals in the heat of the moment..stuff pops out.  Thank you for your quick action and response.


Let me say this loudly

IF YOU ARE RUNNING SBS 2003 WAIT FOR OUR SBS 2003 SP1  - don't install this when it shows up on Windows update like this:

Again, do not install this patch from Windows Update.




Note: Customers who have Automatic Updates enabled with automatic download should be aware that Windows Server 2003 SP1 will be made available through Automatic Updates (AU) as a High Priority update in July 2005.

UPS, unexpected power losses and oh? Have you done this registry fix?

Services may stop abruptly when you shut down or restart a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;839262

Jeff from TechSoEasy reminds me of a registry fix that we SBSers need to do.  He had unexpected power losses and now has a bit of a messed-up server.  It reminded me that he may have needed to put in that registry fix.  Now this will be in SBS 2003 SP1, but for now, do the registry fix from the KB article above manually.

Just a reminder...DO NOT install Windows 2003 sp1 on your SBS box [even if Windows Update is offering it to you]

Windows 2003 SP1 RTMs...ours is still in the oven

For those of you running 'normal' Windows 2003, you can start testing on the SP 1 as it just 'RTM'd....

For those of us on SBS 2003 remember

In addition, Microsoft is announcing that Windows Small Business Server 2003 Service Pack 1 will also be available to customers within 60 days.

I'm putting that in Bold and in Color because I missed reading it the first time.  [ummm...sorry Jerry!... I tell ya going blind]

So folks... ours isn't ready yet.  Hang tight just a little longer.


Download details: Windows Server 2003 Service Pack 1:

Install Microsoft Windows Server 2003 Service Pack 1 (SP1) to help secure your server and to better defend against hackers. Windows Server 2003 SP1 enhances security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations, improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Windows Server 2003 SP1 assists IT professionals in securing their server infrastructure and provides enhanced manageability and control for Windows Server 2003 users.

Which includes
Security Configuration Wizard for Windows Server 2003:
This is actually a cool tool but we don't need to run it on our SBS 2003 boxes as we're very well tweaked just as we are right now.  Again for those on normal server, take a look at it. 

What versions of Internet Explorer are supported?

Understanding the Windows lifecycle policy (for all you IT Pros out there):
http://blogs.msdn.com/ie/archive/2005/03/29/403513.aspx

One last post before bed tonight... nice concise recap of what IE versions are supported on what platform.

Really we're not shouting!

SOMEONE IN MY OFFICE LEARNED TODAY ...oh sorry...

Someone in my office learned today that when she was Internal IMing the guy in the office and she used all CAPS [because you see in the tax software program she was using it's normal for us to use all caps] that she was shouting at him.

She didn't know that there's this 'rule of online' etiquette that grew out of email etiquette

“Send an e-mail in all UPPER-CASE. Use of upper-case words is the equivalent of shouting in some one's ear. ONLY use upper-case words when trying to make a point (such as I just did). Even at that, you should be careful with who you are exchanging messages.”

For your clients that are email newbies, you might like to let them know of these unwritten/written rules of online etiquette.  Obviously they don't need to learn l33t speak or anything like that, but just a nice friendly 'here's what others expect of you online' is nice.

 

How to Shutdown

Ever notice how there's like four or five ways to do the same thing?

I posted about my Remote Web Workplace experience and wanted to know if there was a way to remotely shut down.  Matt posted in the comments "shutdown.exe" but there's a couple more.

Handy Andy said Start > Run > “shutdown -r”

For one, once I have that Control-Alt-End which is the remote desktop equivalent of Control-Alt-Delete [the infamous three fingered salute -- no relationship to David just happen to share the same name]...bingo, I have a button there that says "shutdown". 

Duh.

Then Chad and Marina said, click on Start and Windows Security and sure 'nuff in a RDP session, Windows Security...which is the shortcut to the screen that gives you task manager, shut down, log off, etc. is right there. [Which is of course the same solution pointed out to me by Dave in the post that started this whole exercise in the first place  -- that once you RDP into a session either via RWW or onto a server, that the Windows Security shortcut is right there, just a mouse click away]

Learn something new every day!

The icons got a bit messy today

One of the issues with Remote Web Workplace, and especially with the interaction with a dual monitor system, is the reality of 'letting go of static icon location'.

Take this morning for example, I went to log back into RWW and there's a brief moment where there's a black screen and a blinking icon as the desktop 'takes back control' from the closed remoted session....well.. it's supposed to be brief anyway.  This morning it got stuck on that black screen and I had to do a hard reboot.  And man, did the icons on the desktop not like that one bit.

Now 1/2 of my icons are on the other screen.  Normally I fix this by going into display properties, pulling the display back to merely one screen and then reenabling the second screen.  That's probably the one thing you really need to kinda get use to when dealing with dual monitors.

Get over the 'My icons must be IN THAT EXACT SPOT'.  Get used to them kinda blowing up and moving around every now and then.

One other burning unanswered question that I had about RWW that is now answered [thanks to SuperG and Dave] is how to do a control-alt-delete on RWW.

SuperG:  Control-Alt-End

Dave:  Windows Security icon in the start menu that brings up the Control-Alt-Delete dialog.

Oooh I forgot to ask if RWW can be rebooted remotely. That's another one of my questions.  Stay tuned.

Sniffin' a bit of a password tonight

Russ in the newsgroup picked up a new SBS client and they didn't write down the POP connector password.  He asked “Anyone know of password programs that unhide password in 2003?  All I can find are the ones for XP?”

As Russ found out it wasn't even that hard.  Load up the little Ethereal program, sniff the TCP/IP packets, and that password will travel from the server to the POP box at the ISP in clear text.  You see an 'elho' command and then the lovely phrase 'password' and it's pretty obvious what the password is.

Remember, physical access means the ultimate lack of security.  With physical access I can even reset the local admin password [only do this on desktops, not on the server]


http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
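Here is an added example (not code from the original post, Russ, or the SBS team) that shows the defender's side of the sniffing story above: it reads a captured POP3 exchange and reports whether the mailbox password was readable on the wire, i.e. whether USER/PASS went out before any STLS. The 'C:'/'S:' transcript format and the two sample sessions are constructed; the mailbox name and password are placeholders.

```python
"""Audit a captured POP3 exchange for credentials sent in the clear.

Added example, not code from the original post. The transcript format
('C: ' client lines, 'S: ' server lines) and the sample sessions below are
constructed; the mailbox name and password are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Pop3AuthFinding:
    """What an observer on the path could have read from one session."""
    user_in_clear: bool = False
    pass_in_clear: bool = False
    stls_established: bool = False
    apop_used: bool = False

    @property
    def password_exposed(self) -> bool:
        # A PASS sent before TLS is readable by anyone capturing the link,
        # which is exactly what the Ethereal trick in the post relies on.
        return self.pass_in_clear


def audit_pop3_transcript(transcript: str) -> Pop3AuthFinding:
    """Walk a 'C:'/'S:' transcript and flag plaintext authentication.

    Only traffic before a successful STLS counts as visible on the wire:
    once the server answers STLS with +OK, the rest of the session is
    encrypted and a USER/PASS there is not counted as exposed.
    """
    finding = Pop3AuthFinding()
    awaiting_stls_reply = False
    encrypted = False
    for line in transcript.splitlines():
        line = line.strip()
        if not line:
            continue
        side, _, payload = line.partition(": ")
        if side == "S":
            if awaiting_stls_reply:
                awaiting_stls_reply = False
                if payload.startswith("+OK"):
                    finding.stls_established = True
                    encrypted = True
            continue
        if side != "C" or encrypted:
            continue
        cmd = payload.split(" ", 1)[0].upper()
        if cmd == "STLS":
            awaiting_stls_reply = True
        elif cmd == "USER":
            finding.user_in_clear = True
        elif cmd == "PASS":
            finding.pass_in_clear = True
        elif cmd == "APOP":
            # APOP sends an MD5 digest of a server challenge + password, so the
            # password itself never crosses the wire (the digest can still be
            # attacked offline, so it is weaker than TLS).
            finding.apop_used = True
    return finding


def recommendation(finding: Pop3AuthFinding) -> str:
    """Turn a finding into the one-line advice an SBS admin needs."""
    if finding.stls_established:
        return "OK: credentials were sent only after STLS; nothing readable on the wire."
    if finding.apop_used and not finding.pass_in_clear:
        return "WEAK: APOP keeps the password off the wire but is crackable offline; prefer STLS."
    if finding.password_exposed:
        return ("EXPOSED: USER/PASS sent before TLS. Move the POP3 connector to an "
                "ISP mailbox that offers STLS/POP3S and rotate this password.")
    return "No authentication seen in this transcript."


# Constructed sample: what an unprotected fetch looks like on the wire.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER mailbox@example.com
S: +OK
C: PASS placeholder-not-a-real-password
S: +OK Logged in.
C: STAT
S: +OK 3 4021
C: QUIT
S: +OK Bye
"""

# Constructed sample: the same fetch with STLS negotiated first.
STLS_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
C: USER mailbox@example.com
C: PASS placeholder-not-a-real-password
C: QUIT
"""

if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("stls", STLS_SESSION)):
        print(f"{name}: {recommendation(audit_pop3_transcript(session))}")
```

Feed it the client/server lines you pulled out of a capture of the POP3 connector's fetch; if it says EXPOSED, anyone sniffing that link sees the password exactly as Russ did.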

"A wireless internet has been found in range"

A couple of times, clients have come into the office and we've needed to get data off of their laptops.  So they've turned them on and we typically these days use usb thumb drives to pull the data off.  And each time a 'newer' computer is turned on, one that has wireless automagically enabled, it 'finds' the wireless access point at the office.

Is it an open, unprotected by WAP access?  Nope.

Could it be?  Yup.

Why?  Because I purposely put it in a place that would first and foremost give me a secondary backup to high speed access when taking down the server [Rule of Susan: always ensure you have a connection to the newsgroups or IM].  So it's on the outside of my SBS network, hanging off another port in the 4 port DSL modem/switch.  It handles its own DHCP and does not interfere with the DHCP of the SBS since it's hanging off of the DSL modem/switch.

It hands out addresses in a range that doesn't match the internal address range of the network.  I do all this because we don't really need 'true' wireless at the office to the internal network and I'm not yet ready to see if SBS can handle PEAP [I think it can...don't tell Jason or Charlie that I need to re-read the chapter on wireless in the SBS 2003 Admin's book because I can't remember it].

If you run Cat 5e/Cat 6 wiring in your office, you can pretty much be certain that it's easy to know where it starts and where your 'physical access points' end: the RJ45 connection in the wall.  Now at Microsoft, where physical security of a 'campus' means they have tons of wire taps, they use IPsec [more on this in the next blog post] to protect those physical taps [remember, don't use 802.1x to secure wired connections].

But where's the physical access limitation of a 'wireless' connection?  Yup, it's as large as you are broadcasting.  Remember I've said before to check how others see you by visiting grc.com and confirming that the ports you have open are the ones you expect to have open?

Don't forget to do the same with your wireless connection.  Take a laptop that is enabled for wireless... walk your perimeter.  How far do you broadcast?

St Louis SBSers! A group for you!

One of my long time SBS mentors and 'big brothers' Cris Hanna is starting a SBS partner group in the St. Louis area.  Join him online and in person for a 'in face' community.  I still remember the first time I met him in person with my fellow SBS MVPs, Cris found me talking to a bunch of FoxPro mvps, tucked me under his wing and started the introductions to people I'd never met in person but already had a bond with.

It's the “bounce” factor.  Talking to someone who works in the same area you work in, does what you do, sees what you see.  Join Cris for a bit of live community.  I think you find he'll tuck you under his wing and make you feel as welcome as he did me.


For more information on this group or to communicate with others using SBS in the St. Louis area:
 
 

A place for people like me

I'm not one of these, but I need their talents.

I'm not one of these, but I rely on them.

I'm not one of these, but I value their expertise.

But sometimes, I need more information targeted for ME and not for them.  What am I?  I'm an admin, not a coder.  I'm a CTO, not a developer.

And the blogosphere [if I'm reading this right] just acknowledged the difference between my world and theirs.

The Microsoft blogs used to all be on MSDN, that's the Microsoft Developer Network....but, you see, I'm not a Dev, I need admin-y stuff.  But now I think Microsoft just started a place for 'us' to start watching the blogs for 'my world'.

TechNet has opened up [I think you call it a soft opening] their TechNet blogs.

Just in time before TechEd in Orlando comes the place where us admin geeks can follow the latest and not get posts that talk about Hungarian coding and posts about VB classic versus .NET.  Don't get me wrong, I find such posts interesting, but when you have a blog that spits out discussions of how to handle something managed code versus unmanaged code, and they put that gunky stuff [as I call code] in the blog posts, I start saying to the waiter “Check please? It's time for me to move on to another blog”.

Bottom line now I think I'll be able to find more 'admin-y' posts directly. I'll keep watching if what I think they are doing is what they are doing. 

So you Microsoft folks that aren't of the Dev world?  Start blogging folks, because you now have a home just of your very own.

Sometimes you have to remember just 'how truly portable' you are

America West has this feature that you can go to the Internet, log in and print out the boarding pass. So the guy at the office who is in Arizona gets ready to fly back, goes online just like he did at the office, checks in, confirms his booking and goes to confirm it and realizes.......

Um...He has no printer.

Now I have seen printers that offered IP based printing in the hotel rooms [but I've never been quite comfortable with that], but he didn't have any such options.

I guess you “could” cart around a portable photo printer, or as I was joking with him as he related the story, print it to Adobe PDF and then when he got to the airport, turn on the laptop and say “here's my pass”, but somehow the instructions on the print out that say 'cut here' might not work on a laptop screen...you'd have to have some really sharp scissors to cut the PDF off the screen, methinks.

Speaking of airports, someone mentioned that they lost their roller blade Allen wrench going through security.... 'course... I have to wonder about someone that packs roller blades for business trips [seriously, they probably just forgot it in their pocket], and my sister one time had to mail back a manicure kit that she forgot in a carry-on bag.  She forgot and threw it in there at the last minute.  Fortunately she had enough time to get out of the security line and find a Mailboxes Etc. in the airport, but I guess the world is a little safer from Allen wrench and fingernail file toting airplane passengers.

In case you are wondering, the list is here of prohibited items and 'lighters' were just added to the list.  Now mind you, given that anything “I” can't stick in carry-ons I now place in checked bags, I'm not so sure that I want a butane lighter in a checked bag.... to me that doesn't sound too brilliant of an idea either.  It's clear from the list that you aren't even supposed to check it.  So just remember folks... when traveling... check those cattle prods and brass knuckles.  It's interesting that it does say that fingernail files can go in carry-ons.  Go figure.

Bottom line..just remember there are limits sometimes as to how truly portable you can be.

It's not too late for the Hottest Tour around!

It's not too late to catch the hottest tour around.  This tour ROCKS!  Get autographs!  Get a backstage pass and more!  Talk one on one with the tour members!  What is this?  What really cool tour is this?

Why the SBS Partner tour of course, and there are only four venues left!  Tavis gives his recap of the tour on the stop in Michigan.

Seriously if you are 'into' SBS, thinking about SBS, interested in SBS you need to get yourself to one of these events.  You won't be disappointed. 

  • March 28 - Omaha, Nebraska - 11802 Pacific Street, Omaha, NE 68154
  • March 29 - Irving, Texas - 7000 State Highway 161, Irving, TX 75039
  • March 30 - San Antonio, Texas - 4522 Fredericksburg Road, A79, San Antonio, TX 78201
  • March 31 - Denver, Colorado - 4643 South Ulster Street, Suite 700, Denver, CO 80237

REGISTER NOW

Hey you know ..I haven't seen any photos from these venues... we're just going to have to see if someone has been taking some!

SEMINAR AGENDA:
The following are covered in the FREE, two-hour evening event:

  • The Small Business Customer – Data and Trends
  • How Partners are making money with SBS 2003
  • SBS 2003 SP1 overview and what it means for you and your customers
  • SBS 2003 demos
  • Product strategy and roadmap

This is a FREE event sponsored by your local SBS User Group. Beyond the valuable and timely information that follows a TS2 event content, you'll also receive:

  • 128mb USB pen drive – Microsoft Partner Program Branded
  • Leather Pad-Folio embossed with Windows Small Business Server 2003
  • Official SBS 2003 Partner CD from the Microsoft Windows Small Business Server team (just released!)
  • An invaluable overview of the soon to be released SBS Service Pack 1 from top level SBS team members
  • Helpful information on how SBS Partners make money in the SMB Space
  • The latest research covering what and who the SMB customer is, and how you can reach customers based on this latest data
  • An invaluable opportunity to network with other local, successful SBS focused Partners (and their local SBS Partner Groups)

How about just working?

With my “I'm going to be patient and see if this works today” cap on I'm surfing over to Fedex.com's web site to see if I can update my credit card today.  Last night I was about to throttle some Java web site coders.

 

I can log in fine, go over to make payments online...I can go into preferences, then into update my credit card.  I've entered my credit card information... here we go about to see if they got their stupid Java site working [I think it's java anyway...if it's some other web coding let me know..it appeared to be a jsp page]

 

Ah... yes as you can see below... they haven't fixed it.

 

Now while I can understand that their web site admin folks probably don't want to work on the weekend, but it is a bit annoying that their web site isn't working.

 

For all of our 'this has more security than that platform' religious wars that seem to go on around security, the bottom line is that Fedex is getting real close to losing my business. 

 

Right now I don't care about security, I don't care what platform you are on, just FIX it so I can update my credit card and ship what I need to when I need to.  {I still owe Charlie Russel a Microsoft Bob that I have that I've been meaning to send to him and just keep forgetting to do it}

 

Man do I hate logging in to all the online places and updating credit card information.  I've got quite a few 'auto pay' things set up and it's a pain in the rear to dig up all of the places to go in and update [assuming I remember the password I used for the site in the first place]

 

So Charlie?  As soon I get my credit card updated...and Fedex gets their web site working expect a Bob on your doorstep.

 

The RFC info is cool, but guys?  How about just working?

 

 

--------------------------------------------------------------------------------

 

 

Error 500--Internal Server Error

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

 

10.5.1 500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

DNS ...to forward or not to forward...that 'tis the question

First off I have to explain..I've been doing knock offs of Shakespeare ever since I briefly caught the interview of Denzel Washington on GMA in his role of Brutus in Julius Caesar on Broadway.....the “To Be or not To Be“ is from Hamlet anyway....we now return you back to the blog....


DNS ...to forward or not to forward...that 'tis the question...whether tis nobler in the mind to suffer the slings and arrows of potential DNS poisoning or to merely use root hints..... 

uh...sorry...where was I?  Oh yeah...

Muffy in the newsgroups indicates that when she ran the Connect to internet wizard that she 'did not' put in any ISP's DNS entries in there where the wizard indicated and the network is resolving to the Internet just fine.  Is this okay, she asks?

And yes, indeed as is showcased here it is truly not necessary to put in ISP forwarders...as the built in DNS root hints pick up the ball and just work.

In fact, many are now arguing that we should 'not' put in DNS forwarders anymore due to DNS poisoning attacks.  The only thing I have seen that we sometimes need is adjustments to EDNS0 support, evidenced by not being able to get to some websites.

So next time you are playing around with your test server... try taking out those forwarders...see what happens... you'll probably find like Muffy did that everything magically still works just fine.

P.S.  Check out Eric's comments for some items to think about when choosing between forwarding or no forwarding.

What's a server?

If you are the IT Pro...what's a server?

No, seriously...what is a server?  I would hope that you would say that it's an operating system that 'at least' had the name 'Server' in it and not XP Pro used in a peer setting.  I would hope that you would say something that specifically was tuned and optimized to be a server.

If you are the business owner...what is a server?

No, seriously... put your business owner hat on and put aside the geek propeller head hat.  What is your view of the server?  It's Outlook isn't it?  Or it's the shared file storage of Excel.  Or it's the business app you are using like CRM.  They have no idea, no care of what the 'plumbing' is used to do the job.  They just want it so that when they go to turn on the water that the water indeed comes out.  It's as simple as that.

  It's YOUR job as the propeller head to spec out the plumbing. 

Used to be that we only looked at SCSI drives for servers.  RAID 5 this.  RAID 10 that.  Now we're using SATA drives.  I personally think the hardware side is the harder one to keep up with.  Maybe I'm just a software gal, but even when I go to Dell's web site, invariably I can never put together a server that has the right parts in the right places and I get a “we're sorry, you cannot put that backplane with that drive without major hardware issues” ...or some equivalent message.

I'd say most of the gang spec out a system that they get comfortable with and then 'stay' with that footprint for a while until it's time to reevaluate and start over. 

Just don't forget when talking to that business owner that they don't care about what size the pipe is or how the backflush device works.  They want a nice looking faucet and water that is hot when they want it and cold when they want that too.  Don't talk nuts and bolts about servers, show them how the faucet [server] works.  Turn on the faucet and show the running water.  Show them Remote Web Workplace and Outlook Web Access.  In fact, take your own laptop and showcase how 'you' can communicate remotely with 'your' office.  Making sure your own 'geek factor' is in place is probably the best sales tool you have.  Not to mention, it's a great way to keep up to date on interoperability of technology...and yes...before someone asks..keeping up with all the geek toys is indeed an ordinary and necessary business expense and thus the devices you would be buying to showcase mobility would be deductible.

SecCast anyone?

Oh this is too geeky... Security Topics and a Podcast all in one

ThePodcastNetwork :: The Gadget Show » Blog Archive » The Gadget Show #5:
http://www.thepodcastnetwork.com/gadget/2005/03/23/the-gadget-show-5/

This is so cool.  They have Robert Hensing on, and have Dr. Jesper Johansson's info on passwords.

hmmm...maybe it needs to be called a SecCast rather than a Podcast?

Issues with KB 891711 [MS 05-002 on 98/98SE and ME]

This just in from the Microsoft Security Response Center:

 

Microsoft has received reports about issues with KB891711 on Windows 98, Windows 98 SE and Windows ME.  At this point, we have been able to confirm these reports and are currently working on a resolution.

Please note that by uninstalling the current update, the machine will return to a vulnerable state.  At this point, we are currently not aware of customers being exploited by way of the vulnerability fixed in MS05-002 on Windows 98, Windows 98 SE and Windows ME.  If you need additional assistance regarding this update, please contact +1 (866) PCSAFETY. When calling, please indicate that you are having issues with a security update.

Folks remember that an issue with a Security patch is a FREE call.
I cannot stress enough how important it is to get feedback to PSS when stuff like this occurs.

The Green versus the Blue

A bit of background first from Steve Riley:

"Therefore, we admit we broke our promise and we added features to a service pack, but we did it because we believed it was absolutely necessary to improve the resiliency of the operating system to live in the hostile network that we have now that designers of software and even software as recent as Windows XP never really imagined that the Internet would become the hostile place that it is right now. And it's more imperative to software designers than ever before that they build in features that can increase the resiliency and security management, for example, so that it's easier to configure and maintain."

"The perimeter is, for all practical purposes, almost gone. Every machine is becoming its own perimeter."

"Moving the security decisions from the edge to the host, it's almost as if the host is now the edge."


Friends, Romans, Countrymen, Geeks, Blogreaders lend me your ears...or eyes as the case may be.....

XP home does not have the same security features as XP pro.  Specifically it is lacking these two that I think are very important ones:

  • Encrypting File System - protects sensitive data in files that are stored on disk using the NTFS file system.
  • Access Control - restrict access to selected files, applications, and other resources.

In this day and age where Aunt Nellie's system is apt to be turned into an attacking bot, where the home PC has PII [personally identifiable information] on it [credit cards, bank accounts and what not], where identity theft, phishing, etc. etc. is a daily occurrence, I think the home machine needs as much protection as our most vulnerable web facing machines.  Therefore, why is there an operating system 'built for Home', ready for peer to peer networking, that has fewer security features than XP Pro?

Shouldn't the needs of a home machine, less controlled and protected than an XP Pro behind ISA server [preferably in SBSland as well], be identical to Pro...or perhaps [gasp] even exceed a Pro machine in its security needs?

If I have personal information on that box, I want encryption.  If I have junior on my same system doing who knows what, I want the ability to add security permissions and what not to files of a level possibly more paranoid than I do at work.

Why is there an assumption that Aunt Nellie at home needs less security than Uncle Bob at the office? 

Shouldn't all desktops be protected in the same manner?  Why is there [other than for stupid marketing and pricing decisions] the need for two client systems anyway?  Aren't the security needs of us all the same?

We in SBSland don't like the Green box because it means that we have to talk the owner into upgrading to the Blue box.  [remember XP homes cannot join a domain].  But heck I don't like XP Homes for their lack of security features.

As we go into Longhorn...how about ONE BOX.  One Security model...one set of tools and tweaks and protections and ....just one protection level.

I'm not talking about versions like Tablet and Media center and what not...but just don't have a version at home that cannot have the same security features as an Office version.

So Steve Ballmer or Bill Gates or whoever is in charge of making the decision of the client/desktop operating system.  Consider that Home machines need just as much security IF NOT MORE these days than office machines.  Don't make this a marketing decision...make the choice of ONE operating system a security one. 

Just say NO to the Green Box.

Oh Shoot! No...wait! It's okay!

One of the guys at my office was sort of at his desk today.  But not exactly.  You see he was actually in Arizona for a meeting but using Remote Web Workplace in the hotel room.  He needed a document to answer a question and it was a credit card statement.  So I told him on Instant messenger to hang on that I would email it to him [we have Live Communication Server 2003.. because of Software Assurance on SBS 2000]  So I go to our Konica scanner, scan it in and email it to him.

OH SHOOT!  I just sent a credit card statement with personal identity information over an unprotected email channel.  Dang and as much as I harp on people at the office about this, look what I just did.  No password, encryption nothing!  OH SHOOT!

OH WAIT!  No, I didn't.  I sent it to the internal email box at the office.  He's remoting in via RWW.  It never left the office boundaries.  I didn't send anything unencrypted. 

Remember, RWW protects the session over SSL [Class let's review the Tristan blog link again for the technology going on in RWW]

But you know what though... “IF” I was dumb enough to send email like this, why isn't the whole setting up of encrypted email easier than this?  Why isn't encrypted email just done as a normal process?

The Financial Crypto blog talks about digitally signed email and how folks just didn't understand what digitally signed email was all about.  Heck they aren't even talking about encryption..merely digitally signed email.

“The biggest result to my mind is that users simply didn't as a body understand what the signed emails were all about.”

I personally have sent out signed emails and gotten questions from clients.  So given that digital signatures are the first step towards establishing encryption...why isn't our Exchange server just set up for this...with a wizard?

Why doesn't external instant messaging have encryption?  [I mean... it's pretty sad when AOL supports encryption natively and for my MSN IM I have to use a third party SIMP program.]

So what do you think?  Should there be some sort of wizardized encrypted email setup?  As we go forward, protected email should be just a normal thing...not a “what did you send me?”

Dear Mr. Best Products:

Dear Mr. Best Products [or is it Mrs?]

Thank you for ensuring that Peachtree runs in User mode but can you answer one question for us?  Why [exactly and be specific please] don't you support ACT 2005 running on SBS 2003?  Can you tell us why, when we have WMSDE or SQL server 2000 that you specifically say that you don't support SBS?

Once upon a time GFI Faxmaker also said we had a “non standard version of Exchange” and well... that just didn't sit well with me, and thanks to Mir we got the issue straightened out so that GFI does now support SBS.

I guess the answer instead is to just use Microsoft's CRM package which IS supported [heck kissing cousins actually] on the SBS 2003 platform.  So much so there's a CRM/SBS bundle going on.

Okay so maybe you don't need the sales ...but I'd like to know why exactly you don't support SBS?


System Minimum Requirements for ACT! 2005 (Standard Edition): Operating Systems:

      Microsoft® Windows® XP Home, XP Professional, 2000 Professional, 2000 Server, 2000 Advanced Server, Server 2003 Standard Edition, Server 2003 Enterprise Edition.  Note: Citrix Servers, Terminal Servers, Windows Small Business Servers, and other unlisted versions of Windows are NOT supported.

We're movin' on up!

Okay American TV show reference... you remember the show called “The Jeffersons” where the theme song was “We're movin' on up....yeah we're movin' on up...to the Eastside.... to a De-Lux apartment in the sky-hi-hi”.....

 Got the song stuck in your brain yet?

Reading the blogs tonight, I see that Ward Ralston on the Windows Server Blog is announcing in the next month some new Product and Program Managers to talk about ....... yup... Small Business Server.  Hey ...pretty cool huh... we're in there with 'normal' server folks, eh?

Now...what we need to do is get the same sort of community/buzz/backing whatever around ISA server 2004.  Now you ISA folks would probably say you do already and for the most part you do indeed.  But .... I have to tell you a true story.  Just today a tech journalist asked me “What's the name of the Firewall product?”....um...yeah... you see the problem here.  He knew the names of Exchange, Sharepoint, Live Communication Server, SQL Server and what not, but couldn't remember the name of the Firewall product.  Yeah.. it's ISA server.  Internet Security and Acceleration Server to be exact.

As I said earlier, Amy was absolutely appalled at the lack of knowledge about ISA server.  Folks... we have no excuse.

ISA server has an interactive training web site set up to help you learn ISA server.

ISAserver.org has an RSS feed.  If you have Newsgator, right-click and add that subscription to your Newsgator.

There are ISA server blogs:

ISA server books from the Dr. Tom.  You know... he probably has an ISA server protecting every computer device he owns, that's how much he knows about it.

Jim Harrison and the ISATools.org site.

See how strong the ISA Server community is out there and folks... ISA 2004 will be coming on SBS 2003 premium.  Just had a poster in the newsgroup asking about buying ISA Server for their SBS 2003 standard and ..dude... get premium.  You'll get both ISA 2004 AND SQL server 2000.

So why do we not understand it, take the time to learn it, out here in SBSland with all these resources?  I don't get it.

Now I'll be the first to admit when I set up SBS 2000 ages ago I set it up with all/all/all and then realized that wasn't too bright and throttled it back.  Now days if I get stuck on some web site [some of the VOIPs are like this] I'll just temporarily open up ISA and then shut it back down when I'm done. 

But I'm really looking forward to having ISA 'in the house' once SBS 2003 sp1 comes out.

And Amy?  Just keep pluggin' because I think more and more folks will realize that ISA Server rocks just like SBS does.

Why do I suddenly get this vision of shirts with SBS 2003 logos on the front with “Protected by ISA Server 2004” on the back.  Leather jackets even.  Biker ones.  Ooohh...cool huh?!

So how plugged in are you?

So Amy and Tavis posted in about their SBS Partner group experience [Amy on the ISA server listserve, Taz on his blog] and what I'm reading into these messages is that you partners out here:

  • Aren't comfortable with ISA server because they haven't taken the time to learn it or understand it
  • Don't know about all the benefits of the Microsoft partner program, partner/user groups.
  • Don't know about how SBS and CRM are a win/win.

Now maybe if you are reading the blog you are already plugged in..... but come on folks... GET INVOLVED.

Did you see the last SMBnation newsletter?  Did you SEE all those Partner/User groups down there?  WOW!  And if you don't see one in your area, START ONE.  Go to the next TS2 meeting in your area and ask for like minded SBSers and just start one!

Well what the heck are you waiting for?  GET PLUGGED IN!

What fax can I use on SBS?

From the mailbag today comes the question from Liran from Israel:

“I do a lot of support for SBS servers but I still cannot tell what modems are recommended for the SBS 2000/2003 shared fax - especially compatible low end ones that cost up to $100.  Can you suggest a few?”

The best fax devices hands down are those old, tough as nails, USRobotics V-everything.  If you can't find them new, buy them used.  [um...ebay is world wide, right?]

The Windows server catalog lists those modems that are 'certified' for the server and thus Microsoft will support them on SBS. You can see that the US Robotics 56K Performance Pro modem is on the approved list.  Froogle lists it as US$79.52.

Brooktrout fax boards are also certified for Server 2003 and thus if you need a more robust fax solution may be the way to go.  Pricier, but they are the cadillac of faxboards.

Hope that helps Liran!

And hope that everyone remembers the next Israeli SBS2003 users group!

P.S. Remember Microsoft's support policy on hardware not in the Windows Catalog (Windows HCL):
http://support.microsoft.com/default.aspx?scid=kb;en-us;142865

Patching on the SBS 4.5 box

Please be aware that as of December 31, 2004, there is no support for the SBS 4.5 platform, I can't remember a dang thing about it and the newsgroup is about dead.

Technet Webcasts has a presentation on “Threat mitigation for 98 and NT” for those that are unlucky enough to be stuck on those platforms.

Phil in the newsgroups reports that patch 05-010 whacked the licenses on the NT platform and wanted to know the best way to proceed.  Here are my suggestions:

  1. Uninstall the patch
  2. Now go into Control Panel, or wherever Services lives on the NT platform, disable and SHUT OFF the License Logging service

With the License Logging service OFF, the remote attack vector addressed by 05-010 [KB885834] is blocked.  Microsoft's own bulletin lists this as a workaround; it reduces the risk rather than fixing the underlying flaw, which is as good as it gets on a platform that isn't being patched anymore.

Bottom line Phil, just shut the dang thing off.

Yes, you will technically be, slightly be, partially be in violation of some yellowed old EULA someplace that said we couldn't turn off the license logging service, but tough.  Who cares.  Your bigger issue is that you are on an unsupported, no longer patched platform.  I ran my 4.5 without the license logging service on; heck, I had license logging turned off on SBS 2000 because for several months Veritas and Microsoft kept fighting over the licenses until that got fixed in Windows 2000 SP2, and I lived to tell about it.  On SBS 2003 they've got our SBCore service tied to License Logging so we can't turn it off.  The good news is that I was watching that patch real closely and have seen NO issues on the SBS 2003, nor SBS 2000 platforms.  There are so few SBS 4.5's left that even care about patching that you may be our only report out here. 

While I commend you for still caring about that SBS 4.5 platform... stop patching it Phil.  Even if they do release patches on the rare occasion in the future [if they think an attack on your platform will also hurt others], I'd be looking in the section of the bulletins that talks about 'mitigation'.

In every bulletin there is a mitigation section, a place that talks about what to do in case there isn't a way to patch.  You, sir, need to start reading that section.  Under “General information”, then under “Vulnerability details”, then under the description of the vulnerability is the section “Mitigating factors”.  Start watching that section from now on.

The good news is that Microsoft is putting some of their best folks on to more things like that.  Robert [Mr. Incident] Hensing has moved over to this 'mitigation' information section of Microsoft.  Look for more info from folks like him.

Phil, please, if you can, try to look at your budget and get off a platform that made me cross my fingers and toes, and squint with one eye, each time I rebooted that sucker, a platform that isn't built for today's environment.  Heck, you can't do the 'tarpit' stuff on Exchange, you can hardly do any of the hardening stuff that we take for granted these days.  You certainly can't run the patching program you need for your desktops, WSUS, on it.

And speaking of operating systems that have seen better days...Windows 98 machines have no event viewer, and when they Blue Screen we have hardly anything to go on.  Make your life easier... put those NTs and 98's out of their misery. 

Show me a firm that is a vital, growing firm and they more than likely set aside a bit of their annual budget for technology.  I don't know your personal situation, don't know if it's because of Line of Business applications that force you to stay on NT4, don't know if it's because you are a not-for-profit [and, other than in some EU places that don't sell SBS this way,] don't know that you can get SBS 2003 VERY reasonably priced through Techsoup.org or Softwareone.com

So if you are on the NT platform.... stop patching.  Start mitigation and start saving your pennies.  Don't do it even if you have the patches.  Start mitigation plans.  Spend your time and energy instead finding the funds, finding whatever is keeping you from upgrading.

You have a server that can't be patched anymore so watch that webcast and try to focus your area on putting walls and protection on desktops so they don't 'infect' the server.  You still running with Local admin rights on the desktop?  See what you can do to lock down your end users so you can protect that server better.

Bottom line Phil...save your time and money and don't patch anymore....not on the NT 4 box anyway. 

Sharpen that pencil if it's a budget problem.... tell the owner of the business to cut back on a martini or two.... if it's line of business software... work with that vendor and tell them to start supporting the harsh world we live in today. 

If worse comes to worst, isolate yourself and ensure that you have no Internet access.  Cut the RJ45 connection if need be.  If you can't get on a platform that can handle today's risks, then you need to isolate that machine away from the risks.

Mitigation and protection are the words for the NT platform.

Because you can't patch anymore.


Disabling the License Logging service helps prevent the possibility of a remote attack. Customers that have disabled this service would be at a reduced risk to attack from this vulnerability. See the “Workarounds” section for instructions that describe how to disable this service. By default, affected operating systems other than Windows Server 2003 have the License Logging service startup type set to Automatic instead of Disabled.

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable the License Logging service

Disabling the License Logging service will help protect from remote attempts to exploit this vulnerability.

Note Do not perform this procedure on Small Business Server 2000 or Windows Small Business Server 2003. These operating system versions require the License Logging service. These operating system versions may fail to function correctly if the License Logging service is disabled.

You can disable the License Logging service by following these steps:

  1. Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
  2. Double-click Administrative Tools.
  3. Double-click Services.
  4. Double-click License Logging Service.
  5. In the Startup type list, click Disabled.
  6. Click Stop, and then click OK.
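Here's a scripted version of that workaround, added as an example [it's not from the bulletin and not from this post]: it refuses to touch the service if the box looks like SBS, which is exactly the note above, and otherwise sets it to Disabled and stops it, then reads the state back so you can see it landed.  It assumes the service's short name is LicenseService, and it treats an SBCore service or an HKLM\SOFTWARE\Microsoft\SmallBusinessServer key as the SBS tell; both of those are assumptions to check on your own box before trusting it.

```powershell
# Added example, not from the bulletin or the post. Assumptions:
#   - the License Logging service's short name is "LicenseService"
#   - an "SBCore" service or the HKLM\SOFTWARE\Microsoft\SmallBusinessServer
#     key means this is SBS, where the bulletin says NOT to disable the service
# Run from an elevated PowerShell prompt on a non-SBS Windows 2000/2003 box.

$ServiceName = 'LicenseService'

function Test-IsSmallBusinessServer {
    # The post says SBCore is tied to License Logging on SBS 2003; the registry
    # key is a second tell (assumption) so SBS 2000 is caught as well.
    if (Get-Service -Name 'SBCore' -ErrorAction SilentlyContinue) { return $true }
    return (Test-Path 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer')
}

function Get-ServiceState([string]$Name) {
    # Win32_Service carries the startup type even on PowerShell versions whose
    # Get-Service output has no StartType property.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $wmi) { return $null }
    [pscustomobject]@{ Name = $wmi.Name; State = $wmi.State; StartMode = $wmi.StartMode }
}

function Disable-LicenseLoggingService {
    $before = Get-ServiceState $ServiceName
    if (-not $before) {
        Write-Host "$ServiceName is not installed here; nothing to do."
        return
    }
    Write-Host ("Before: state={0} startmode={1}" -f $before.State, $before.StartMode)

    if (Test-IsSmallBusinessServer) {
        Write-Warning "This looks like SBS. License Logging is required there; leaving it alone."
        return $before
    }

    # Startup type first, so a reboot cannot bring it back, then stop it.
    Set-Service -Name $ServiceName -StartupType Disabled
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue

    $after = Get-ServiceState $ServiceName
    Write-Host ("After:  state={0} startmode={1}" -f $after.State, $after.StartMode)
    if ($after.StartMode -ne 'Disabled' -or $after.State -ne 'Stopped') {
        Write-Warning "Service did not end up disabled and stopped; check the System event log."
    }
    return $after
}

Disable-LicenseLoggingService
```

The 'Before' and 'After' lines are the check: you want After to read state=Stopped startmode=Disabled.  On NT4 there is no PowerShell, so there you do it by hand in Control Panel as the steps above say.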

 

Laziness and the admin

I have some tasks that I do rarely and so I forget how to get to them, so I build shortcuts.

We use Trend Anti Virus here and sometimes the email gets quarantined for attachments and content.  I purposely block zip attachments and to make it easier for me to find the blocked zip files, I just build a shortcut on the desktop of the server so I can remote desktop back into the server and then find and rename the file.  Trend [my antivirus] stores it under \program files\trend\Smex\alert.  Drill down, and stick the shortcut on your desktop of the server to make it easier to find.

This next one isn't really a shortcut but more of a 'heads up' in case this happens to you.  Every now and then a program that 'blows up', like my lovely CCH tax prep program, will leave the file 'open' on the server.  Rebooting the server is one fix, but obviously not something you want to do in the middle of the day.  So remote into the server, click on Server Management, then click on “Shares (Local)” and you can see what files have been left open on the server. 

If you know that the program and file can handle this without freaking out, you can click on “view open files“, see which user has the file open, right mouse click and you can 'close the file' without needing to reboot the server.  Please note some software database files should not be closed in this manner and so use this carefully and always make sure you have a backup of the database and understand the consequences to the file if you do this.
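If you'd rather not click through Server Management every time, here's the same 'view open files / close file' step as a script.  It's an added example, not from the post, built on the openfiles.exe that ships with XP Pro and Server 2003: it lists what's open on the server's shares and closes one by ID, and it refuses database-looking files unless you pass -Force, which is the caveat above turned into code.  The column names it reads and the extension list are assumptions; check them against your own openfiles output and your own line-of-business apps.

```powershell
# Added example, not from the post. Wraps the built-in openfiles.exe
# (Windows XP Pro / Server 2003 and later) to list files held open on this
# server's shares and close one by ID, refusing database-looking files.
# Assumptions: the column names below match "openfiles /query /v /fo csv"
# output on your build, and the extension list is a starting point, not a
# complete list of what your line-of-business apps lock.
$DatabaseExtensions = @('.mdb', '.mdf', '.ldf', '.ndf', '.dbf', '.db', '.dat')

function Get-ServerOpenFile {
    # Server-side view: who has which shared file open over the network.
    $csv = @(& openfiles.exe /query /v /fo csv 2>$null)
    # No open files prints an "INFO: ..." line instead of CSV.
    if ($csv.Count -eq 0 -or $csv[0] -like 'INFO:*') { return @() }
    $csv | ConvertFrom-Csv | ForEach-Object {
        $row = $_
        # The path column header varies slightly between builds; match by prefix.
        $pathProp = $row.PSObject.Properties | Where-Object { $_.Name -like 'Open File*' } | Select-Object -First 1
        $path = if ($pathProp) { $pathProp.Value } else { $null }
        [pscustomobject]@{
            Id         = [int]$row.ID
            AccessedBy = $row.'Accessed By'
            OpenMode   = $row.'Open Mode'
            Locks      = $row.'#Locks'
            Path       = $path
        }
    }
}

function Close-ServerOpenFile {
    param([Parameter(Mandatory)][int]$Id, [switch]$Force)
    $file = Get-ServerOpenFile | Where-Object { $_.Id -eq $Id }
    if (-not $file) { throw "No open file with ID $Id." }
    $ext = if ($file.Path) { [System.IO.Path]::GetExtension($file.Path).ToLowerInvariant() } else { '' }
    if (($DatabaseExtensions -contains $ext) -and -not $Force) {
        throw "Refusing to close '$($file.Path)': $ext looks like a database file. Back it up, then rerun with -Force if you really mean it."
    }
    Write-Host ("Closing ID {0}: {1} (held by {2})" -f $file.Id, $file.Path, $file.AccessedBy)
    & openfiles.exe /disconnect /id $Id
}

# Usage: list first, then close the one the crashed app left behind.
Get-ServerOpenFile | Format-Table Id, AccessedBy, OpenMode, Path -AutoSize
# Close-ServerOpenFile -Id 42
```

Same rule as by hand: the -Force path is there for the cases where you know the file survives a forced close and you have a backup, not as a default.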

 

So there you have it.  A few of my 'lazy admin' shortcuts.

How about I just put it in an envelope and put a stamp on it?

Email.  Ugh.

If we don't get spammed to death, SMTP-auth attacked, or used for attempted relaying, we can't send the stupid thing out the door.  Brian Livingston of Windows Secrets sent over a link that reminded me of something that we've been battling out here.

Just trying to get the email delivered.

First we had Verizon and their issues, now we've got about 4 or 5 ISPs that are making our lives interesting.  These appear to be causing some of the issues for us:

  • BellSouth
  • DirectWay
  • Rogers
  • Yahoo DSL smtp.sbcglobal.yahoo.com

With these four ISPs, we've found that we have to put the IP address of the ISP's smarthost into the connector rather than the name of the smarthost itself. 

From the tech details:

When the Exchange server delivers outgoing messages through a smarthost, the server queries the MX record of the Fully Qualified Domain Name of the smarthost address.  If the MX [Mail Exchange] record of the smarthost is different from the A record [for example the FQDN is a CNAME, and the CNAME is pointing to an IP address that doesn't accept email] this will occur.

Javier pointed out that he was trying to use mail.isp.com as the smarthost, but if you perform an MX record lookup on mail.isp.com you get a bunch of records for hosts that are not that smarthost.  So, as long as an MX record exists for the smarthost and it points to a host that doesn't accept email... Exchange will have issues.

Ugh.

Brian indicated that his consultant found a slightly different variation of a fix for Exchange issues when using DNS to route email: put the ISP's DNS servers into the Exchange connector.
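A check you can run before you change the connector, added here as an example and not part of the original post or Brian's fix: it does the same MX-then-A lookup Exchange does for the smarthost name and tells you whether the MX points somewhere other than the host the name resolves to.  If it does, the fix is what the post says, use the IP, which in the SMTP connector you type in square brackets, [192.0.2.25] style, so Exchange doesn't do a DNS lookup on it at all.  It assumes Resolve-DnsName and Test-NetConnection are available [Windows 8 / Server 2012 or later, so you'd run it from a workstation, not from the 2003 box]; mail.isp.example is a placeholder name.

```powershell
# Added example, not from the post. Checks whether a smarthost *name* will
# misroute mail the way described above: Exchange looks up the MX for the
# name first, so if an MX exists and points somewhere other than the host
# the name resolves to, configure the IP in square brackets, e.g. [192.0.2.25],
# in the connector instead. Assumes Windows 8 / Server 2012 or later for
# Resolve-DnsName and Test-NetConnection; 'mail.isp.example' is a placeholder.
function Test-SmartHostName {
    param(
        [Parameter(Mandatory)][string]$SmartHost,
        [switch]$TestPort25     # also try a TCP connect to each MX target on 25
    )
    # What the name itself resolves to (follows a CNAME, keeps only A answers).
    $hostIps = @(Resolve-DnsName -Name $SmartHost -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IP4Address })
    # What Exchange asks for first: an MX for the smarthost name.
    $mx = @(Resolve-DnsName -Name $SmartHost -Type MX -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' })

    $report = [ordered]@{ SmartHost = $SmartHost; HostIPs = $hostIps; MXTargets = @(); Verdict = '' }
    if ($mx.Count -eq 0) {
        $report.Verdict = 'OK: no MX record, Exchange falls back to the A record.'
        return [pscustomobject]$report
    }

    $problem = $false
    foreach ($rec in ($mx | Sort-Object Preference)) {
        $targetIps = @(Resolve-DnsName -Name $rec.NameExchange -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IP4Address })
        $smtpOk = $null
        if ($TestPort25 -and $targetIps.Count -gt 0) {
            $smtpOk = (Test-NetConnection -ComputerName $targetIps[0] -Port 25 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $report.MXTargets += [pscustomobject]@{
            Preference = $rec.Preference; Target = $rec.NameExchange; IPs = $targetIps; Port25 = $smtpOk
        }
        # An MX target that is not the smarthost itself, or one that won't talk SMTP, is the failure mode.
        $sameHost = @($targetIps | Where-Object { $hostIps -contains $_ }).Count -gt 0
        if (-not $sameHost -or $smtpOk -eq $false) { $problem = $true }
    }
    $verdict = if ($problem) {
        "PROBLEM: MX for $SmartHost points away from the host it resolves to. Configure the smarthost as [$($hostIps[0])]."
    } else {
        'OK: MX targets resolve to the smarthost itself.'
    }
    $report.Verdict = $verdict
    [pscustomobject]$report
}

# Usage (placeholder name):
# Test-SmartHostName -SmartHost 'mail.isp.example' -TestPort25 | Format-List
```

The -TestPort25 switch is what catches Javier's case, an MX that exists but points at a box that doesn't take mail; without it the script can only compare addresses.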

Somedays you just want to stick a postage stamp on that email and send it don't you?

The light at the end of the tunnel

Push, shove, pull, come on...you can do it!  Come on!  Just a bit more... you are almost there!

Don't mind me, I'm just standing on the sidelines giving support to Microsoft's patching program.  Two milestones today in fact.  First our server based patching solution [WSUS as it's now called] just hit release candidate today.  RC status means that we can smell the cooking coming from the oven and we should start getting the hot mitts out, ready for taking it out when it's done.

It is still beta, but it's getting closer.  And while it's best of course on SBS 2003 because SBS 2003 is better than SBS 2000, I think that WSUS can go on SBS 2000 as well since all it needs is MSDE and heck... back on SBS 2000 everyone had SQL 2000.

The next thing that started beta today was Microsoft Update.  Right now this is more of a closed beta, but it's again another step toward 'one stop for patching'.

Even the new stuff in the 'patch engine' is cool to see.  Okay... I'm weird... I need a life.

So SBSers... hang tight a little bit longer.... this is step one on our road to what we need in SBSland.  This won't push down our specific SBS patches but will go a LONG way to helping us stay nice and snug.

1-866-PCSafety

 1-866-PCSAFETY

Your hot line.

You know when bad things happen with security patches [which isn't that often but nonetheless] that it's a free call.  If you don't call and merely just ask your neighbor, Microsoft won't know there's a problem. 

I'm amazed that people don't realize that hotfixes and issues with security patches AND viruses are free calls.  Call and give feedback folks.  Get the message directly back to the channel that can then follow up and get you the help you need. 

I cannot stress enough how important the right feedback to the right place is. 

So call.

1-866-PCSafety

One last time.....It's a free call.

URLScan and OWA don't exactly go together [thanks Graeme]

Graeme reports in an issue he had with OWA and SBS:

 

Scenario: Small Business Server 2003 (Premium).  Patching had tested good on a third non-production machine.  OWA completely stops working after routine patching based on MS Baseline Security Analyzer.  Reproduced on TWO machines.

https://yourdomain/exchange was giving 404 Page not Found.  Using Remote Access and clicking on the OWA on the right side menu got a part loaded and stuck site.

Googling and searching, MS Support and MS Groups and all the rest of the world offers solutions revolving around Sharepoint Virtual Server excludes (NOT the answer to my problem) and permission setting in IIS (again not the problem).  There were also clearly plenty of others like me with the same unresolved problem.

OWA didn't bl*%#y work anymore.  On very vanilla installations.

The fix: MS Baseline Security Analyzer of an only SLIGHTLY earlier build recommended installing URLScan 2.5 (which IS compatible with IIS 6 - MS say so).

Guess what?  Turned out that URLScan 2.5 broke OWA and I have some evidence it only does it on Premium builds of SBS and not on Standard build.  Remove URLScan 2.5 and OWA returns to full fledged functionality.  Also guess what?  The newest build of MSBSA (1.2.4013.0) does NOT recommend URLScan.

Even the "supported" version 2.5 and the 12 day old KB article that alludes to this mess is number KB280823.

Sigh!


MBSA and SBSland have always been a bit...well...weird.

The file is greater to or equal to what is expected. Huh?

 

So if you want to beta test the 'next' MBSA, you can join according to the instructions below:

Announcing MBSA 2.0 Beta

MBSA 2.0 is the next version of the Microsoft Baseline Security Analyzer, which utilizes the Windows Update Services infrastructure for security update scanning.  Please help us improve the quality of this release.  We are currently accepting nominations into the MBSA 2.0 beta program.

To nominate yourself for the beta, visit http://beta.microsoft.com, sign in to the system using your Passport ID and a guest ID of "MBSA20" and complete the survey.


And thanks Graeme for the heads up on this!

PubSub on THAT!

Scoble?  Robert dear?  You met Matt a VP of Sales that said sales of small business oriented servers were going nuts?  Don't just Pubsub on small business and servers.  Pubsub on “Small Business Server 2003“  Or set up a Google news search on “Small Business Server 2003”  Then head over to Technorati and Feedster and do the same.

  • You'll find a firm doing a SBS promo.
  • Novell saying they are coming out with a SBS competitor [I thought they had one?  and oh gawd ..not the 'it will install in an hour thing again'.  Desktops folks... you have to connect the desktops? Have you forgotten that install time]  Oh well I guess imitation is a form of flattery as they say.

In fact hey!  I think there's something in Google news that I asked for!  An 'SBSized' mobile device that would be ready to go!  Cool!

And yeah, CRM is starting to really kick up around here. In fact one of our CRM MVPs is an SBSer as well.

Yeah... we've always been a bit wacko around here in more ways than one.  So if 'going nuts' means that Matt was talking about SBS, yeah....we've always been a bit nuts around here in SBSland.

 

Do we truly want to be secure? I don't think we truly do.

"Only this mode is available because Windows Small Business Server 2003 always runs on a domain controller, and if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data."

The Terminal Server component is not available in the Windows Components Wizard in Windows Small Business Server 2003:   http://support.microsoft.com/default.aspx?scid=kb;en-us;828056&Product=sbserv2003


There are times I wonder if we truly do want security around here.  Oh sure we say we do, we argue that Microsoft needs to be more secure, but when it really comes down to it, do we?  I mean do we really?  Do we really and truly want to embrace security, evaluate the risks and be more secure?  SBS 2000 did a dumb, stupid thing that never should have been done in the first place.  It allowed people to set it up with Terminal Server in application mode on a domain controller.  When Microsoft made the security push for SBS 2003 there were two things that the security folks at Microsoft just couldn't let it do anymore.  The first was modem sharing.  The second was TS in application mode.  So off they went.  Good riddance in my book.  The things that we thought were secure before are not secure now.

But it amazes me that I get emails from folks holding off on installing XP SP2 because they've heard it blocks attachments that 'normal' people want and it makes their email unusable.  I get folks asking for pictures back in Outlook 2003.  I get folks asking to stop the annoying “Outlook would like to access your address book, is this okay?”.  People say they want security...but do they?  I mean do we really and truly want it?

Take least privilege for example.  When it's working right you would have to give admin credentials only at those times that you need something running in an admin-like mode, downloading approved software for example.  But even in the latest SuSE desktop, there's a little box to 'remember the admin password' so the user isn't bothered anymore by the prompting.

And then there's the blog post on here that even to this day gets postings and followups.  The Terminal Server in application mode post.  The one where many consultants there say that they 'can' make TS secure and I'm there screeching like an emotional banshee saying “Are you insane?“

Now you could argue that the platform of SBS 2003 breaks 'best practices' anyway, so why should we be so concerned about TS?  And I would say that I hope that someday, natively in the product, each compartment of SBS, each application, would be 'sandboxed' so that it wouldn't affect the other parts.  Now I'm sure Dana would probably say that sticking applications as we do on the server [like Sharepoint and what not] opens us up to risk too.  I'll agree.  But all of you that are arguing so hard that you can do what it takes to secure a server even if it's TS in app mode have missed a few points.

Security

First and foremost, let's review what “I” had to do to my member server to set it up in TS mode. 

  • I had to take off the Michael Howard “Secure by default” Enhanced IE lockdown that blocks ActiveX and what not.  Surfing at a server in this day and age of malware is totally insane.  Robert Hensing has even talked about domain controllers being nailed by trojans with the admin surfing at the server.  What's the way to clean up a trojan?  Flatten it.  Yeah, like I really want to do that to my server.
  • I had to turn on themes so the desktops would look like XP.  Okay minor thing, right?  But nonetheless it introduces another service that might introduce a vulnerability. [yeah like I also want to let people use a hacked UItheme on my DC]
  • I'm allowing users to log into the domain controller and use it as if it were a workstation.  The last thing I want is end users downloading anything willy nilly on my domain controller. 
  • Remember I live in SB1386/AB1950 country, better known as 'notification' territory out here, where if something happens to my server I'm licking stamps and sending out postcards saying “Hi there, we've had a slight problem here“.  If I have a “Hensincident” [aka Robert Hensing], you'd better have the electrical paddles out giving my heart an electronic shock because I'm having a heart attack for certain. 
  • Do I think that allowing TS in application mode should be allowed on 'normal' Windows 2003 Server if it were a domain controller?  Heck no, and if I were in charge of the universe there would be a code block on that too.  Make a server a domain controller and TS in app mode should be code blocked out.  I think it's pretty obvious that when the choice comes between business and security ...guess which one is going to win.

Scalability

  • We already have a lot of stuff going on that server box.  As you know I already had to throttle my SBSmonitoring instance and Exchange is already used to doing what it wants with memory and now you are going to hang how many folks off of that domain controller and have them use it?  The best desktop experience for that end user is on a member server doing those functions.  Read the scaling document on TS.  I don't really want to start yanking memory away from my DC functions.

 

Per-user memory figures from that TS scaling document:

  User type             Memory per user (MB)
  Knowledge Workers     9.5
  Data Entry Workers    3.5

  System memory (MB): 128

  Total memory = System + (# of users x Memory per user)

Consultants out there?  Please listen to me.  You are guiding your customers here.  They depend and rely on your expertise and your guidance.  They trust you to recommend a solution that not only is secure but legal and supported.  Wanting to run Terminal server in application mode on a SBS box endangers your customer, your client.  It's not a good business reason to do this when you can add a second server/member server with only the cost of the Operating system [remember the cals for that box are covered by the SBS box].  Then for the TS Cals, which you will need anyway, any XP Pro you had in the office prior to 4/23/2003 have a redeemable TS cal.

Put users on a member server where they belong.  Scale this right and those owners and users will have a good computing experience.  If you need one or two remote sessions, buy a couple of desktops.  And hey, if you bought the SBS on Open licensing and/or SA, remember that even though I hate XP homes, you can buy XP homes, then get Open licenses for XP Pro and kick them up.

Scale it the right way.

Secure it the right way.

Your customers trust you.

Microsoft is stepping up to the plate.

Will you?

Hey Charlie! They got updated again!

Dear Charlie:

I regret to inform you that those two lovely SMB files that I nearly drove you crazy tracking for about 6 months have been updated again.  You remember, the ones that started us recommending wacking off SMB signing in the first place?  They were patched in Security bulletin 05-011 and then folks indicated that they saw issues in certain circumstances.  Today I found a KB with a new version of those files.  KB 895900 has just been released with new versions of those files that I drove you crazy about.  Looks like Mrxsmb.sys got the redo this time.

You cannot save a file from your Windows XP-based computer to a shared folder on a file server:
http://support.microsoft.com/?kbid=895900

Now mind you, these days I'm going on record as not needing to, nor doing the 'wacking off' of SMB signing like I used to. 

As usual thanks for putting up with me bothering you.

Susan


Figured this time I'd just blog my bothering him rather than bothering him directly.  Not to mention the fact that I haven't seen any issues with this patch, and believe me, I've been watching this one closely because it was affecting files that had caused me grief before.

Bottom line, I have not seen any file issues in my firm [full XP sp2, SBS 2003, SMB signing left 'at' defaults, nothing wacked off here], thus I would NOT recommend that you call for and install this hotfix unless you are personally seeing an issue.  I have not seen this issue in SBSland.

From what I have seen this has been seen on “Snap Servers” and peer to peer networks.   Now, mind you, I'm not sure I'd call 95/98 boxes 'servers', so if you are using one of those in the 'server' position...how about you install a REAL server instead?  Peer to peer is 'okay' but these days where the fun is at is in a SERVER like SBS.

Cookies, spyware and I'd like a glass of milk with that please?

I was answering a question in the newsgroup on how the Microsoft Antispyware [still beta but extremely stable] went through an egress filtering firewall, whereas I gave up on trying to get Adaware through the firewall.  Then the poster asked if the Microsoft Antispyware tracked/blocked cookies.  The Microsoft Antispyware team found that end users got too confused when too many things asked them for action.   This is the same issue with the outbound prompting of the firewall in XP sp2.  People will just say “yes“ to something that they don't truly understand.  Thus it's actually better if the software makes certain assumptions for the end user.

Maybe I've had too much Mountain Dew flavored Microsoft Koolaid or something, but I just don't see 'cookies' as this huge threat that people see them as.  Many times they are quite helpful in that they remember settings in a web site, localities, and they certainly don't hi-jack browsers, install trojans or any other annoying software.  Microsoft's anti spyware in this beta took the position that cookies [the non malicious ones] are okay and you won't be warned about them.  To me that's just fine.

The Spynet.com page has some links for more information about how spyware is identified and labelled.  Many cookies are not 'bad' at all.  The ones that 'cross over' are indeed labelled as spyware and blocked.

But take my fav tech help site of Eventid.net.  I need that cookie in there so that, as a subscriber [and TRUST ME you want to be a subscriber], I can quickly and easily launch from there to Microsoft and Google Groups and whatnot.  It makes it very easy to navigate that helpful site.

So to me cookies aren't a problem.

I like cookies... I'd prefer the chocolate chip kind personally, with a glass of cold milk too, but I'll take cookies.  The computer kind are just fine by me and actually help me on the web sites that I need to work.

ummm....and while we're on the topic of Chocolate Chip Cookies....shall I also 'out' myself about another quirk that I have?  I like cookie dough.  Yup, raw chocolate chip cookie dough.  That might explain a few things about me, eh?  My vices are Mountain Dew and cookie dough.

Baselines and small businesses

Tim makes the point in the comment section that my issue with patching was totally caused by the fact that I didn't know what I had on that system.  I totally agree.

But I don't agree with his assessment that 'any sized business should flatten and install a baseline'.

For one, down here, we may not even get true reinstall media with these suckers.  We don't buy volume licenses down here to install an image from.  Remember you cannot buy a desktop computer without an operating system, either retail or OEM so we tend to not buy the volume license media to allow us to install a baseline. 

In fact, let's ask the troops out here.... I truly do not get the impression that in SBSland we flatten and reimage as much as we should.  Obviously there wouldn't be those web pages with discussions of issues with Windows Update if people were not hitting this stuff.

The owner bought a system, my guess is you will have a hard time convincing them to flatten and start over.  Many firms get the Partner/consultant to “build” a box for them to get around this issue.

Small firms just don't see the value in Software Assurance and Volume licensing unfortunately, much to their detriment.  They buy a system from the OEM manufacturer and assume that the consultant will work with that image and not flatten and start over.  “I just bought this...what are you doing starting over?”

While it certainly may be a wise thing to do, with the current OEM software model, I just don't get the feeling that the consultants for the small business crowd are doing this 'best practice'.

You tell me.  Am I wrong?  I'll ask around and see.

The laptop is alive, the glass windows in the office are intact, the OEMs are now ticking me off

Following up to my 'Right about now a laptop' post, DJ says that they have a 15, sometimes 30 minute rule... if it takes longer than that, they nuke the laptop and start fresh with a Ghost image.  'Ain't' it true.  Computer issues take 15 minutes or 4 hours. There is no in-between.

OEM.  I'm getting a bit ticked at OEM right about now.  Turns out there was some sort of Dell virtual drive something on this sucker.  My clue was the issue I had when I even went to manually install the patch and it was failing on me.  Googling gave me the hint that there was some sort of virtual drive software on the box.  Huh?  What virtual drive software?  I don't have my PGP drive on this laptop [which reminds me.. I do need to install that on this before its next trip]  So off I go to Add/Remove Programs and start searching.  In there are a couple of Dell entries for software that kinda sound 'virtualish'.  Hmmmm... last used is ages ago... off they go.  Reboot.  Windows update again.  

GRRRRRRRRR  it works.  14 patches later I have a fully patched machine.

I'm getting a bit tired of OEMs and their hidden 'presents' that they give us when patching.  The other day I realized a desktop [an Optiplex] that I thought was relatively clean had an MSDE instance on it because the OEM version of Outlook was the BCM version.  It also has a Sun Java JRE that phones home to Sun for updates [doesn't work though with my egress filtering ISA on the server], and the new HP laser printer we bought loads up an Apache web monitoring tool.  Apache?  I have Apache software on a desktop that I need to monitor for patches now?  Come on DELL and HP, you are not making this easy one bit to keep these suckers patched and protected.  Can you TELL me what you are loading up on these guys so I know what software to watch out for?  Can you NOT load up software that interferes with and totally blocks software updating?

I have to fix one workstation because right now the HP print monitoring program is totally filling the log files with stop signs.

To all those buyers of Apple that say their computer buying and using experience is more pleasurable...like duh... Apple controls the entire chain from software and hardware to distribution.  What does Microsoft control?  Right now I would argue they don't even control the patch distribution channel well enough.

Look at today's experience for me.  The average person would be cussing Microsoft right now for making an application that breaks.  But who truly was the root cause of the issue?  OEM software not software by Microsoft.

The big firms buy Select and Enterprise licensing and can load a clean image of exactly what they want.  Us down here in small business get software that we didn't even know we were buying.  Mr. Dell?  Can I get an OEM system, an Optiplex with 'just' Microsoft XP sp2 and Office 2003.  Nothing else.  No Sun JRE, no nothin'.  I'll even pay more to get an image of exactly what I want with no other special software that I have to worry about patching.

One patched, firewalled, antivirus up to date Laptop is now ready for the road.   

Right about now a laptop is really getting on my nerves

We have these 'floater laptops' that stay in the closet and come out when folks travel.  So some of them don't get the attention they need [patches, a/v whatever] until they are needed for the road. 

I think I may need to include these suckers on my once a month patch plan.  My inattention is now costing me.

Anyone want a laptop, Dell, Inspiron 8200 nearly new, only missing 14 security patches?  If you act now you might be able to get it from me before I'm tempted to chuck it out the window.

I've tried WU, AU, heck I even joined the stupid thing to the domain to use Shavlik AND attempted to manually install these 14 patches and they all fail.

So now I'm in google error code resolution mode.

The error log from 'one' of the log files gives clues, as does the attempted manual installation.  The manual install gives me “Setup cannot copy the branches.inf“.  I AM the administrator, I've tried it on several profiles with admin access, I've run anti spyware, grrrrrrrr.... right now I'm running the disk cleanup to find temp files and delete them.  I'll be working through this list of errors next.

Update:  Ran through that list... still no go...now looking at permissions on the drive.  A call into PSS may be in order but I think the XP division closes a bit earlier on Saturday [why is it that by the time I get to the 'giving up' stage they are closed?]

I'll keep you posted as to why this is doing this.  Otherwise anyone want to come over and restrain me from throwing a laptop through a window soon?  The feeling is getting much stronger now.


1.382: ===========================================================
1.382: 2005/03/19 15:35:06.189 (local)
1.382: c:\492924401b9deff5d09f\update\update.exe (version 5.5.33.0)
1.422: Service Pack started with following command line: /passive /norestart /quiet
1.853: DoInstallation: CleanPFR failed: 0x2
1.873: SetProductTypes: InfProductBuildType=BuildType.IP
1.873: SetAltOsLoaderPath: No section uses DirId 65701; done.
2.003: DoInstallation: FetchSourceURL for c:\492924401b9deff5d09f\update\update_SP2GDR.inf failed
2.003: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB890047$
2.003: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
2.013: BuildCabinetManifest: update.url absent
2.013: Starting AnalyzeComponents
2.013: AnalyzePhaseZero used 0 ticks
2.013: No c:\windows\INF\updtblk.inf file.
2.013: OEM file scan used 0 ticks
2.013: AnalyzePhaseOne: used 0 ticks
2.013: AnalyzeComponents: Hotpatch analysis disabled; skipping.
2.013: AnalyzeComponents: Hotpatching is disabled.
2.013: FindFirstFile c:\windows\$hf_mig$\*.*
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.734: AnalyzeForBranching used 721 ticks.
2.734: AnalyzePhaseTwo used 0 ticks
2.734: AnalyzePhaseThree used 0 ticks
2.734: AnalyzePhaseFive used 0 ticks
2.734: AnalyzePhaseSix used 0 ticks
2.734: AnalyzeComponents used 721 ticks
2.734: Downloading 0 files
2.734: bPatchMode = FALSE
2.734: Inventory complete: ReturnStatus=0, 731 ticks
2.744: Num Ticks for invent : 741
2.744: DoInstallation: LoadOrInstallBranchesInf failed to install; error=0x00000005.
2.764: Access is denied.
2.764: KB890047 installation did not complete.
2.764: Update.exe extended error code = 0x5
2.774: Update.exe return code was masked to 0x643 for MSI custom action compliance.
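To make a log like this quicker to read, here is an added triage script (my example, not code from the post or from Microsoft) that parses the update.exe line format shown above, counts the repeated error lines, and pulls out the failing step, the extended error code and the masked return code; the sample log inside it is a shortened copy of the one just quoted.

```python
"""Triage helper for the update.exe log format quoted in the post.

Added example, not code from the original post. It reads the
'<seconds>: <message>' lines update.exe writes to KB<n>.log, counts
repeated error lines, lists the steps that reported 'failed', and pulls
out the extended error code and the masked return code.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^\s*\d+\.\d+:\s*(?P<msg>.*)$")
KB_RE = re.compile(r"\b(KB\d{6,7})\b")
HEX_RE = re.compile(r"0x([0-9A-Fa-f]+)")
EXT_RE = re.compile(r"extended error code\s*=\s*0x([0-9A-Fa-f]+)")
RET_RE = re.compile(r"return code was masked to\s*0x([0-9A-Fa-f]+)")

# Win32 codes seen in the post's log. 0x643 (1603) is the generic MSI
# ERROR_INSTALL_FAILURE that Windows Update shows the user; the real
# cause is the extended error code logged just before it.
WIN32_ERRORS = {0x2: "ERROR_FILE_NOT_FOUND", 0x5: "ERROR_ACCESS_DENIED",
                0x643: "ERROR_INSTALL_FAILURE"}


@dataclass
class Triage:
    kb: Optional[str] = None
    completed: bool = True
    errors: Counter = field(default_factory=Counter)
    failed_steps: List[Tuple[str, Optional[int]]] = field(default_factory=list)
    extended_error: Optional[int] = None
    return_code: Optional[int] = None


def parse_update_log(text: str) -> Triage:
    """Walk the log once and collect what a first-pass triage needs."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines or anything not in the timestamped format
        msg = " ".join(m.group("msg").split())  # collapse doubled spaces
        kb = KB_RE.search(msg)
        if kb and t.kb is None:
            t.kb = kb.group(1)
        if "Setup encountered an error" in msg:
            # update.exe repeats this line once per affected component
            t.errors[msg.split("error:", 1)[1].strip()] += 1
        elif " failed" in msg:
            step = msg.split(" failed", 1)[0]
            code = HEX_RE.search(msg)
            t.failed_steps.append((step, int(code.group(1), 16) if code else None))
        if "installation did not complete" in msg:
            t.completed = False
        ext = EXT_RE.search(msg)
        if ext:
            t.extended_error = int(ext.group(1), 16)
        ret = RET_RE.search(msg)
        if ret:
            t.return_code = int(ret.group(1), 16)
    return t


def summarize(t: Triage) -> str:
    """One-line verdict: which KB, which Win32 error, at which step."""
    kb = t.kb or "update"
    if t.completed:
        return f"{kb} installed"
    if t.extended_error is None:
        parts = [f"{kb} did not complete (no extended error code logged)"]
    else:
        name = WIN32_ERRORS.get(t.extended_error, "unknown")
        parts = [f"{kb} did not complete: 0x{t.extended_error:x} ({name})"]
    if t.failed_steps:
        parts.append(f"last failing step: {t.failed_steps[-1][0]}")
    for err, n in t.errors.items():
        parts.append(f"{err} (x{n})")
    if t.return_code is not None:
        parts.append(f"reported upward as 0x{t.return_code:x} "
                     f"({WIN32_ERRORS.get(t.return_code, 'unknown')})")
    return "; ".join(parts)


# Constructed sample: a shortened copy of the KB890047 log quoted in the post.
SAMPLE_LOG = r"""
1.853: DoInstallation: CleanPFR failed: 0x2
2.003: DoInstallation: FetchSourceURL for c:\492924401b9deff5d09f\update\update_SP2GDR.inf failed
2.003: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB890047$
2.003: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.013: KB890047 Setup encountered an error:  The  update.ver file is not correct.
2.744: DoInstallation: LoadOrInstallBranchesInf failed to install; error=0x00000005.
2.764: Access is denied.
2.764: KB890047 installation did not complete.
2.764: Update.exe extended error code = 0x5
2.774: Update.exe return code was masked to 0x643 for MSI custom action compliance.
"""

if __name__ == "__main__":
    print(summarize(parse_update_log(SAMPLE_LOG)))
```

Run on the sample it points at the LoadOrInstallBranchesInf access-denied (0x5), which matches the “Setup cannot copy the branches.inf“ message from the manual install, rather than the generic 0x643 that Windows Update reports.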

Graphically document how insecure you truly are!

Now you can graphically document how insecure your network truly is!

Okay just kidding...another of the ...oooh haven't tried but this looks interesting categories.  Visio + MBSA = Interesting!

Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer (MBSA):
http://www.microsoft.com/technet/security/tools/mbsavisio.mspx

Securing your network has just gotten easier. The Visio Connector for MBSA lets you view the results of a Microsoft Baseline Security Analyzer scan in a clear, comprehensive Microsoft Office Visio 2003 network diagram. You must have both Visio 2003 and the Microsoft Baseline Security Analyzer — a free security tool from Microsoft — for this connector to function.

Just give me the basics

From the mailbag tonight were two related questions.  One was from a fellow who was tired of the geek speak and wanted to get his hands around the bits and bytes himself and better understand the fundamentals that his IT folks would communicate with him about and end up NOT communicating with him about.  [We do have that problem in geek land don't we?]  The next one was from a gentleman who was getting a bit confused about DHCP, DNS and what not and wanted to get the basics better in his mind.  He asked which SBS 2003 book to buy.

Just don't tell Harry this, but we're not recommending a SBS book.  In fact I agree with fellow SBSer Handy Andy that it sounds like what these gentlemen need is a foundational server book.  I think I got my best geek foundations when I was studying for the Windows 2000 Professional and Windows 2000 Server MCP exams.  Sometimes you have to go back to these foundations to get a handle on the bigger picture.

There are a couple of other foundational places you can read up on:

Introduction to the Internet - Cisco

Introduction to TCP/IP - RFC 1180

Sometimes it is indeed good to make sure you have a handle on the basics.

 

It just is, that's all.

Why is Office 2003 so good?  It's just an accumulation of the little things.  Patching is easier for one.  Colors and highlights.  Outlook Rocks.  Integration with Sharepoint is just soooooo kewl.

And Larry points out the best one of all.  Solid.

So go listen to Eric Ligman and the gang as to why you and your clients need to be installing it.


With the launch of Office 2003 almost 2 years ago, many customers ask why they should upgrade to Office 2003.  Many of these customers are running older versions of Office, such as Office 97 and don’t see the “value” of Office 2003. We’d like to invite you to the Why Office 2003? The Many Reasons to Migrate from Office 97 webcast, sponsored by the Central Region Small Business team, which also includes information on the Office Pro Promotion which could get your customers up to $20,000 from Microsoft just for purchasing Microsoft Office Professional!  

Thursday March 17, 2005
11:30am – 1:30pm CST
Recommended Audience: Small Business Partner (VAR, Reseller, Services Partner, System Builder, ISV, etc.)
To register, please go to:

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032271142&Culture=en-US
or call (877) 673-8368 Event ID 1032271142

[UPDATE THE RECORDED VERSION IS NOW ONLINE CLICK HERE FOR THE MSSMALLBIZ LIVE MEETINGS PAGE]

During this on-line briefing, hosted by Brad Billison, Partner Technology Specialist, Nick Stillings, Business Productivity Advisor and Eric Ligman, Development Manager, you will gain a deeper understanding of the many business reasons your customers should upgrade today by connecting people, information and business processes. Here are just a few:
 

  • Collaborate on Documents with Team Members - leveraging such technologies as Windows SharePoint Services
  • Organize Meetings and Events - save time with side-by-side calendars and meeting workspaces
  • Managing Document Changes - you can lock down a Word document to manage changes as you see fit
  • Controlling Access to Vital Business Information - with Information Rights Management (IRM), you determine who sees what and what they can do with that information
  • Outlook 2003 with Business Contact Manager (Small Business Edition only) - use Outlook 2003 with Business Contact Manager to manage your business contacts, track sales opportunities, and run reports.
  • Preventing E-Mail Overload - enhanced privacy features and improved junk mail filtering allow you to manage your Inbox
  • Organizing Your E-Mail Inbox - Quick Flags and Search Folders make finding that email so much easier
  • Improving Performance and Administration - Outlook 2003 connectivity performance enhancements make connecting easier and faster, and never lose that document again with the document recovery feature
  • Working Mobile - handwriting integration with mobile devices
  • And so many more…

You will also learn about a very exciting rebate opportunity that you can use to get your customers up to $20,000 directly from Microsoft just for purchasing Microsoft® Office Professional Edition 2003!  Plus, you will hear about a promotion the Central Region Small Business Team is running for Open Value in Small Business in the Central Region that you can use in conjunction with the services promotion.

We look forward to having you join us for this session,

And my name is?

I have a name inside that is different from the name outside.  I want the name that I give to my trusted people to be different from the name I give to outsiders.  In fact, the shorter and cleaner it is, the better off I am from an admin standpoint.  What am I talking about?

Computer names and domain names.

In SBSland the computer names you assign to the workstations are the names that will show up in the Remote Web Workplace window.  Don't make those too cryptic for your end users so they don't know which workstation to connect to.

Don't make the computer name of your server so long and icky that for three years while you run your SBS 2000 box you curse yourself for naming it the name with a year.  Dumb.. so dumb... dumb!  [Yes, I'll admit to being that stupid about naming my server's computer name something that I regretted for three years]

And don't worry that the 'domain name' you name your network...that .local thingy or the .lan thing...doesn't match your email domain.  It doesn't matter.  In fact the more generic you make this, the easier it is to avoid an issue if the firm decides to change or sell their name.  When the client comes to you and says “We just renamed our business from “This is a cool name for a business.com” to “This is an even MORE cool name for a business.com”, all you will need to do to change the email addresses is to rerun the Connect to the Internet wizard and change the information there. 

You can also change the 'branding' of the Remote Web Workplace as well with a reg edit:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization

But you never ever want to go into a Small Business Server box and change the computer name, nor run a dcpromo and change the domain name.  Too many 'active directory glue spots' will break.

[thanks Ray Fong for that RegEdit reminder!]

Um...Guys? I'm not connecting to my computer at work?

So you probably know by now that I have a fully functional SBS 2003 at home as well as at the office and there's just a couple of things that bug me about RWW.

I'm not connecting to my Desktop at work.

Okay so this is really dumb but the page that says “connect to your desktop at work” makes perfect sense here at the office but is dumb when the desktop I'm connecting to is at home.  Picky.  I know.  But I'm not.  It's my desktop at home.  Somedays I'm brain dead enough to need a reminder of which one I am connecting to.

Next... dual screens. 

I'm a dual screener here at the office [we even have a guy who has quad monitors] and I'm always moving the programs I'm running from one monitor to the other.  Here at the office when I RDP to the server [rather than just get the exercise I need and walk to the server and do admin stuff] I can minimize the screen and move it around to which ever monitor I need to slide it to.  RWW isn't so easy.  First I tend to forget to adjust the screen size so it grabs the big 19 inch flat screen before I've had a chance to grab it.  Next, if I do remember to adjust the screen size, it's never quite the way I need it and I'm ending up scrolling and yanking the page around to get to where I need. 

Reminds me of the guy who was asking about TSing using a pocket pc back into the server.  I've done it.  It can be done.  But unless you really get your kicks out of taking a stylus and dragging that window ALL OVER the place, it's not exactly the most efficient way to remote access into your server.

I told you these were dumb things.

The Server and Domain Isolation Using IPsec and Group Policy is available on TechNet

Just got notified about this posted to the Download site!


Isolating Network Resources to Better Protect Against Rogue Machines, Infections and Information Theft

  • How does one restrict sensitive traffic to specific machines within the network?

  • What happens if a new virus or worm reaches your network and your desktops become infected?

By utilizing capability built into Windows XP and Windows Server, you can easily implement a logical isolation strategy. This strategy can help to better protect your domains, servers and desktops, from these threats.

The Microsoft Solutions for Security (MSS) team has released the Server and Domain Isolation Using IPsec and Group Policy. This is Microsoft's first guidance for the selection of appropriate IPsec components and the first thoroughly documented prescription of how to implement. 

This solution demonstrates how IPsec transport mode can be leveraged as one of the best means currently available to protect corporate networks. This protection can minimize losses due to information theft, compromise of credentials, and administrative costs. This solution also clearly contrasts IPsec transport mode from the more widely known IPsec tunnel mode, one of the prevalent VPN technologies today.

The Server and Domain Isolation Using IPsec and Group Policy is available on TechNet

The book, the Man, the Team, THE EVENT!

You've seen the ads, some of you have seen the PDFs, now, the book, the man, the team, the event.  And once again it has me tempted to book tickets to Australia. 

REGISTER NOW for this special event only in Australia!

The training sessions are FREE one-day workshops at Microsoft's offices in North Ryde and Brisbane. The workshop features SBS 2003 business and advanced technical topics. Harry Brelsford will speak on the SBS franchise model and VoIP on SBS networks. SBS-MVP Dean Calvert will deliver an E-myth\SBS presentation. SBS-MVP Wayne Small will also speak on advanced topics. Plus much more! Order your Advanced SBS 2003 book at www.smbnation.com.

Harry Brelsford is a noted Small Business Server 2003 MVP from Seattle and author of many SBS books. Following previous very successful visits to Australia, Harry is extending his worldwide SMB Nation tour to Australia for just 2 days. This SMB reseller training is focused on SBS 2003 and provides a mix of business consultancy training and additional technical training on the new HP ML110 server and security.

Official Worldwide Advanced Book Launch: Sydney, Australia on March 29, 2005 at Microsoft!

We are delighted to announce that we will use a one-day Aussie SBS 2003 workshop to officially launch the Advanced Windows Small Business Server 2003 Best Practices book. Australians who ordered the book by March 18 may pick up their signed book copy at this one-day SBS continuing education day.

Sydney Agenda

8.30 am HP ML 110 introduction

9:30am to 10:45am: Running an SBS franchise.
* Using the small business solution accelerators to standardize your practice
* Due diligence: current analytical research on SBS and the SMB marketplace. Why this is such good news for Australia!
* Hints: Small Business Partner Initiative and more!

10:45am - 11:00am BREAK

11:00am - Noon: Adding third-party telephony to SBS 2003

12:00 pm - 1:00pm Lunch

1:00pm - 2:00pm: Applying the e-myth to your SBS 2003 consulting practice

2:00pm - Trend Micro training + extending SBS Security

5.30pm close


Brisbane Agenda

1pm – 1.30pm Introduction and Welcome

1.30pm - 2.45pm: Running an SBS franchise.
* Using the small business solution accelerators to standardize your practice
* Due diligence: current analytical research on SBS and the SMB marketplace. Why this is such good news for Australia!
* Hints: Small Business Partner Initiative and more!

2:45pm - 3:00pm BREAK

3:00pm – 4pm: Adding third-party telephony to SBS 2003

4:00pm – 5pm: Applying the e-myth to your SBS 2003 consulting practice

5:00pm – 5.30pm: Tea (pizza) prior to SBS User Group

5.30pm – 7.30pm SBS User’s Group
 - Introduction – Stuart Applegate
 - Brookstone CRM Solutions
 - Extending SBS Security

7.30pm close


Microsoft Sydney Office
Theatre
1 Epping Road
North Ryde, Sydney
New South Wales 2113
Australia
HP SMB Reseller Training - Sydney
29 Mar 2005, 8:30 AM to 29 Mar 2005, 5:30 PM AEST
1 Day Internal SMB Partner Session
Microsoft Brisbane Office
Theatre
Level 9
1 Eagle Street
Brisbane
Queensland 4000
Australia
HP SMB Reseller Training - Brisbane
30 Mar 2005, 1:30 PM to 30 Mar 2005, 7:30 PM AEST
Half Day Internal SMB Partner Training Session

Webcasts anyone?

  1. Yes.  ALL are available at a later time.
  2. I have that problem too.  Seems to be that one plug in.
  3. Open up ISA in an all/all/all and it works [which is what I normally do].
  4. You can download the PDF inside the presentation by clicking File, Save As.
  5. It's on his blog.
  6. Not yet available.  I'll be posting the link when it goes live.  Stay tuned to this blog and Chad's.

Any questions? 

Ummmm....

You probably want to know what the questions are that are answered by these items, I'll bet.  Okay here goes:

  1. Was the webcast recorded and will it be available for later playback?
  2. I cannot connect to the audio track and it seems to be the one VOIP plug in versus the other [but I can't remember which one works and which one doesn't].
  3. How do you get it to work?
  4. Is the PDF for a webcast available to be downloaded?
  5. I saw Chad's presentation today, where's the info on that “poor man's CRM“?
  6. Where is the link for Chad's presentation?

Kudos to Chad on an informative and thought provoking session on how we can all use Sharepoint better.

And don't forget this cool IFilter roundup that was on the Sharepoint blog.

Blogcast, Podcast, Geek out here we come!

Gordon emailed me about a new uber geek site with some cool tech videos [or podcasts as the blog world calls them]  Located at Blogcastrepository, it's a Vault for free technical videos.  They even have a cool 'how to' do these videos and how to upload them.  Right now they are a bit SMS heavy, but it's not bad for just opening up not too long ago.

You know how they say a picture is worth a thousand words.  Take a look at the Outlook productivity one.

Oooh oooh....ohhh... SBSers are you thinking what I'm thinking? You could do YOUR OWN podcasts for your clients!  You know how we keep saying that we need to have better 'how tos' for your clients to fully understand and get the bang for their buck in your services.  Just think of what you could do like this!

The moral of this story is ....use USB external harddrives instead

Event ID 133 is logged in the Event Viewer if you use the Ntbackup.exe with a Certance Travan tape drive in Windows Server 2003:
http://support.microsoft.com/?kbid=894255

RESOLUTION

Microsoft is researching this problem and will post more information in this article when the information becomes available.

 
I think the moral of this story is, if your client has a Travan drive run away from it as fast as you can and talk them into using USB external harddrives.  Since day one we have had nothing but grief from those stupid Travan drives.  During the beta in fact [and I take full responsibility for not beta bugging this properly], I had a sucky travan drive that didn't work and I put it down to old sucky hardware and never beta bugged it.
 
If you can grab your client BEFORE they buy the backup device... get a USB harddrive as your backup media rather than going this route. 
 
Trust me, you'll save a lot of loss of hair.

See it's like this.... don't mess with "My Business"

Answering another question from the mailbag tonight.  Part II actually.  One about Scripts and I thought I'd also mention our other annoying 'feature' of SBS.

Let's face it SBS has a few ... well... eccentricities.  One that “LanWench” from the newsgroups loves is how SBS really doesn't want you to mess with a couple of things:

  • Scripts [well you can but there are certain guidelines] and
  • Organizational units [one of our built in ones to be exact]

Heaven forbid you should rename or move SBS's main Organizational unit.  You see quite a few scripts and wizards on SBS 2003 depend on that, so just 'leave it alone'.  It's way better to create a new organizational unit for your own group policy work and go from there.  So 'don't mess with the My Business OU' is our first eccentricity.

Our next is our login script.  The SBS_LOGIN_SCRIPT is located in the \windows\sysvol\domain\scripts subdirectory and right now, mine contains just this:

\\DOMAIN\Clients\Setup\setup.exe /s DOMAIN
\\DOMAIN\OFCSCAN\AUTOPCC

That second one is the script for Trend in case you are wondering.

Kevin has the exact how to for adding 'more things' to that script on his blog.  Don't forget you can also use Con2prt.exe to connect to network printers via scripts.  But don't delete it... work with it and add to it like Kevin showcases.

Work with our eccentricities and you'll find you soon get at least used to them.

Patching anyone?

From the mailbag today comes the question.... how do you let workstations automatically update and still have the users run as restricted users at the same time?

Answer.....

You can't.  Not that I've found anyway.

Ah, great there Susan, you are the one advocating restricted user and now it makes me MORE insecure?  Ah, no.  There's a way around this.  Several options in fact.

You see there's this thing called SUS and soon to be WUS or MUS or whatever the marketing folks decided this week to call the current and future centralized patching tool.  As long as you set the updates to automatically install at a certain time and the machine is turned on, the patches will deploy [you'll have to check the event logs or scan the machines with MBSA to confirm the install].

Right now SUS is fully supported, WUS is in beta.  My strong guess is that sucker will be shipping before July of 2005 come h-e-double-toothpicks or high water.  [Spell it out, my mother taught me never to swear... not on blogs anyway; they get caught by my Trend eManager filters.  I lose enough Rory blog posts and get enough 'Removed by Exchange content scanning service' notifications to know that those filters cross over from my inbox into my NewsGator folders.] 

Why you ask?  Because if I were in Steve Ballmer's shoes I wouldn't be going back in front of a crowd of Microsoft partners at the WorldWide Partner conference another year without something ready.  He first announced it when SBS 2003 was launched in New Orleans in October of 2003.  Now that that very vocal rant is out of the way, you are probably asking what the other method is....

Shavlik.  My FAVORITE once-a-month control thrill is my Shavlik patch tool.  With it on my desktop I can insert the domain credentials and remotely patch ALL workstations in my office.  As long as those machines are merely turned on, they are patched.  I even deployed my XP SP2 in this manner and only had one 'gotcha'.  [Nvidia digital video card driver; rolled it back to the SP1 version and all was well]

With these tools you don't have to have local admin rights on the desktop, and in fact can patch remotely.

SBS Chat Live - Handy Andy at 4 P.M. PST

CHAT: SBS Live! 

** Tuesday, March 15, 7 p.m. Eastern 

Got Small Business Server and want to get help administering it or help others to get the most out of it? Share your SBS stories with others this Tuesday, March 15 at 7 pm; Microsoft MVP and SBS expert Andy Goodman will be there as master of ceremonies: 

http://mcpmag.com/chats/ 

To join, to learn how to join a chat, to read the rules of conduct, or to obtain a transcript of a past chat, go to http://MCPmag.com/chats. If you're using a chat program, such as Microsoft Chat 2.0 or mIRC, you can join by going to the #MCPmag.com room on the chat.mcpmag.com server. 

LimitLogin tool

Hmmm...haven't tried it but I wonder if we can use this to build a report of logons and logoffs?

Hmmm... may have to play around with this  


We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all login information in Active Directory domains (without necessarily enforcing logon quotas).

The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a "bullet proof" solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc) in numerous RFPs etc.

LimitLogin capabilities include:
- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating with the Active Directory MMC snap-ins.
- Ability to delete and log off user sessions remotely straight from the Active Directory Users and Computers MMC snap-in.
- Generating login information reports in CSV (Excel) and XML formats.

Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool).

The public download location is there 

But....But... I was "stealth" before and now I'm not?

From the mailbag comes today a question about ports open and what not:

Joe had a peer-to-peer network before and on the Grc.com web site was fully 'stealth'.  Now that he has a network he is listing ports 80 and 25 open.  Closed is port 21.  He was used to having everything “stealth” before and now it's slightly freaking him out that ports are open.  He's concerned about being an open relay and all that.

First off Joe, a couple of things.  “Stealth” is GRC.com terminology; it doesn't mean that you were invisible on the Internet before and now have a server sitting out there with a bullseye on it.  Like anything in life there are a few things that you have to do in order to 'do business'.  If you want mail coming in via SMTP, which gives you the most flexibility in spam filtering with IMF and what not, port 25 must be open.  If you are using POP, you then don't need either port 25 or port 110 open, but know that the SBS 2003 POP connector CANNOT pull more often than every 15 minutes.  [And please, please, please, please... make sure you patch your server!!]

We normally say, just to be a smidge more paranoid, that you can easily close up port 80 and then just train your employees to type in https://yourdomainname.com/remote to get to the Remote Web Workplace.  While in SBS 2000 we were [heck, I was] quite the nervous Nellie around IIS 5, IIS 6 has been extremely solid.  They are already working on IIS 7, but I've personally been very, very pleased with IIS 6's track record, even while I've been putting down my Mountain Dew and dashing off to Shavlik to patch Internet Explorer these days.

Joe was also concerned about being a mail relayer, and remember that OUT OF THE BOX SBS 2003 is not a mail relayer when you use SMTP.  [Unfortunately I cannot say the same for SBS 2003 when using an unpatched POP connector setup.... for POP, see the comment and link about how we indeed are a mail relayer when using POP and cc'ing a large email.]

There are some things you 'can' do to tighten yourself up a bit especially when you are using full SMTP mail...

Mark O'Shea had a couple of articles on security in SBS 2003 and I had a prior post about the ports needed for SBS.

Remember to only open up those minimal ports you need for 'doing' business.  If you are using POP and you want external remote access you can get away with merely ports 443 and 4125 open through your router/firewall.  443 is the port you need for secure web access to the Remote Web Workplace web site; 4125 is the 'control' port.  Remember that port 4125, while needing to be 'poked' through your firewall, is a dynamic port that 'only' opens up after you authenticate on your system.

And I hate to sound like a broken record here, but PASSWORDS.  I cannot stress enough how important passwords are in any firm.  Choose them wisely, and make the Administrator account password a 'passphrase'.

Oh, and one last thing.... that POP connector patch?  It ISN'T on Windows Update because unfortunately SBS is a bit of an oddball.  We're not just the server OS, we're just about the entire product line of Microsoft on one box, and at the present time, patches that don't have to do with the base operating system won't come down on Windows Update. 

Now personally, I don't quite understand why our Sharepoint patches are on Windows Update but our POP patch is not, nor do I understand how our SBS 2003 QFE that enabled the controlling of the firewall is on Windows Update and not our POP patch, but at the present time, that's unfortunately the way the WU.... WU's. 

I cannot stress enough to all those consultants out in SBSland... if all you use to update your system is Windows Update, you still have an unpatched box.  In the near future SBS 2003 will be getting SP1, which will include all these fixes, but in the meantime, click on www.microsoft.com/sbs and then click on downloads.

And Joe?  I hope I see you in the Communities of SBS!  Welcome to SBSland!

Read any good EULAs lately?

About a year ago there was an AICPA Tech Conference session that was titled “Privacy is good business”.

There are times when you look at a firm and scratch your head as to why they are doing business practices the way they are. 

So tonight on the blogosphere I'm seeing a few people post the terms of service of AIM and are a bit concerned about this section in particular:


From AIM Terms of Service

Content You Post

You may only post Content that you created or which the owner of the Content has given you. You may not post or distribute Content that is illegal or that violates these Terms of Service. By posting or submitting Content on any AIM Product, you represent and warrant that (i) you own all the rights to this Content or are authorized to use and distribute this Content on the AIM Product and (ii) this Content does not and will not infringe any copyright or any other third-party right nor violate any applicable law or regulation.

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses.

 
Now granted, I'm having a hard time imagining anyone wanting to write a book using my IM conversations, but to all those corporations out there... can you not freak us out with these privacy notices and EULAs that make us not trust you?
 
Let's check out the EULA inside MSN IM 7.0 beta shall we?
 
While the full privacy statement is here, inside the EULA is this:

MSN IM 7.0

5. PRIVACY.

If you are using MSN-branded software with the Service, please see the MSN Privacy Statement 'http://privacy.msn.com' for notices about how we collect and use your information. If you are using any other software with the Service, please see the .NET Messenger Service Privacy Statement at 'http://www.microsoft.com/windows/messenger/privacypolicy.asp' for notices about how we collect and use your information.

We consider your use of the Service, including the content of your communications, to be private. We do not routinely monitor your communications or disclose information about your communications to anyone. However, we may monitor your communications and disclose information about you, including the content of your communications, if we consider it necessary to: (1) comply with the law or to respond to legal process; (2) ensure your compliance with this contract; or (3) protect the rights, property, or interests of Microsoft, its employees, its customers, or the public.

Always use caution when giving out any personally identifiable information about yourself or your family.

And also this section:

4. WHAT YOU MAY NOT DO WITH THE SERVICE.

The privacy, safety and security of our Service and the users of our Service are very important to us. You may not use the Service in any way that could harm the Service, other Service users, Microsoft or our affiliates. Some examples of harmful activity that we do not permit include:

· Trying to gain access to any account, computers or networks related to the Service without authorization.
· Disrupting accounts, computers or networks related to the Service.
· Obtaining or trying to obtain any data through any means from the Service, except if we intend to provide or make it available to you.
· Using access to the Service to obtain any data to design, develop or update unauthorized software that you use or provide to others to access or use the Service.
· Charging others to use the Service either directly or indirectly.

You may not use the Service in any way that is against the law. You may not use the Service to send or receive messages or materials that are inappropriate or violate the intellectual property rights of Microsoft or others. Some examples of types of material and messages that we do not permit include:

· Using the Service to participate in pyramid schemes or chain letters.
· Using the Service to send, either directly or indirectly, any unsolicited bulk e-mail or communications or unsolicited commercial e-mail or communications.
· Defaming, abusing, harassing, stalking, threatening or otherwise violating the legal rights (such as rights of privacy and publicity) of others.
· Creating a false identity for the purpose of misleading others.
· Sending or otherwise making available, any material protected by intellectual property laws unless you own or control the rights to such material or have received all necessary consents.
· Sending or otherwise making available any material that contains viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files, or any other similar software that may damage the operation of another's computer or property.
· Downloading any material sent by another user of the Service that you know, or reasonably should know, cannot be legally distributed in such manner.
· Using, downloading or otherwise copying, or providing to a third party (whether or not for a fee) any (i) directory of users of the Service, (ii) information about users of the Service; or (iii) Service usage information.
· Falsifying or deleting any author attributions, legal or other proper notices or proprietary designations or labels of the origin of source of software or other material contained in a file that is transferred.
· Violating any code of conduct or other guidelines which may be applicable to the Service.
· Using any portion of the Service to harvest or otherwise collecting information about others, including e-mail addresses.

Now I'm not smart enough to know if both of those EULAs and terms of service are talking about the same thing, ensuring that if you do 'bad things' on their IM services they have the full right to contact the FBI and Secret Service because you are doing bad things, but AOL's “You waive any right to inspect or approve uses of the Content or to be compensated for any such uses.” sure doesn't sound too “good business”-y to me.

 

Bottom line folks... read those EULAs... one firm, PC Pitstop, already proved that we don't read the EULAs.  They offered a financial incentive in theirs and it took someone 4 months to take them up on it.

Want to know more about XP sp2?

Microsoft TechNet Radio:
http://www.microsoft.com/technet/community/tnradio/default.mspx

On Microsoft TechNet Radio is an excellent discussion of the rollout of XP SP2 within Microsoft itself and how Microsoft manages its own deployment of XP SP2.

Remember that in our own SBS 2003 environment we are automagically ready for XP sp2, it's deployed for optimum functionality in our networks.

Take a listen.. very interesting stuff in there!


Steve Riley:  the “perimeter for all practical purposes is gone. Every machine is becoming its own perimeter…. each individual computer must now take more responsibility for its own security”.

Interesting tidbit... XP SP2 machines with the firewall on 'inside' the network are not vulnerable to the recent LAND attack. Also in that radio broadcast: "There is one form of outbound blocking that we do [block] and that's spoofed traffic. The firewall will not allow your computer to generate packets with a destination address of its own IP address, which is a good thing, so that someone can't use you to spoof somebody else. Or, that someone can't spoof somebody else with you"


Just a side note... I can find a dancing pigs web page...but not a dancingpigs.exe program...dang!

Um...so how do I "know" when something is running slower?

HANG LOOSE - THIS PATCH ISN'T INSTALLING AND A FILE INSIDE OF IT APPEARS TO BE A VERSION OLDER THAN WHAT WE ALREADY HAVE ON THE SYSTEM.  I'VE ASKED FOR CLARIFICATION ON THIS PATCH


FIX: Performance is slower on multiple-processor computers in the .NET Framework 1.1 Service Pack 1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;884041

SYMPTOMS

In the Microsoft .NET Framework 1.1 Service Pack 1 (SP1), you may notice slower performance on multiple-processor computers than on single-processor computers.

CAUSE

This problem occurs because .NET Framework 1.1 is linked to the single-threaded C runtime library that does not handle multithreaded access to heaps.

 
Remember... in SBS 2003 we 'have' .NET Framework 1.1, and if you used Windows Update and patched yourself, you would have received this patch.  Therefore if you've WU'd yourself, or auto updated, you would have received .NET Framework 1.1 Service Pack 1.
 
Remember this is a FREE call to Microsoft and will NOT cost anything.

What to do in case of.... and "The effect of the PIX"

So the meandering contents of this blog post all started when Steven Banks asked me what a person should do if their IP address was spoofed.  So I asked my security guru buddies about the various steps one should take if something happened, and one of the comments that “Mr. ISA” Dr. Tom made was that a Cisco PIX has a hypnotic effect on people.  You know... the glazed look in the eye and the chanting.... “Oh, I must be safe, I have a PIX”.

It's true isn't it?  So many times I hear people wanting to take ISA off of our domain controller because 'oh it's not safe', but I'll bet those same folks have local administrator rights and Windows 98 machines in their offices.  You could have a firewall that is built like Fort Knox, and as long as “Joey” can surf out to “Malware-R-Us” and has the rights to download and you don't have software restrictions or other limitations in place, neither that 'ISA on our domain controller' nor a Cisco PIX will help one bit.  For all those folks that want ISA off of our domain controller... go take those workstations in those offices, kill off Windows 98, and move to restricted user on the desktop.  Once you have THAT in place, then we'll talk about taking ISA off of our domain controller.  In fact, in the upcoming book by Dr. Jesper Johansson and Steve Riley, there's a chapter and a section that talks about ISA server and its risk on a domain controller and how it rides low in the TCP/IP stack.  When I read the sentence in the preview of the book I could have hugged them.

Stick a NATting router on the outside for good measure just to thin down the ISA logs on the inbound side, and this [ISA on our DC] is not the security issue that TS in application mode is.  Sorry, but me whacking off the Enhanced IE lockdown and letting stupid users work and surf on my domain controller as if it were a workstation is just a lot more insecure, no matter how much you think that you as a consultant know better and can lock it down.  With the nasty malware on the web today?  Get real folks.

You know what freaks out a lot of SBSers right now?  SMTP auth attack pings on our port 25.  Guess what folks, if we move from RRAS to ISA server to Cisco PIX, you will STILL have those same port pings on port 25.  The port opening is still there no matter what firewall you have.

A hole is still a hole.  And if the firewall you have [whatever brand] has the hole open, you have a risk no matter what the name of the firewall is.

Without further ado..here's what to do if something happens:

  • I have spam and I want it stopped!

Invest in a good antispam filter, but the best protection is to invest in a solution that gives you negligible or non-existent false positives, easy administration, and little to no interaction on the end user side.  [Like Gavin says, the IMF still needs work]

  • I'm getting port scans and I want it stopped!

Port scans will happen. Solutions range from the drastic (impractical) measure of disconnecting your systems from the Internet, through investing in a firewall solution that can detect and drop the probes. If you are a targeted victim, then your option is to trace back to the source(s) and chase them all the way to their upstream provider and get it to stop. Tedious, but there really isn’t much you can do.  Now this is going to start up a conversation from folks in SBSland I'm sure... but unless you want to have someone track down and send an abuse report to each ISP, this is life on the Internet.  Personally I think at some point in time, Exchange will need/will get some sort of proxying something in front of it so that we don't have our port 25's quite so exposed.

  • Help!  I think I'm a mail relayer!

First off know that SBS 2003 is not a mail relayer.  Well... okay in full disclosure... if we haven't patched for the POP mail issue .... we turn ourselves into one pretty efficient mail spammer. I joked one time that the folks that think we can't handle everything on one box should realize just how efficient we are ... 3 boxes sent out 6 million pieces of email... not bad for 3 little SBS boxes... that's definitely doing more with less!  Seriously, I cannot stress enough how important ...and how all of us should just routinely think of second Tuesday as patch day.  We can suffer from NDR attacks so you may want to tarpit your box as well.

  • Help, my email address/IP address is being spoofed!

While you could open up the email and possibly track back the sender, your best solution is, like the above, a good antispam solution.

  • Help, I can tell from the  speed of the attack attempts in my log files that some 'person' not a bot is attacking me!

When a 'bot' hits an open port and you see the effects in your security logs [yes, this is why we have 'em to know what is going on out there], you'll see it 'bang on the port' in a very rapid succession.  If it's a very slow methodical attack... then it's probably 'not' a bot.  That's when in SBSland you should gather up all the log files, IIS, ISA, security events and start tracking back to see who is hitting you.  Look up the attacker in the Whois database and contact the ISP's abuse department [normally in the IP record]

  • Help, I think I'm really screwed: I opened up anonymous FTP and now can't delete files... or... someone downloaded Kazaa and now my Internet connection is still blinking... or... I've got a really sinking feeling something is wrong with my server and I've been hacked!

First... don't panic.  I've seen people on security listservs think they've got backdoors and rootkits because their Word documents are entering words by themselves, and it turns out the voice recognition part of Word was turned on.  Most of the time in SBSland we're 'roadkill' out here.  We get nailed because of our stupidity of not setting something up right... which is WHY I love the wizards... especially in ISA server.  Unlike the Cisco PIX, SBS helps you set up the firewall correctly.  Most issues with the firewall are from misconfigurations.  Next, if you truly have done something stupid and you want it investigated, call PSS and ask for their security investigations.  Robert Hensing talked about it on his blog.  Again, one of the VERY important parts of the investigation is log files.  So again... those PIX fans out there... looked at your log files lately? 


Just remember....have a plan and DON'T panic!
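Sorting the rapid-fire bot from the slow, methodical attacker by the timing in your logs, as an added example that is not from the original post: the log lines are constructed, and the simple "date time source event" line shape and the gap thresholds are assumptions; real IIS, ISA or Security event logs need their own parser in place of parse_log().

```python
"""Tell a bot hammering a port apart from a slow, methodical attempt by
looking at the timing of the attempts from each source address.  The log
lines below are constructed for this example (not real traffic)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a simple "date time source-ip event" shape.
# 203.0.113.7 bangs on the port several times a second (bot-like);
# 198.51.100.23 tries roughly every 45 minutes (slow and methodical);
# 192.0.2.50 shows up once, which is too little to say anything.
SAMPLE_LOG = """\
2005-03-14 02:11:03 203.0.113.7 smtp-auth-failure
2005-03-14 02:11:03 203.0.113.7 smtp-auth-failure
2005-03-14 02:11:04 203.0.113.7 smtp-auth-failure
2005-03-14 02:11:04 203.0.113.7 smtp-auth-failure
2005-03-14 02:11:05 203.0.113.7 smtp-auth-failure
2005-03-14 02:11:05 203.0.113.7 smtp-auth-failure
2005-03-14 01:40:12 198.51.100.23 smtp-auth-failure
2005-03-14 02:25:47 198.51.100.23 smtp-auth-failure
2005-03-14 03:09:31 198.51.100.23 smtp-auth-failure
2005-03-14 03:58:02 198.51.100.23 smtp-auth-failure
2005-03-14 04:44:19 198.51.100.23 smtp-auth-failure
2005-03-14 02:12:00 192.0.2.50 smtp-auth-failure
this line is garbage and must be skipped
"""


def parse_log(text):
    """Return {source_ip: [timestamps]} for every well-formed line.
    Lines that do not fit the expected shape are skipped rather than
    aborting the report, since real logs are full of partial lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            stamp = datetime.strptime(parts[0] + " " + parts[1],
                                      "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events[parts[2]].append(stamp)
    return events


def classify_sources(events, min_events=3,
                     rapid_gap_seconds=5.0, slow_gap_seconds=600.0):
    """Label each source by the median gap between its attempts.

    rapid        - median gap of a few seconds or less: a bot on the port
    slow         - median gap of minutes or more: pull the full IIS/ISA/
                   security logs and look the address up in whois
    mixed        - in between; keep watching
    insufficient - fewer than min_events attempts seen
    The thresholds are assumed defaults, tune them to your own logs."""
    report = {}
    for source, stamps in events.items():
        stamps = sorted(stamps)          # logs are not always in order
        entry = {"events": len(stamps), "median_gap_seconds": None}
        if len(stamps) < min_events:
            entry["label"] = "insufficient"
        else:
            gaps = [(b - a).total_seconds()
                    for a, b in zip(stamps, stamps[1:])]
            gap = median(gaps)
            entry["median_gap_seconds"] = gap
            if gap <= rapid_gap_seconds:
                entry["label"] = "rapid"
            elif gap >= slow_gap_seconds:
                entry["label"] = "slow"
            else:
                entry["label"] = "mixed"
        report[source] = entry
    return report


def sources_to_investigate(report):
    """Addresses whose pattern looks like a person rather than a bot:
    the ones to gather the log files for and report to the abuse
    contact found in the whois record."""
    return sorted(src for src, entry in report.items()
                  if entry["label"] == "slow")


if __name__ == "__main__":
    rep = classify_sources(parse_log(SAMPLE_LOG))
    for src, entry in sorted(rep.items()):
        print(f"{src:15} {entry['label']:13} events={entry['events']} "
              f"median_gap={entry['median_gap_seconds']}")
    print("investigate:", sources_to_investigate(rep))
```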

 

Troubleshooting an issue

There it goes again.

Rats, it's affecting the server again.

And it's happening on a regular basis.

“It” can be anything from hardware to software issues on your server, and many times 'it' is caused by the interaction of all that hardware and software with the Small Business platform.  A post in the newsgroup reminds me of something that a fellow MVP went through to track down an issue.  His server would get sluggish after 7 days and needed a reboot like clockwork.  He happened to be around the server right before it 'froze up' and discovered that it was due to CA eTrust antivirus.  One updated eTrust driver later and all was back to normal.

So how do you troubleshoot stuff like this? 

You rule out things it isn't... check RAM and make sure it's not a bad stick, check the hard drive [see if your system has 'health utilities'] and what not, but sometimes, just come out to the newsgroups and ask... explain your situation, what your symptoms are, and just ask.

We just might know what it is.

 

How do you sell to a small business customer?

Dave and I are lucky.  We work in offices where technology is not a line item on the budget that we nickel and dime to death, but rather one that is seen as helping our firms grow to where we are now.

A conversation started on the Microsoft Small Business community about the differences in selling technology in a break/fix setting, or technology in a 'this is a part of our firm' way. 

There's firms like mine and Dave's that 'get' technology and 'get' security and realize how it adds to the bottom line.  These are your A+ type customers.  The ones that aren't the break/fix type, the ones that want you maintaining and watching that box. 

It's funny but I've found too that there is the typical SBS consultant out there that knows he or she can handle just 'so' many SBS boxes and then they don't install anymore because they stay loyal to the customers they are supporting. 

There's a difference, a longer sales cycle and a different revenue stream, from the “Oh we just want a server” to the “we need a business solution and need you to be here for us over the long haul”.  Accounting, retail sales and CRM package installations take much longer to 'sell'.  Partly from a technical setup standpoint, but also because while installing/migrating/ripping out hardware and networks is bad enough, messin' with how a person has been keeping track of the accounting of widgets for 20 years had better not break anything when that new-fangled gadget gets installed.  

There's an article on the new Small Business web site that I found via the RSS feeds and while it has some valid points, the author has two things in there that have me scratching my head [and yes, I already pinged Eric Ligman on it saying that I wasn't too pleased with the content of the article].

Scratching my head number one: the author says that the tech firm 'upgraded the computers from Windows 98 to Windows NT'.  Uh... note to tech firm... NT had an 'end of life' last June and the server platform just ended in December, so I sure hope that they didn't 'upgrade to NT'.

The next scratching my head, is the phrase “trunk slammers”.  There's a lot of SBS consultants that could possibly be lumped into that 'trunk slamming' category.  But honestly, they are some of the best SBSers around. 

I personally think this is an old article that may have been re-used.  SBSers may work out of small shops, out of their homes and what not, but these days, working out of your home is actually part of big business too.  Heck the whole remote web workplace idea is that you don't 'have' to be in an office to get your job done.

But this does bring up the argument of exactly how DO you get a client to move from 'break/fix' to 'maintenance plans'.  Sometimes it's an event... loss of data, a disaster that makes the client see why they need prevention and not a fix.  Sometimes it's regulation.  Sometimes it's multiple shops and multiple locations that make the owner need something more than the part-time computer guru or neighborhood kid.

Similarly in the software assurance argument, my profession [accounting] and Dave's [legal] are used to a subscription model for software.  Thus for our professions, moving to a SA purchase plan is a no brainer.

When do you tell your client “I'm sorry, you won't buy yourself the tools you need to be a viable business, I cannot support you any longer”?  Sometimes you will spend more time monkeying around with an old piece of equipment to make a computing experience 'just like' what they had before. 

So... now it's your turn... how do you get your 'break/fix' clients to move up to A+ clients?  The ones that trust your decisions, the ones that see technology as a part of their firm's growth and thus a needed element?

I found one...they DO exist

You know how I always tell my story about how a Microsoft Gold Certified Partner tried to talk me out of SBS and so it was better to go with a “Registered” Microsoft Partner because they were SBSized?

I found one tonight.

They DO exist.

A Gold Certified Partner that IS a SBSer 

You know the other day in the newsgroup a DIYer came in and complained that SBS couldn't be built for small businesses because even with the wizards it was over his head.  And then he went on to say that he just didn't have the budget to get someone to install the server.  You know, that sounds like the same argument we get with “Linux is free”.

You do have a budget for installation, you just don't realize it.  It's your time and energy that is spent by installing the system.  And if you are like most DIYers you'll never use that information you are gaining again.  Don't get me wrong, I do think it's do-able.  Heck, I'm here today because I decided I could do it myself.  But I'm in a firm and a profession that uses this knowledge and expertise all the time and in other ways.  If you make your money building widgets, and you would spend your spare time and energy reading books, newsgroup postings and step-by-step how-tos rather than spending time with your family, or better yet, building more widgets... maybe you need to remember that YOUR time is valuable.  I'm not saying it's impossible, but just like that “free” operating system of Linux... knowledge and expertise have a cost... YOUR time and energy in obtaining them... and once you do... can you use it again, is it of value to the firm?  Maybe it would be better if you could find an SBS partner that would let you help out with perhaps some of the mundane stuff [attaching desktops and what not] and you could watch them setting it up so that you'd feel more comfortable doing daily tasks, even such tasks as getting quarantined email and what not.  I was the annoying customer who sat behind the shoulder of the installer the ENTIRE time during our SBS 4.0 installation.  You learn a lot in that 'back seat driver' position. 

Not to mention, these days... I would argue that you would want someone who you knew truly understood SBS, followed the wizards and set it up right and could confirm that only those ports they wanted open were open.

So thank you John for being a SBSer AND being a Gold Certified Partner to boot!  It's very nice to meet you and you give me hope that there are and will be more Gold Partners that “get” SBS. 

SMB signing... in or out?

Last month's security bulletin 05-011, Windows SMB client transaction response handling vulnerability holds a special place in my heart...why you say?  Because I personally probably drove SBS Release Manager Charlie Anthe crazy over a several month period tracking two files:

  • Mrxsmb.sys
  • Rdbss.sys  

Back on the SBS 2000 platform, back when Windows XP SP1 first came out and then shortly thereafter Windows 2000 SP3, I first met up with those two files.  Due to issues we had with Word and Excel files locking up, I had to turn off [I call it whacking off] SMB signing on my SBS 2000.  Now on the SBS 2003 platform with XP SP2 I have not needed to do this.

So why is this blast from the past bubbling up again?  eEye's 'workaround' for Windows NT machines, which do not have a patch for MS05-011, is to enable and require SMB signing.  Now in SBSland if you are still running SBS 4.5 [meaning Windows NT] I'm going to be mean to you and say that while I can understand that budget can be tight, please, push the pencil lead and get off that platform.  If you are a not for profit, check out the NFP pricing at Techsoup and Softwareone.

What we are finding is that more often than not these days, slow 'fill in the blank' is due to a couple of things:

  • Incorrectly set up DNS, so that the XP machines are not pointing to the internal IP address of the server [use DHCP]
  • Drivers and NIC settings, as explained by Chad
  • An outdated BIOS on those computers [Jim Behning had this yesterday: he updated the BIOS and the speed connecting to a web enabled SQL database increased...go figure]

So I would say in SBSland these days... don't knee-jerk disable SMB signing anymore...check around for other reasons first.
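Before anyone whacks signing, here is a read-only PowerShell check, added as an example and not code from the original post, that reports the things the list above says to look at first: where each network adapter on the box sends its DNS queries, and the SMB signing state on both the client and the server half of the conversation. The server's internal address is a placeholder you have to fill in; the registry value names are the real ones used on Windows 2000/XP/2003 and current Windows.

```powershell
# Added example, not code from the original post: a read-only audit of the
# "check first" items above (DNS pointing at the SBS box, SMB signing state).
# Run it on a workstation or on the server itself; it changes nothing.
param(
    [string]$ServerInternalIp = '192.168.16.2'   # assumption: your SBS LAN address
)

# --- 1. Where does this box send its DNS queries? --------------------------
# Clients on an SBS network must resolve through the server (which forwards to
# the ISP), not through the ISP directly; a client pointed at the ISP is the
# classic cause of "slow everything" on the LAN.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $dns   = @($_.DNSServerSearchOrder)
        $state = if ($dns.Count -gt 0 -and $dns[0] -eq $ServerInternalIp) { 'ok   ' } else { 'CHECK' }
        '{0} DNS={1,-32} DHCP={2,-5} {3}' -f $state, ($dns -join ','), $_.DHCPEnabled, $_.Description
    }

# --- 2. SMB signing on both halves of the conversation ---------------------
#   EnableSecuritySignature  = 1  signing is offered / negotiated
#   RequireSecuritySignature = 1  signing is mandatory (the eEye workaround)
# Group Policy writes these same values, so reading them shows the effective state.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { 'not set (default)' }
}

$roles = @{
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
foreach ($role in $roles.Keys) {
    $vals = @($role,
              (Get-RegValue $roles[$role] 'EnableSecuritySignature'),
              (Get-RegValue $roles[$role] 'RequireSecuritySignature'))
    '{0,-28} Enable={1}  Require={2}' -f $vals
}
```

One caveat worth knowing before you touch the server side: an SBS 2003 box is a domain controller, and the Default Domain Controllers Policy on Windows Server 2003 turns on "Microsoft network server: Digitally sign communications (always)". Editing the LanmanServer registry value by hand therefore gets put back at the next policy refresh; a real change has to be made in that Group Policy object, which is one more reason it should be a deliberate decision rather than a knee-jerk one.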

And if you are on SBS 4.5...still?  Push that pencil lead and find the budget.  Upgrade, migrate, get off that platform.  It's served its purpose and done its duty.

[please note not all worldwide locations receive NFP pricing.... call your local Microsoft office and ask [..uhhh ...or complain as the case may be]  Beancounters and Attorneys definitely put a damper on things being universal in SBSland, that's for sure]


P.S.  Hey Charlie!  Those two files changed again! [just had to drive him crazy one more time...this time via a blog rather than via email  ;-)  ]

A Haircut, a manicure and a computer

Tonight was the night for my own 'patch maintenance', haircut and nails.  You know us high maintenance gals.  But tonight I also picked up a bit of maintenance of another sort.  My manicurist brought in her computer for me to take with me and fix.  In chatting with her, she has a family member who uses BearShare and Kazaa to download music on the family computer.  Given that news reports have said that these peer to peer file sharing/music sharing programs are notorious for spyware and malware, it's no wonder her machine is near impossible [if not impossible] to use. 

So it's here at home where I already plan to probably replace the harddrive [so we can retain some photos and what not on the drive], and format and start over if need be. 

I'll first isolate it from my network, and then I'll give it a quick try to clean it, but honestly, I'm totally ready to put in a new harddrive [so I can hang on to the data from the old one], flatten and start over.  I recommended that she use the Microsoft anti spyware beta, which worked for a bit, but it soon lost the war.

As I was chatting with my hairdresser and my manicurist, they both talked about the same thing...what I take for granted and understand... is confusing to them.  Something pops up in the right hand corner saying to scan something, and they really don't know if that 'thing' that is prompting them to download this, update that, scan whatever is a good thing or a bad thing.  They don't care about patch Tuesday...they just want it handled.  They don't want spam, nor popups, nor malware.  They don't want confusing interfaces, just things 'handled'.

It's hard to say where the blame best lies.... the spammers and phishers and spyware folks that entice us, or Microsoft's operating system for being too open and willing to download software, because even Windows XP acts like Windows 98.  It amazes me that in the year 2005 we're still all paying the price for having our desktops run like Windows 98.  Yeah, let's lay blame on Microsoft for painting us into this corner...but let's also blame ourselves for not holding the vendors who provide us with software to the fire as well. 

Chicken and the Egg, which came first? 

Restricted user and vendors that won't support it?

How about we ask all computer vendors [and not just Microsoft] to step up to the plate and help fight this mess we're all in?

Tomorrow night is THE kick off to the SBS 2003 Partner Group Tour!

Near Seattle or Redmond?  Tomorrow night is THE kick off event for the SBS 2003 Partner Group Tour.

Windows Small Business Server 2003 (SBS 2003) Partner Group Tour – Microsoft takes to the road. 

Taking the Partners and Microsoft Team Members to the next level of partnership and creating even greater success with SBS 2003 going forward

The Microsoft SBS Product and Development teams have announced plans to visit 14 U.S. cities this March as part of the first U.S. SBS Partner Group Tour. The goal of this tour is to take the Small Business Partners and Microsoft Team Members to the next level of partnership and create even greater success with SBS going forward. In an effort to better connect with the SBS Partners, Microsoft team members will be guests at each of 14 Partner group meetings. As an attendee at this two-hour free event, you will learn first-hand the benefits of moving your customers to SBS 2003 and the opportunities that await you. Microsoft will also be soliciting your feedback on your future needs. Make a connection with the Microsoft team, see the potential of SBS, and make your voice heard! 

SIGN UP NOW

Cities on the tour are:

  • Cincinnati, OH 3/22/2005
  • Denver, CO 3/31/2005
  • Independence, OH 3/24/2005
  • Irving, TX 3/29/2005
  • Louisville, KY 3/21/2005
  • Omaha, NE 3/28/2005
  • Pasadena, CA 3/18/2005
  • Phoenix, AZ 3/16/2005
  • Portland, OR 3/14/2005
  • Redmond, WA 3/10/2005
  • Sacramento, CA 3/15/2005
  • San Antonio, TX 3/30/2005
  • San Diego, CA 3/17/2005
  • Southfield, MI 3/23/2005

Normal.dot Have you customized yours today?

One of the best, most efficient things we have done in our office was done by an Office power user several years ago.  One day I was walking by Tina's desk and saw her use some customized menus in Word. “What's that?” I asked, as she was able to quickly and easily open up those documents that she used on a regular basis. 

What she had done was to customize the normal.dot in Word to have a customized pull down menu.  She then built macros to open up the files in her local “My Documents”.  Well, obviously copying her “My Documents” to each workstation wasn't scalable, so she re-wrote the macros and menu system to look at a mapped drive on the server.  I then took this normal.dot template and copied it to each workstation in the office.  She also built documents that have an upper 'form' section that copies what you enter to the bottom section.  We use these as reminder sheets for certain documents, and the ability to enter the information once and have it copied to the bottom section means we're more efficient.

The result?  Each workstation can quickly and easily get to standardized Word documents that we use on a daily basis.  These standard tool bars make it much easier for all.  Check it out!  Customize your own normal.dot!

Here's to a SBSer getting a bit of html to call SBSized

I don't mean to be this way.  But I am.  I don't know why.  Haven't really stopped to analyze it.

Show me a fellow SBSer who truly 'gets' SBS and chances are, they will be the same way.  There's a fierce pride in being an SBSer.

Don't call me a person who knows Windows Server.  Or Exchange.  Or ISA Server.  Or SQL.  Or Office.  Or Outlook.  Or Windows XP.  But here's the crazy thing, I can answer questions in a lot of those categories.  But that's not what I am.  I'm an SBSer.

Call SBS 2003 a 'limited version of Windows 2003 because it doesn't have Terminal server in application mode' and I'll tell you we're the smarter more secure version of Windows 2003.  But lump SBS 2003 in with Windows 2003 in a tech forum and I'll call you crazy.

To all of you out there who hang out in forums that are traditionally not SBSized where I hang out... I have to truly give you credit for putting yourselves on the line.  One such person is fellow SBS MVP Nick Whittome, who day in and day out in the Mark Minasi forums puts up with a bit of ribbing about SBS and for a long time had to constantly defend the product.

Another is a fellow California resident like me, Jeff Kane, who is over in Experts Exchange trying to get them to open up an SBSized forum.  Looks like right now they have no SBS forum, so the questions are posted all over the place rather than in a separate forum.  I don't mean to be mean, but if you guys over there are truly supposed to be a forum where “experts” exchange information, I must say that when I've googled SBS solutions and hit the answers in that forum, I've cringed at times.  It just drives me totally insane when folks coming from the Enterprise space down to SBS do not follow the wizards, do not take the time to read the documentation, think they know what the heck they are doing and end up screwing up an SBS install.  I'm not saying that all the posts are like that, but truly, I hope that the folks at Experts-Exchange do listen to Jeff.  We're getting to be a big enough marketplace that they need to have a forum for SBS.  While we “ARE” the same, we “ARE” different, and there are times that folks too used to the manual way may not set it up the SBS way.

The post that Jeff points to in fact... where someone without a SBS box is giving advice on setting up Outlook over http when the step by step information is inside the SBS box and further expanded on by M&M on the Smallbizserver.net website, is an example where people who don't understand the product are making it harder than it should be. 

I'm not saying that we SBSers always get it right in telling our fellow SBSers how to do things; in fact I was telling someone tonight that I'd rather have someone nicely whack me upside the head when I screw up and get something wrong, and I certainly couldn't answer questions on server clustering or front end/back end Exchange and what not.  So having your own 'place', your own space where you know that you'll get the appropriate answer from folks who understand where you are coming from, goes a long way to end some of the frustrations out there, both from the consultant and the customer. 

To Nick who single handedly does the SBSized forum in Minasi's web site ...attaboy.

To Jeff... I wish you luck my friend in getting your own space for SBS.  If you get it... let me know... I just might visit there.  Until then, I'll stay in my communities where we're a lot more SBSized.

A smidge of technology... a ton of efficiency

Today I got an email.  No biggie right?  But it was an email from an Attorney firm that had the attachment that was a transcript of a deposition in a case that my firm is working on.  Still no biggie right?  But the deposition was just a few days ago.

Today the data transcriber typically transcribes in near real time.  Most of the time when you see a transcriber, she or he has a screen on which you can actually watch them transcribe as the case is unfolding in front of you.  With technology, no longer do we have to wait for the data transcriber to convert the work; it is instantly converted to a text document.  They can then decide to go back and adjust [to get a more polished transcript], which they then send off to us, where we save it on our harddrives in the proper place. 

Typically with this transcript we'll get a word index that the program automatically includes in the transcript.  Summation is one such company that supports realtime transcribing.

I still remember when I was a teenager and we traveled to Washington DC and toured the Capitol.  All Congressional actions are recorded manually and transcribed.  You know the court reporter who sits quietly at the table below the Judge that you've seen on TV?  There was one Congressional transcriber who actually stood and walked around the House chambers with the transcribing box on a platform with a strap around his neck.  As a House member spoke, he would walk over closer and take down what the member was saying.

Funny how things like that stick in ones mind.

So on another note, a geek buddy of mine, Ted Humphreville, on another listserve was reading a book on Mindmapping by Tony Buzan, and Michale Kridel [another geek buddy] brought up a piece of software that I've never heard of before: MindManager.  He says it's like Visio for the right brain hemisphere, and they use it in litigation to visually map case fact patterns.

 

Allocated Memory Alert - part deux

You remember my allocated memory alert problem?  My SBS Monitoring would start growing after I rebooted for monthly patches and would just keep notching up until I would get umpteen annoying alerts in the system telling me that something was wrong.  Mine was easily solved by 'throttling' the amount of memory that my system would take for the MSDE instance of SBSMonitoring. 

There are those out in SBSland who are instead seeing that Sharepoint is the one doing this 'RAM memory' suck.  Now first I will state that I am personally NOT seeing this, but if you are a heavy SQL user, you may or may not.  SQL, like Exchange, is designed to give and take the memory that it needs.  However, if SQL starts 'sucking' so much that the alerts start freaking you out...here's what I would do if it's Sharepoint that is causing the RAM to 'tick up'.  [Again remember, for SBSMonitoring I have NO ISSUE in just saying follow the blog post from before: take a look at the 'RAM' values in your daily performance alerts, and SBS monitoring is probably going to be in the 125-150 range [your actual RAM value may differ].]  For those where it's Sharepoint, I want you to get a better 'feel' for your system, as there isn't a real good 'one size fits all' answer and you need to 'build a baseline'.

As always, you are wandering into the area that I would STRONGLY advise customers to call Microsoft PSS, and partners to use the Partner support resources.

  • Step one - confirm the culprit - like in the prior blog post, the best thing to do is to establish that it is truly Sharepoint doing the 'sucking' of the RAM.  If it is, reboot the server and record the amount of RAM Sharepoint is using 'after' the reboot.
  • Step two - build a baseline value - watch the Sharepoint instance for a few days; how long before it starts 'ticking up'?  You can get a 'feel' for where that 'throttle' value should be by watching it for a few days.
  • Step three - do you have enough RAM in the machine?  For SBS 2000 I had 2 gig, for 2003 I have 4 gig.  Most are comfortable at about a 2 gig level on SBS 2003 [I tend to overbuy].
  • Step four - is your page file large enough?  If you had the RAM in place at the time of building the machine, your paging file is about 1.5 times your physical RAM.  If you add RAM later, you'll need to adjust this manually.
  • Step five - ask yourself, are your applications truly slowed down by this?  Do you see a true performance impact?
  • Step six - is it just that you have a lot of things going on in your box?  Les has a box that throws off these allocated memory alerts, but he's got like three virtual machines running under it; look at the services running on that server and none of them look bad at all.  What you are truly looking for is one of the services not 'settling down', as I would call it.  Again, if it's just SBSmonitoring, I'd adjust that with no hesitation.  For anything else, I'd monitor and call.

You should be aware that Mariette on the Smallbizserver.net site [which yes, is a real live production SBS 2003 under the hood handling that traffic] did 'throttle' the SQL/Sharepoint instance to 250 megs of RAM, which she says appears to be enough, BUT [and here's the caveat] she's smart enough to know what she is doing and used Performance monitoring tools to make sure she set it right.
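To put the six steps and Mariette's throttle into something you can actually run, here is an added PowerShell example; it is not code from the original post or from Smallbizserver.net. Part (a) samples how much memory each MSDE/SQL instance on the box is holding, one row per instance, so you can log it for a few days after the monthly reboot and see which one never 'settles down'. Part (b) is the throttle itself, done the way SQL 2000/MSDE wants it: sp_configure through osql. The instance names SHAREPOINT and SBSMONITORING, the log path, osql.exe being on the PATH, and the 250 MB figure from the discussion are all assumptions you should check against your own box.

```powershell
# Added example, not code from the original post.
# (a) Get-SqlInstanceMemory / Write-SqlMemorySample: one CSV row per sqlservr.exe,
#     so the SharePoint and SBSMonitoring instances are logged separately.
# (b) Set-SqlMaxServerMemory: the throttle, via osql and sp_configure.
# Assumptions: instance names, log path, osql.exe on the PATH and the 250 MB
# figure are placeholders; run (b) only once the baseline says what the number is.

# --- (a) baseline sampler ---------------------------------------------------
# Every SQL 2000/MSDE instance is its own sqlservr.exe started with -s<NAME>,
# so the command line is how we tell the instances apart.
function Get-SqlInstanceMemory {
    Get-WmiObject Win32_Process -Filter "Name = 'sqlservr.exe'" | ForEach-Object {
        $instance = 'MSSQLSERVER'                          # default instance has no -s
        if ($_.CommandLine -match '-s\s*([^\s"]+)') { $instance = $Matches[1] }
        New-Object PSObject -Property @{
            Timestamp    = (Get-Date).ToString('s')
            Instance     = $instance
            ProcessId    = $_.ProcessId
            WorkingSetMB = [math]::Round($_.WorkingSetSize   / 1MB, 1)
            PrivateMB    = [math]::Round($_.PrivatePageCount / 1MB, 1)
        }
    }
}

# Append one line per instance; schedule this script every 15 minutes and the
# PrivateMB trend per instance after the monthly reboot is your baseline.
function Write-SqlMemorySample([string]$Csv = 'C:\SBSBaseline\sqlmem.csv') {
    if (-not (Test-Path $Csv)) {
        New-Item -ItemType Directory -Path (Split-Path $Csv) -Force | Out-Null
        Add-Content -Path $Csv -Value 'Timestamp,Instance,ProcessId,WorkingSetMB,PrivateMB'
    }
    Get-SqlInstanceMemory | ForEach-Object {
        Add-Content -Path $Csv -Value ('{0},{1},{2},{3},{4}' -f $_.Timestamp, $_.Instance, $_.ProcessId, $_.WorkingSetMB, $_.PrivateMB)
    }
}

# --- (b) the throttle -------------------------------------------------------
function Set-SqlMaxServerMemory([string]$Instance, [int]$MaxMB) {
    # 'max server memory' is an advanced option on SQL 2000/MSDE, so it has to be
    # exposed first. RECONFIGURE applies it without restarting the instance, and
    # the last line echoes the configured/running values back so you can confirm.
    $tsql = @"
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'max server memory (MB)', $MaxMB
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'max server memory (MB)'
"@
    $script = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $script -Value $tsql
    # -E: Windows authentication (local Administrators are sysadmin on MSDE by default)
    & osql.exe -E -S ".\$Instance" -i $script
    Remove-Item $script
}

Write-SqlMemorySample
# Only after the baseline, e.g. Mariette's value from the discussion above:
# Set-SqlMaxServerMemory -Instance SHAREPOINT -MaxMB 250
```

The reason for logging PrivateMB rather than just eyeballing Task Manager is step six: a box with several busy services will show a high total, but the baseline is per instance, and the one that keeps climbing between reboots is the one worth throttling. Setting the cap too low simply makes SQL page its buffer cache to disk, which is the performance hit step five asks about, so the number has to come from the log, not from a guess.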

Bottom line if you aren't comfortable with SQL [as I would not be at this stage, whereas Mariette is very capable], I would call PSS or Microsoft partner support if Sharepoint is the service that is making your memory alerts go too high and start to annoy.... and I mean REALLY annoy.... really and truly annoy..... Annoyingly annoy....

Kinda reminds me of the annoying Perf errors we used to get in SBS 2000...ah what memories...

AHHH OOOOHH GAAAHHHH - Chad Gross, SBS MVP presents a Sharepoint Live Meeting

Event Name: 

Wednesdays on the Web with TS2: Conversation with a Partner
Event Date: 
3/16/2005
Event Time: 
2:00 PM [Pacific time]
Duration: 
60 minutes
Description: 

Join us as we talk with Chad Gross, SBS-MVP about using Windows Sharepoint Services as a business application development platform to increase customer efficiency and satisfaction while providing additional revenue for partners

Register HERE 

[and yes it will be recorded for viewing later]

So what's an 'up to date' server anyway?

So what makes up an up to date SBS 2003 server 'at this time' [pre Windows 2003 sp1, anyway]?

The process is

  • Visit Windows update and get all the patches from there
  • Visit www.microsoft.com/sbs click on downloads and install the patches from there

When you do that you will end up with a box that is

  • Windows 2003 RTM 
  • Exchange 2003 sp1
  • Sharepoint 2003 sp1
  • ISA Server 2000
  • SQL Server 2000 sp3

I do notice a couple of problems on the download page

  1. ISA server 2000 sp2 is not listed for premium customers to install.
  2. Sharepoint sp1 is listed there even though it comes down via Windows update anyway

After our SBS 2003 sp1 we'll get Windows 2003 sp1 and ISA 2004 sp1.

Can we clear up a few misconceptions over Service packs on SBS?

Over on CRN is an article on SBS sp1 that just doesn't ''quite" get it right and I'd like to specifically comment on a couple of items listed:

  • One new feature in SBS SP1 will help partners with the client issue: The client setup feature in SBS SP1 will support Windows XP SP2, Microsoft said.

I'm not quite following what this sentence is referring to.  You can set up XP SP2 machines now with no sweat: you just add your connectcomputer web site to the Trusted sites zone and all works wonderfully, if that's what this sentence is all about.

  • Microsoft, Redmond, Wash., said partners should use the enhanced Configuration Wizard in SBS 2003 SP1, and not attempt to use the Security Configuration Wizard in Windows Server 2003 SP1. Doing so would remove some of the "glue" that integrates the server components in SBS 2003, causing server crashes and other headaches, Microsoft said.

...huh?  ....um... as far as I know we don't 'have' an 'enhanced configuration wizard in SBS 2003 sp1' as opposed to the normal Windows 2003 sp1 'security configuration wizard'.  Mind you, I purposely installed Windows 2003 sp1 and ran the SCW [you know, the one we really shouldn't run on our box] with the defaults on the server that I'm now typing this blog from, and as you can see... my server isn't crashing.  It didn't DO anything worth running the wizard for... it shut off the IPsec service, which now causes an alert email to be sent to me daily, and it truly didn't harden anything, but it certainly isn't causing server crashes.  Honestly, SBS 2003 is about as well tweaked as it can be for running what it does.  It's my understanding that the icon for the SCW just won't be on the desktop, and the readme file ... you know, the thing we never read... will say we're pretty tweaked, hardened and secured already [well, if we kill off the Windows 98s we would be anyway] and we don't need to run the SCW. 

  • Most partners are aware of the "do not install" rule for Windows Server 2003 SP1 on SBS, said Jason Harrison, president of Harrison Technology Consulting, Nashville, N.C. Harrison explained that individual Service Packs available for Exchange, SQL and ISA may not work well with SBS management tools.

Huh?  On my PRODUCTION [yes, that's Production with a P] real live server at the office I've installed Exchange 2003 sp1, ISA 2000 sp2, Sharepoint SP1 and, obviously during the install of SQL, SP3.  Now because 'this' install is a bundle with ISA 2004 and what not, that's why they are recommending that we wait for 'OUR' SBS 2003 sp1, but as I stated, I installed Windows 2003 sp1 RC on this testing machine at home.  My management tools are just fine. 

We are normal parts.  Let me repeat that.... SBS 2003 is made up of normal parts of Windows, Exchange, SQL, ISA, Sharepoint, etc. and normally you can install any Service pack for a 'part' to us.  Do not get the idea that individual service packs are not supported on a SBS box.  In fact if you merely Windows update, you get Sharepoint SP1.  In fact last month's patches included a patch that you HAD to be on Sharepoint SP1 before it installed. 

For this time only, because of the bundle with ISA 2004 for premium and because it ships so close to the 'normal' Windows 2003 sp1, we're saying 'wait for 'our' Service pack'.  However, do not think that you cannot install the normal service packs of the 'parts' of SBS ON SBS.

The best thing to harden a SBS network is to upgrade every last one of your Windows 98 machines to Windows XP sp2.  I know that my life is truly easier being all borg.  I only have to worry about patching Windows xp sp2 and Office 2003 at my office and thus my 'radar' for watching for potential issues is very focused.  I can understand folks that use LOB apps that can't run on the new stuff, but for other folks... honestly, you'll make your out of pocket costs back in the lack of rebooting of that Win98 platform and gain of productivity.

Bottom line folks, and you are talkin' to a veteran of testing patches on SBS boxes and patchin' SBS boxes and ensuring that they are kept in working condition and kept well patched, there isn't a service pack for a 'part' of SBS that I haven't installed on my office network.  I've never waited for a 'specific' SBS service pack.  I'm only doing it this time for the Windows service pack part because 'ours' will come out in close alignment with the Windows 2003 sp1, and we're specifically getting ISA 2004 [for premium customers] with 'our' SBS 2003 sp1.

So I get this email the other day

So it all started when in the mail the other day I get a letter and card from Microsoft saying “RE:  Your Open Value License Agreements”.  Hmmm... that's interesting...this is the first I've gotten that.  And it tells me to check out http://businessconnection.microsoft.com/US454 for info on benefits, deployment resources, software release calendar, etc.  Then a couple of days ago I get an email from Tom Saccomando with Softwareone.com and he sends along a confirmation of my SA benefits...the ones that I HAVEN'T yet taken advantage of.  So I hop onto my Microsoft Volume licensing page, where all my codes and what not are located, and sure 'nuff I now have some Concierge benefits and elearning coming my way, ones that I had missed getting activated.

I must say that now that I let Softwareone handle the issues, I'm not as confused about licensing. Don't get me wrong I still think sometimes because Microsoft tries to be flexible for the big guys, it ends up being confusing for us little guys. 

The problem is down here we are 'as the joke goes', an inch wide and a mile deep, and thus cannot be the experts in EVERYTHING.  Sometimes using external resources is really the true way to better understand rather than taking your valuable time and energy.  

Before I forget it, a HUGE thanks to Eric Ligman who first turned me on to the Softwareone.com folks. 


Hey!  I'll mark this post as another in the “Vendors who get SBS” series, because Softwareone.com truly does.    

So what's the security of Remote Web Workplace?

A poster in the newsgroup asked about the comparison of the security of Remote Web Workplace with and without ISA [Standard versus Premium].  But you see, both of them have the HOLE open.  So from a standpoint of looking at it from a 'which one has a safer hole open', the answer is neither.

P A S S W O R D S

That right now is probably the biggest weakness in Remote Web Workplace, in my opinion.

Both rely on users AND administrators picking GOOD passwords. 

And furthermore, don't think 'passwords' think passphrases.  Are those passwords using blanks, funky characters and what not?  Remember our lessons from Dr. Jesper Johansson, here and soon to be here.  


1.  Remember that port 4125 ONLY opens up on the SBS 2003 standard and premium versions AFTER the person authenticates on the system.  Thus while you 'can' change it from 4125 to something else inside the RRAS interface, the port is not open 24/7 and listening.

2.  Remember too you 'can' have a fully functioning Remote Web Workplace with only a port 443 open all the time.  You can close down port 80.

3.  What does ISA give you that RRAS does not?  Monitoring and logging...a LOT more monitoring and logging.  If the port is open on either Standard or Premium, the same exposure is there.  However, with ISA your 'who, what, where, when, why' is dramatically increased.

4.  Right now I have not seen Remote Web Workplace 'auth' attacks; instead what we see is SMTP auth attacks.  If you have ports statically open, like port 25 for mail, we are indeed seeing 'attacks' on those ports, especially against the administrator account.  You "can", if you like, for an extra level of paranoia, follow the guidance in the first 'to do' item in SBS 2003 and rename [including the description] the admin account, set up a 'new' admin account and use that instead for admin access.  Personally I've not done that; I've just ensured that I have nice strong passwords on all accounts.

5.  Last but not least, in full disclosure, parts of the site can end up in Google, but this only occurs if you've been stupid and opened up the ENTIRE web site.  ONLY open those pages that you need and close up what you don't. 
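The five points above amount to a checklist of what should and should not answer from the Internet, and the only way to know is to probe from outside. Here is an added PowerShell example (not code from the original post) that does exactly that from a machine outside the router: it connects to each port with a real timeout and compares the result with the post's position. The host name is a placeholder; the port list and the 'want open/closed' judgements are my reading of the points above (443 for RWW, 80 closable, 4125 closed until someone has logged on through RWW, 25 and 444 depending on whether you receive mail and publish companyweb).

```powershell
# Added example, not code from the original post: probe the SBS box from a
# machine OUTSIDE the router and compare what answers against what the five
# points above say should answer. Host name and port list are assumptions.
param(
    [string]$PublicHost = 'remote.example.com',   # assumption: your public name or IP
    [int]$TimeoutMs     = 3000
)

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect + WaitOne gives a real timeout; a plain Connect() can hang
        # for a minute on a port the router silently drops.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($ar)      # throws on a refused (RST) connection
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()
    }
}

# Want = 'open' / 'closed' is the post's position; 'depends' is only reported.
$expectations = @(
    @{ Port = 25;   Want = 'depends'; Why = 'SMTP: only if mail is delivered directly; this is where the auth attacks land' },
    @{ Port = 80;   Want = 'closed';  Why = 'HTTP: RWW runs fine on 443 alone, so close 80 unless you need it' },
    @{ Port = 443;  Want = 'open';    Why = 'HTTPS: Remote Web Workplace / OWA' },
    @{ Port = 444;  Want = 'depends'; Why = 'companyweb over SSL: only if SharePoint is published to the outside' },
    @{ Port = 4125; Want = 'closed';  Why = 'RWW desktop proxy: must NOT be listening until someone has authenticated' },
    @{ Port = 3389; Want = 'closed';  Why = 'raw RDP: never expose it directly' }
)

foreach ($e in $expectations) {
    $state   = Test-TcpPort $PublicHost $e.Port $TimeoutMs
    $verdict = 'info '
    if ($e.Want -ne 'depends') {
        $isOpen  = ($state -eq 'open')
        $verdict = if ($isOpen -eq ($e.Want -eq 'open')) { 'ok   ' } else { 'CHECK' }
    }
    '{0} {1,5} {2,-8} {3}' -f $verdict, $e.Port, $state, $e.Why
}
```

Two things to keep in mind when reading the output. 'filtered' and 'closed' are both fine for a port you meant to keep shut; the difference only tells you whether the router drops or rejects. And 4125 will legitimately show 'open' while someone has an RWW desktop session running, because that is exactly when the server opens it, so run the probe when nobody is connected before you decide something is wrong.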

Okay so maybe I had just a little to do with the topic in David's column

David Coursey today has a column whose topic is near and dear to my heart.

Restricted user...least privileged user...LUA ....whatever you want to call it.

Today in David's column he talks about how 'Least privilege can be the best'.  There are those who will say LUA or restricted user is not a 100% panacea for all that ails us, since you can still be infected by worms and the like even when running as a user, if the 'infector' has the ability to 'increase its rights' or attacks a service and uses that as a means to enter the system.  But the reality is that, at least today, it very much helps in ensuring that the end user doesn't do something dumb like click and download something.

Steve Friedl is working on hacking a registry to get Quickbooks to fully operate as a least privilege user and he and I were chatting about how it was weird that I was able to do it one way at home, and practically had to hack up the entire classesroot at the office to get it to work.  He's banging his head on the same problem.  And while there is blame to Microsoft, there is just as much blame to the vendors, and quite frankly, last but not least, blame to us.

Shame on us for putting up with this.

Shame on us for not making this a 'feature' that we want to see in our applications.  The AICPA released today a document for a “Privacy Incident Response plan“.  Basically it's a document that if you lose your laptop, data gets hacked, whatever, this is a guideline of 'what to do'. 

I'd like to add one major important thing to the FRONT of this document...which is... check that your vendors take reasonable measures to help you protect your data from the get-go.

Supporting both least privilege and encryption of all sensitive data fields would go a long way to help us out here not HAVE to inform those parties affected by a Privacy Incident in the first place. 

The power of Word...the REAL power of Word

Word.

Noun.

A sound or a combination of sounds, or its representation in writing or printing, that symbolizes and communicates a meaning and may consist of a single morpheme or of a combination of morphemes.

Microsoft Word

Noun.

Annoying program that, when it works, is wonderful, and when it doesn't want to cooperate with you and instead numbers pages in some bizarre sequencing pattern, no matter how many section breaks you insert or delete, you still can't get the last three pages of the report to be numbered 16, 17 and 18.

A word processor is a very powerful program.  Single-handedly it is making me

  • Forget how to spell
  • Forget grammar
  • and raise my blood pressure when it comes to headers and footers

Okay, here goes the rant for a Friday.....

My bug a boo....my one sticking point with Word that if it gets really bad we've got like two or three people in one person's office trying to get something fixed is ... Headers and Footers.

Click View....Header and Footer.

When they work..heaven.

When they don't...grrrrrr

Now in Excel this same sort of headers and footers is in a totally different menu drop down so if you are a beancounter that's your first thing you have to get used to is where the thing is... then... if you need the pages to count in a non-sequential manner, make sure you have a lot of Tums and aspirin on hand.

Today was one of those days when our Word Expert Extraordinaire and I could not get the last three pages of a document to number as we wanted them.  We finally gave up and printed those three pages separately.  Even with the paragraph marks turned on [and there are people who leave that annoying view turned on ALL THE TIME] we still could not see the offending 'bit' that was causing the issue.  We deleted page breaks, we inserted breaks, and still we could not get the last three pages to 'skip' a number and then go on in sequential numbering.

Word Perfect even did one better and exposed almost a 'code level' view in a dos-window below.  I've been in Attorney offices and there those split screens are being typed on.

I've even had Word documents that I've put in 'placeholder' pages because it was easier to stick in 'placeholder blank pages' and have them numbered than it was trying to insert breaks and what not.  Is it any wonder that we are killing more trees for paper these days than we use to in the past?

Final Score

Susan - 0

Microsoft Word - 1

Things to do next Tuesday

So for all those within earshot of this blog...listen up.  You've got a free day next Tuesday as there is no Security patching to do.  Now you 'could' go outside and enjoy the [insert whatever weather you get in your region] or you could be a real geek and do one of three things....

  • You could be an absolute maniac and walk the streets of your city in search of SBS boxes that are unpatched for the POP connector patch that turns them into spamming machines.  Now then keep in mind that you just might be arrested for screaming at the top of your lungs “Do you have a SBS box“, so if you want to pass on this suggestion, I'll understand.  But if you happen to meet up with an SBSer, do try to mention in passing that they should visit the www.microsoft.com/sbs page, click on downloads and GET THEMSELVES PATCHED.  When someone comes to the newsgroup and says 'I'm fully patched', you'd better truly be 'fully patched.'
  • Next, you could take your day to make sure an XP sp1 machine is ready to go for XP sp2.  The press is making a big deal that come April 12th the XP sp2 patch is coming down like it or not, but here's the scoop: you have to have Automatic Updates turned on and you STILL have to click through an EULA, so all my beancounters who are worrying that XP sp2 will install just as they are attempting to finish tax returns have nothing to fear.  The wise thing to do is just install it now anyway [like WHAT were you waiting for anyway?]  A nice guide is located here.
  • Last but not least, you can take the day to make your computer 'genuine'.  This is a process where you go through an ActiveX page and make sure your system has a genuine license.  Yeah yeah, I know that you did buy it, but in places of this world that isn't always the case.  So take the time on patch Tuesday to confirm your box.  Remember you will ONLY get the MS antispyware when it comes out if you have been deemed 'genuine'.   I found that when I was on a system that had a volume license or retail box product key installed it went through without a hitch and 'found me legal'.  For an OEM operating system, this wasn't the case and I had to do a bit more proving of who I was.  I clicked on the genuine page and it asked me for a product key code.  Now, here's the problem...the code on a Dell tower is ON THE FLOOR, upside down.  I crawled on the floor, wrote down what I thought it was and got the key wrong.  On that page there was an “alternative ways to validate“ link [trust me... right hand side..keep looking]; I clicked, entered that I had a Dell, bought from Dell, it made me enter a “captcha“ confirmation [like in the blog comments section] and voila.  I'm genuine. 

Now, here's the problem I see.... I don't think they are kicking up the communication on that last one enough.  Let me restate that.... Volume license folks and Retail box folks go through just fine; it's OEMers who are slowed down by a bit of an annoying entry method. 

If anyone out there in Microsoft land is listening, I'd really start a communication process on the OEM genuine process.  I think a lot of folks that buy through the OEM channel are going to be a bit miffed that they have to 'prove' that it's their machine.  I know that I wasn't too keen on crawling on the floor and will definitely use the 'alternative method' on my systems that are OEM.

On the Microsoft Genuine page it says “The validation process determines if you have activated your copy of Windows. If you have not activated Windows, you will be asked to enter the 25-character Product Key printed on the Certificate of Authenticity (COA) you received with your PC or software purchase. If you have already activated Windows, the validation process will sense that the PC has been activated, and will not request Product Key entry.”  I'm sorry but that's just dead wrong in my book in the OEM experience.  Two out of two OEM computers that I've tested wanted the product key code.  I'm assuming because the OEM 'activated' my machine and not officially me...but nonetheless...

....and sorry one more rant for the evening before I go to bed... the word 'richer'.  There are over 11,500 uses of the word 'richer', and over 81,600 uses of the word 'rich' on the Microsoft.com web site.  I'm actually surprised about that number.  I thought it would be higher.  When we finally get the OS with the horns... can we find some other word to describe things other than 'richer' and 'rich'?  Just start thinking about a new descriptive word please?

A bit of collaboration in your coffee?

Partner Channel Builder enables Microsoft's Gold Certified and Certified Partners to collaborate with one another by calling out opportunities to form new alliances and deliver complete end-to-end solutions for customers and by identifying potential revenue opportunities that enable them to grow their business in new markets and geographies.

http://www.integratedmar.com/ecl-usa/story.cfm?item=19267


In the Echannel news they talk about a Partner Channel Builder tool that allows partners to collaborate on projects.  But on a daily basis there's a bit of collaboration that goes on in the communities of SBS. 


Today I got an email from a person asking to join the blog.  But the thing is, this blog is just really my online filing cabinet of odds and ends.  In reality, I just bubble up things from the newsgroups and communities I hang around in. 


If you want to 'join the blog' what you really want to do is join the 'communities of SBS'.

I think I'd start first with the Microsoft Small Business Community site.

Check it out...a lot of collaboration going on there.


Toronto North SBS Consultants Group

The initial meeting of the Toronto North SBS Consultants Group has been scheduled and planned!

If you are local to Toronto, Newmarket or Barrie, please join our site at:

http://groups.yahoo.com/group/SBSCanada/

And register for our first meeting at:

https://www.clicktoattend.com/invitation.aspx?code=101891

General Event Information
Products: Windows Small Business Server

Recommended Audience: IT Professional, Partner

Initial meeting of the Toronto North SBS Consultants Group - A group of IT consultants that support small business technology - especially focused on Microsoft's Small Business Server.

Join us to network with friends, colleagues and other professionals to exchange technical and business knowledge helping us all better serve our small business customers.

Through monthly meetings, and an online community we share experiences, best practices and general ideas about Small Business Server and the practices we create around it.

The group is North of Toronto, serving all surrounding locations, including the Greater Toronto area proper.

The initial meeting agenda includes:

1) Group introduction and discussion
2) Introduction to Small Business Server 2003
3) Introduction to the Microsoft Canada Partner program
4) Networking


Next Tuesday...no patches

No patches next Tuesday

[but if you are still on Firefox 1.0 remember there is an update to fix some security issues and both browsers still have security issues] 

********************************************************************
Title: March 2005 Microsoft Security Response Center Bulletin 
Notification
Issued: March 3, 2005
********************************************************************

Summary
=======

As part of the monthly security bulletin release cycle, Microsoft 
provides advance notification to our customers on the number of 
security updates being released and the products affected. This is 
intended to help our customers plan for the deployment of these 
security updates more effectively. The goal is to provide our 
customers with information on soon-to-be released security updates.

On 8 March 2005 the Microsoft Security Response Center is planning 
to release no new security bulletins.
Although we do not anticipate any changes, the number of bulletins, 
products affected, restart information and severities are subject to 
change until released. 

In an effort to continue to provide consistent support and service 
to customers around security issues, Microsoft will offer the 
monthly technical webcast, even though we will not be issuing any 
new security updates, on Wednesday, March 9th, at 11:00 AM PST. 
Registration is available at this link 

We will use this opportunity to make Microsoft subject matter 
experts available to answer any questions customers may have about 
previous bulletin release cycles, the monthly bulletin release 
process and the role of the Microsoft Security Response Center in 
testing and distributing security updates.

********************************************************************

Support: 
========
Technical support is available from Microsoft Product Support 
Services at 1-866-PC SAFETY (1-866-727-2338). There is no 
charge for support calls associated with security updates. 
International customers can get support from their local Microsoft 
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
 
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

  http://www.microsoft.com/technet/security/secnews/default.mspx

* Protect your PC: Microsoft has provided information on how you 
  can help protect your PC at the following locations: 

  http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a 
  Microsoft security update, it is a hoax that may be distributing a 
  virus. Microsoft does not distribute security updates via e-mail. 
  You can learn more about Microsoft's software distribution 
  policies here: 

http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

Have GFI and not getting mail?

Using GFI and all your mail being Quarantined or Deleted ?

http://www.theregister.co.uk/2005/03/02/gfi_beserker/

Quote----
GFI's Mail Security anti-virus product threw a wobbler Wednesday
afternoon (2 March) when an update to BitDefender Engine Module caused
it to delete the body content of every incoming and outgoing message.


Okay Symantec had a security vulnerability and needed a patch, Trend had a security vulnerability and needed a patch [which I think should automagically come down today] and now GFI. 

Sophos and Panda folks?  Keep a look out ... at this rate you guys are next....

Yes? You knocked? Hello?

Wherever you are reading this... stop.  Listen.  What do you hear?  A computer fan running?  Cars driving by?  Depending on where you live either snow plows, rainy streets, birds chirping?  It's noise from outside of your house that just goes on all the time.  You can't filter it out.  Like you can't stop people from driving by your house.  Or even worse, knocking on your door and running off.

In the SBS communities, and on the Internet in general, we tend to be a bit sensitive to “seeing things“. 

Right now if you are seeing 'failure audits' in your security log file that shows that usernames of '33333333' or '44444444' or 'Webmaster' or 'Administrator' are trying to log into your system, we're seeing this as well. 

Remember that the auditing in SBS 2003 is different than SBS 2000.  It's much more alert to things going on in your network.  So while 'this time' I can say, yup, we're seeing this too, don't worry, what's the best way to handle 'stuff' like this?

Here's my opinion and I'm sure others will jump in with more....

First ...don't panic.  If you know your passwords are strong enough for the Dr. Jesper Johansson seal of approval, you know that somebody guessing from the outside isn't going to crack anything without insider knowledge of that password, so the first rule is

  • Know thy quality of passwords

Next, what ports do you have open that are drawing these door-knocks in the first place?  The less you have open, the less you need to keep an eye on.  So when you are running that Connect to Internet Wizard, if you don't need to open something up to the outside... DON'T.  Then go to grc.com's site and TEST what you have open from the outside, so that only what you think is open is indeed open.

  • Know thy openings

Know and understand and get a feel for your network's performance.  My server's DSL connection is in a network room that I walk near every day at about eye level.  If someone is streaming some video [namely me] or someTHING weird is going on in the network, I can see it on the DSL connection.  Keep a log of when you install stuff, and honestly I don't allow auto updates on the server and autoreboot of the server because I truly want to know when something happened.  That said, the log file does indeed give clues about when the server is being patched and what not.

  • Know thy normal network operations

Also understand that in case something just doesn't feel right, ASK.  Just like the poster in the newsgroup did tonight, when something like this happens, and there's some bot or spam pinger out there doing a random scan of everyone, we're ALL going to see this.  Next, know the right resource.  Remember [and I cannot say this enough], hotfixes are a free call to Microsoft, issues caused by a security patch are a free call to Microsoft and virus issues are a free call to Microsoft.  If the event is more of a Live Forensic analysis like Robert Hensing does, it will be the more normal server call pricing structure.  But the key here is when you think you might be under attack, start calling in the troops and seeing if 'we' out here in the communities are seeing it.  If it's not normal, kick it to the appropriate place to take action on it.

  • Know thy resources and visit the SBS communities and ASK
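Those four rules can be turned into a quick triage of the failure audits themselves. The script below is an added example for this post, not code from Microsoft or from the newsgroup. It takes a Security log exported to CSV, groups the failure audits by the Source Network Address field, and decides per source whether you are looking at the '33333333'/'Webmaster' name-list noise, a real account being hammered, or a lone typo. The event IDs (529, 539, 680) and the 0xC0000064 status code are the real Windows Server 2003 values; the CSV column layout, the addresses, the list of accounts that 'really exist', the thresholds and SAMPLE_EXPORT itself are all made up for the example.

```python
"""Triage 'failure audit' logon events exported from a Windows Server 2003 Security log.

Added example for this post, not code from Microsoft or the newsgroup. The event IDs
and the NTLM status code are real Windows 2003 values; the CSV layout, addresses,
account list and thresholds are assumptions, and SAMPLE_EXPORT is a constructed log.
"""
import csv
import io
from collections import Counter, defaultdict

# Windows Server 2003 Security log, Failure Audit event IDs.
LOGON_FAILURE = 529          # Logon Failure: unknown user name or bad password
ACCOUNT_LOCKED_OUT = 539     # Logon Failure: account locked out
NTLM_FAILURE = 680           # Account Used for Logon by (NTLM), failed
NO_SUCH_USER = "0xC0000064"  # error code in event 680 when the account does not exist
FAILURE_EVENTS = {LOGON_FAILURE, ACCOUNT_LOCKED_OUT, NTLM_FAILURE}

KNOWN_ACCOUNTS = {"administrator", "susan", "karen", "spadmin"}  # assumed real accounts
SPRAY_MIN_USERS = 4     # distinct names from one source before we call it a scan
TARGETED_MIN_FAILS = 5  # failures on one real account before we call it targeted

# Constructed sample export (not a real log): date,time,event_id,user,workstation,source,error
SAMPLE_EXPORT = """\
date,time,event_id,user,workstation,source,error
2005-03-02,22:01:13,529,33333333,,203.0.113.45,
2005-03-02,22:01:14,529,44444444,,203.0.113.45,
2005-03-02,22:01:15,529,Webmaster,,203.0.113.45,
2005-03-02,22:01:16,529,Administrator,,203.0.113.45,
2005-03-02,22:01:17,680,test,,203.0.113.45,0xC0000064
2005-03-02,22:01:18,680,guest,,203.0.113.45,0xC0000064
2005-03-02,23:40:02,529,administrator,,198.51.100.7,
2005-03-02,23:40:03,529,administrator,,198.51.100.7,
2005-03-02,23:40:04,529,administrator,,198.51.100.7,
2005-03-02,23:40:06,680,administrator,,198.51.100.7,0xC000006A
2005-03-02,23:40:07,539,administrator,,198.51.100.7,
2005-03-03,08:02:41,529,susan,SBSXP01,192.168.16.12,
"""


def parse_export(text):
    """Turn the CSV export into dicts; user names are lowercased so Admin == admin."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "event_id": int(row["event_id"]),
            "user": row["user"].strip().lower(),
            "workstation": row["workstation"].strip(),
            "source": row["source"].strip() or "unknown",
            "error": row["error"].strip(),
        })
    return events


def failures_by_source(events):
    """Keep only the failure audits, grouped by the Source Network Address field."""
    grouped = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILURE_EVENTS:
            grouped[e["source"]].append(e)
    return grouped


def classify_source(events):
    """Decide whether one source looks like background noise or something to chase."""
    per_user = Counter(e["user"] for e in events)
    real = {u: n for u, n in per_user.items() if u in KNOWN_ACCOUNTS}
    unknown_users = len(per_user) - len(real)
    locked_out = sorted({e["user"] for e in events if e["event_id"] == ACCOUNT_LOCKED_OUT})
    no_such_user = sum(1 for e in events
                       if e["event_id"] == NTLM_FAILURE and e["error"] == NO_SUCH_USER)

    if real and max(real.values()) >= TARGETED_MIN_FAILS:
        verdict = "targeted"   # an account that really exists is being hammered
    elif len(per_user) >= SPRAY_MIN_USERS and unknown_users >= len(real):
        verdict = "scan"       # a name list being walked: the 33333333/Webmaster noise
    else:
        verdict = "isolated"   # one or two failures, most likely a typo

    return {"verdict": verdict, "failures": len(events), "distinct_users": len(per_user),
            "real_accounts_hit": real, "locked_out": locked_out, "no_such_user": no_such_user}


def triage(text):
    """Map each source address to its classification."""
    return {src: classify_source(evs) for src, evs in failures_by_source(parse_export(text)).items()}


def report(text):
    """One line per source, worst first, with the action each verdict calls for."""
    advice = {"targeted": "investigate: lockouts, password strength, consider blocking the source",
              "scan": "background noise; re-check which ports really need to be open",
              "isolated": "probably a mistyped password; watch for repeats"}
    order = {"targeted": 0, "scan": 1, "isolated": 2}
    lines = []
    for src, info in sorted(triage(text).items(), key=lambda kv: order[kv[1]["verdict"]]):
        lines.append(f"{src:15} {info['verdict']:9} failures={info['failures']:<2} "
                     f"names={info['distinct_users']:<2} locked={info['locked_out']} "
                     f"-> {advice[info['verdict']]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run it and the 203.0.113.45 source comes out as a scan (six different names, most of which don't exist, including two NTLM failures with the 'no such user' code), 198.51.100.7 comes out as targeted because it put five failures on the real administrator account and tripped a lockout, and the single failure from the inside workstation is just a typo. The thresholds are deliberately low so the sample is readable; on a real box you would tune them to what 'normal' looks like on your own network, which is exactly the point of the third rule above.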

Sharepoint blogs, you say you want Sharepoint blogs?

I'll be the first to admit that the first thing on my to do list after busy season is really getting into Sharepoint.  After I posted my “Exchange blogs” post the other day someone from the mailbag asked about Sharepoint blogs.

So here you go:

http://www.sharepointblogs.com/

http://www.spsfaq.com/blogs.htm

Actually, better yet.. grab this OPML file and stick it in NewsGator.  Okay, SeanDaniel.com today gave us a lesson in RSS... I'm going to one-up him by doing an OPML.  OPML is a way to quickly and easily share your feeds with another person, another computer, etc.  OPML is a file format that can be used to exchange subscription lists between programs that read RSS files, such as feed readers and aggregators. So rather than you clicking and subscribing on each individual RSS feed, you can suck in the 'entire' Sharepoint blog listing in one she-bang.

On a final note.... I would just like to ask does anyone else routinely tend to spell Sharepoint, Sharepoing?  There's something about the g and the t being close that I end up with the wrong keys sometimes....

Excuse me.... it was my database first!

I order things from Office Depot and so does the Office Manager at my office.  I buy stuff for home.  I personally feel it's perfectly normal to buy a whole box [10 reams] of paper.  And because I'm normally a geek I regularly use the online ordering system.  Log in before 5 and the order is delivered the next day.  Then I just have to twist someone's arm into putting it in my car and I've got paper for home. 

So the other day I log into the Office Depot site to review a past order to get a reimbursement on it as it was partially business.  And I'm looking down the listings of orders going....okay....something doesn't look right here...these aren't my orders...they are the firm orders.  I check the account name and sure enough it's been fully flipped to the office address and name. 

Okay, that's odd, so I call up Office Depot.  Well you see they track their database with a telephone number and because in my online account I have an office/business phone number of ..where else... my office and I normally don't like to put my home number in the database, especially since during the time they are delivering I am....hello....at the office..... so guess what.... you guessed it ...they mooshed the databases of my orders and got it mixed up with the firm's orders, even though the firm's account said 'no online ordering'.  So now I need to set up a new account because every time I do something in the online account it thinks that's the firm account. Nice huh?

So.... I don't have my online history anymore and my firm that didn't want any of this info online has it tied to my account. 

As we move forward databases are going to become more and more important...and proper handling of them even more so.  Someone/some program obviously consolidated databases and someone/some thing decided that since me and my firm had the same phone number, we MUST be the same database!

This happens to me and my sister a lot too.  We share a house and thus we share a phone number and thus we share a database identifier.  We've given up trying to straighten out the databases. 

If I send an email via a web interface I'm not 'Susan' I'm 'Karen'.  Other things, the account is in my name not hers.

Bottom line... if there's a database attached...just say Susan/Karen... I'll answer to both. 

How good of a SBSer are YOU?

Take the SBS Assessment

Introducing the Individual Assessment for Microsoft Small Business Server 2003

http://www.microsoft.com/learning/assessment/ind/

..and take the “Susan” Bet.  From now until March 31st, the first annual unofficial Susan Sponsored, see how good of a SBSer you are, SBS 2003 Assessment Contest is now open.  The SBSer with the HIGHEST score will win a 6 pack of Mountain Dew [Regular, Code Red, Live Wire, Pitch Black, or AMP, if you want the Baja Blast flavor I'll have to send you a gift certificate to Taco Bell]

Contest is open to all SBSers, INCLUDING Microsoft employees, SBS Dev, SBS PSSers, in other words if SBS is “your thing“, now's your chance to see how truly SBSized you are.

Email me at sbradcpa-at-pacbell.net, or post to the blog, what your highest score is.  The winner will be announced on March 31st.  In case of ties, I'll buy another flavor [Wayne said they are flavors, not versions] for the winners that tie.


Do you have what it takes to implement, deploy, and support Microsoft Small Business Server 2003? Assess your skills for FREE and increase your knowledge and ability by following the personal learning plan and suggestions created as a result of your assessment.

This Individual Assessment is beneficial to both partners and customers in understanding what is needed and what is available from Microsoft Learning around SBS 2003

Speaking of SBS Partner Groups

You guys and gals DO remember what is upcoming in March in the USA don't you? [and for those of you near the USA borders...consider that March is lovely weather for traveling to the states]

Beginning March 10, the SBS Partner Group Tour kicks off in Seattle, Washington, and from there they start heading South --

I hear from Roger in San Diego that spots are filling up so sign up now folks!

Cities on the tour are:

  • Cincinnati, OH 3/22/2005
  • Denver, CO 3/31/2005
  • Independence, OH 3/24/2005
  • Irving, TX 3/29/2005
  • Louisville, KY 3/21/2005
  • Omaha, NE 3/28/2005
  • Pasadena, CA 3/18/2005
  • Phoenix, AZ 3/16/2005
  • Portland, OR 3/14/2005
  • Redmond, WA 3/10/2005
  • Sacramento, CA 3/15/2005
  • San Antonio, TX 3/30/2005
  • San Diego, CA 3/17/2005
  • Southfield, MI 3/23/2005

Next time, Barbara, just call me

Barbara Darrow in the Unblog on the CRN site talks about the new online  “Small Business Center”.  Reading the post reminded me of a happening just this weekend.  

In her post it talks about the demo of the new site, where the person put in that he or she was a 6 computer shop and ended up getting referred to Tectura and Avondale.  Now I'm not 100% sure they would turn down a 6 computer job, but I guarantee you Tectura would not do as well as my buddy Steven Banks or any one of his fellow SBS partner user group members in Seattle.  AH HA, after doing a bit of digging and clicking through I did find Steve down under the registered partner level.  The initial 'landing place' only offers up the Gold Certified partners [you know, the partners at least two of whom, back in my SBS 2000 days, tried to talk me out of SBS]. 

I guess I'm always trying to swim a bit upstream or something but at a time when CRN is talking about some partners seeing Microsoft 'over recruiting new partners', I'm trying to drag more registered partners in the door.  Just this weekend in fact, someone emailed me and asked if I knew of an SBS consultant in Orange County and with our SBS user group ties, sure 'nuff I did.  Guaranteed installer of SBS networks, in fact, courtesy of our SBS Group network.

So for all you registered partners out there reading this blog... click on Products overview, Solutions Advisor, answer a few questions and make sure you are in the database.

For you SBS consultants that aren't even a registered partner... get your buns on over to www.microsoft.com/partner and register yourselves!

For you Gold Certified Partners that may get some potential SBSers calling you, make sure you treat those SBSers right.  If any one of them find their way into the SBS newsgroup and I hear you tried to talk them out of SBS.... just remember... they could end up turning into me.....that'll keep you awake at night, won't it?