[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] June 2004 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

June 2004 - Posts

Eriq Neale graciously updated his MAC/SBS information and gave me permission to just point all you guys over to his fantastic site that has all the full details!

Very cool!  Thank you Eriq!

Posted Wed, Jun 30 2004 19:22 by bradley | with no comments

Small Business Server 2003 – Backup and Restore
Join experts from the SBS team on June 30th 2004 to discuss tips, techniques, and best practices for SBS backup and restore.

June 30, 2004
2:00 – 3:00 P.M. Pacific time
5:00 – 6:00 P.M. Eastern time
21:00 – 22:00 GMT
Enter Chat Room
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015

So my Threat Modeling book came in today from Amazon.com [I've only preordered it for ages] and even before I've started reading it I'm doing a bit of “threat modeling/risk analysis” here at the office today. 

Internet Explorer.  Unless you've been living under a rock, you'll know that IE has a bit of issues lately.  Per news reports, one of the web sites that was unpatched for 04-011 and thus was vulnerable to being overtaken and used in the browser attack was Kelley Blue Book.  That sort of hit a little too close to home.  Since that would be a business site that I would consider “trustworthy” I'd probably be adding that to a trusted zone if I needed it to work.

First and foremost as administrator I need to ensure that the firm's data remains secure.  If I can't control what is going on on my workstations, I'm not controlling my network.  My workstations are where my vulnerabilities are.  Jeff Middleton just said it yesterday.  Security isn't about following a "readers digest how to" book, it's about *administration and control.*

So I made a risk analysis.  I know that I don't have my entire office running as user because either the applications I run won't support it, or in my role as network enabler, I'm unwilling to push my office workers into a “painful” and loss of productivity position.  So I've done things like running with IE in high security, adjusting the Trusted site zone to be no lower than medium.  I have certain positions locked down, but not my IT workers who aren't ready for a lack of control.

Today I decided to roll out XP sp2 to my higher risk workstations [like mine].  I know that I'm going to have to work something out around Shavlik.com's patch program that needs outbound NetBIOS connections [and inbound return responses], but right now I've not been seriously hampered by running a firewall inside my firewall.

Off to check out the Threat Modeling book....

UPDATE - another mitigation alternative is to run this IE registry tool here from eEye. This “kills“ the adodb bit.

Closing the adodb issue closes the possibility for this latest zero vulnerability from running, as it requires it to run. Microsoft has not considered the fact that the adodb issue allowing code to be run in the "My Computer" zone to be a security problem, however multiple issues of this have been made.

...and he's not finding anything......

....because it's not in a KB.  It's in a whitepaper! 

SBS 2000 ~

Microsoft TechNet: Adding a Server to Your Existing Small Business Server 2000 Network:
http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/addsrvrs.mspx

SBS2k3 ~

Download details: Deploying Windows Server 2003 Terminal Server to Host User Desktops in a Windows Small Business Server 2003 Environment:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A06E845-57EF-43EB-802F-F274FD937400&displaylang=en

The moral of this story is YES you can add a second server, a member server, a backup domain controller [remind me to blog on the “Myths of SBS by the way”] and here are the exact instructions on how to do it.

The myth belief in the public is that SBS can only have one domain controller and thus it's a platform “prone to failure”.  Poppycock! Rubbish! Steve Foster [SBS bud] would say.  First off, knock wood, I've never had an issue only having one Primary domain controller, and two, if you want a backup domain controller, stick one on there dude!  There's nothing stopping you!

Just remember that while you can log in, your email is still down.  Also remember that unless you have disabled cached credentials, you can get on that profile even if the network is offline.  It will find the network once it finally comes back.

Don't panic when you read that the SBS platform only has one domain controller.  That SHOULD read one “PRIMARY“ domain controller.

 

Posted Mon, Jun 28 2004 13:02 by bradley | with no comments

New this week

841773 - BUG: SQL Server Setup stops responding when you upgrade an instance of SQL Server Desktop Engine (Windows) to SQL Server 2000:
http://support.microsoft.com/?kbid=841773
841211 - The updated "What's new in Exchange Server 2003" guide for Exchange Server 2003 Service Pack 1 is available:
http://support.microsoft.com/?kbid=841211

Updated

836413 - You receive an "unexpected error occurred" error message when you try to access resources on a Windows-based network from your Macintosh computer:
http://support.microsoft.com/?kbid=836413
833992 - Scheduled POP3 connector e-mail message downloads may not occur on your Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=833992

"We're on the home stretch for Windows XP SP2! I can't begin to tell you what a relief it is to see it almost done." says Michael Howard on his blog.   I agree.  In looking over the Secunia advisories for Internet Explorer... IE is getting pretty nasty these days .....

The following are unpatched:
Secunia - Advisories - Internet Explorer File Download Error Message Denial of Service Weakness:
http://secunia.com/advisories/11868/

Secunia - Advisories - Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability:
http://secunia.com/advisories/11830/

Secunia - Advisories - Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities:
http://secunia.com/advisories/11793/   <<< this is the Russian IIS one that is currently being exploited>>

Secunia - Advisories - Microsoft Internet Explorer and Outlook URL Obfuscation Issue:
http://secunia.com/advisories/11582/

Secunia - Advisories - Windows Explorer / Internet Explorer Long Share Name Buffer Overflow:
http://secunia.com/advisories/11482/

Secunia - Advisories - Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing:
http://secunia.com/advisories/11273/


.....you get the idea..... basically walk down the IE advisories and see which ones don't point to a security bulletin.....but even then, I think I'm going to keep running in high security.  There's no reason that web sites should do “stuff” without my permission.

Remember the 10 laws of security?  I'd say IE is letting rule number 2 get broken.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Posted Sun, Jun 27 2004 2:28 by bradley | with no comments

So over on Mary Jo's blog she's been talking in the past about how Microsoft is making a bigger push for supporting ISV's [you know,  Developers, developers, developers....] and just today the “blog” worked in a mysterious way.  The other day I posted about how to get hotfixes.  And I admit when I call, I'm normally getting one hotfix at a time AND I'm in the USA where I can call an 800 number 24/7.  Today in the comment section, I got a post from Mica about how he was an ISV/OEM and he had gone through the KBs and tracked down a whole bunch of hotfixes that he needed for a project that he is developing.  He had called PSS and the contact there had asked Mica to email him the list of patches.  The PSS contact forwarded the request to the Windows 2003 server group and that's where the ball got dropped. 

Bottom line Mica never got his patches.  So I asked Mica for the PSS contact and then started a series of follow up emails and bottom line Mica now has his patches that he needs [thanks Brad].

But here's the /rant part of the email:

It shouldn't be this hard.

Why can't there be a web site that an ISV or OEM uses an authenticator ...say passport [yeah I know, we all hate to use it for authentication but get over it] to get into and then can download whatever hotfixes they need.  We all know they aren't regression tested.  We all know that we should test them first [for the record I've historically had more good experiences with hotfixes than Service packs ...but that's another story].

Make it easier for ISV's and OEMs to get these hotfixes.  I totally understand that there is no such thing as “perfect“ software and never will be, but I would want my manufacturer to have the ability to ensure he's got the latest “whatever“ he needs to build me the best system ever.

http://www.trendmicro.com/en/support/npf/overview.htm

Be sure to apply the Service Pack or upgrade to a product version using the new pattern file numbering format by September, 2004. Trend Micro currently estimates that it will be able to continue releasing the old 3-digit pattern files until September 2004, at which time support for the 3-digit numbering format will cease and new anti-virus pattern files will be released in the new multi-digit format only. This date is subject to change, however, based on the volume of new computer viruses and the resulting demand for new pattern files. Accordingly, Trend Micro customers are strongly encouraged to apply updates or service packs as soon as possible.

News reports are saying that high-traffic web sites running on IIS 5.0 servers that were not patched with the 04-011 security hotfix [hello people, let's patch!] have been infecting people who browse them.  If you are running XP sp2, you are protected.  But what if you can't run the RC [after all it still "is" in beta]?  How can you protect yourself while surfing?

1.  Alternative browser.  I'm not a fan of this one because I have no patch tool to help me patch the browser. 

2.  Run with IE in High security and do a little tweaking.

Download a tool:

http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx

I blogged about this before.  This little IE addition adds a quick shortcut under “Tools” for “add to trusted sites”.  When you get to a web site that you really “need” to have working [like a business site] you can add the site to the trusted zone and hit “refresh” and voila.

Then, I go to tools, Internet options, Security, and I click on the "trusted sites" and I click on custom level and instead of "low" I change it to run as "medium" [prompt me for stuff like scripting and downloads... don't just "do" stuff].  Then I click on Internet and change it to "high security".  THEN, and here's the fun part.  When I need to go to a web site that will not work in "high security" and it's a web site THAT I TRUST, I then add the web site to my "trusted sites" with the toolbar.  Yes the tool bar works with IE 6.0 and even under XP sp2.

3.  Try to run with less privileges.  A blog recently opened up recommending ways to do this.

I really recommend that we all try to push our vendors to support "user" and limit the privileges.  We do NOT need to be admins on our own boxes anymore.
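The zone levels from step 2 can be checked on a workstation without opening the dialog. This added example (not part of the original post or of any tool it mentions) reads a `.reg` export of the Internet Settings `Zones` key and compares the `CurrentLevel` template of Trusted sites and Internet with the levels chosen above; the function names and the sample export are constructed, and it looks only at the template level, not at the individual action values.

```python
"""Audit IE security-zone template levels in a .reg export (added example)."""
import re

ZONES_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings\zones"
# URL security zone templates as stored in the CurrentLevel value.
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-low",
               0x11000: "Medium", 0x12000: "High"}
# Policy from the post: Trusted sites (zone 2) no lower than Medium,
# Internet (zone 3) at High.
POLICY = {"2": ("Trusted sites", 0x11000), "3": ("Internet", 0x12000)}

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {lower-cased key path: {value name: int}} for REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys


def audit_zones(reg_text):
    """Return {zone name: (status, level name)} for the zones in POLICY."""
    keys = parse_reg(reg_text)
    report = {}
    for zone, (name, minimum) in POLICY.items():
        level = None
        for path, values in keys.items():
            if path.endswith(ZONES_SUFFIX + "\\" + zone):
                level = values.get("CurrentLevel")
        if level is None:
            report[name] = ("missing", None)
        elif level == 0:
            # 0 is the custom template: each action value needs a manual look.
            report[name] = ("custom", "Custom")
        else:
            status = "ok" if level >= minimum else "too low"
            report[name] = (status, LEVEL_NAMES.get(level, hex(level)))
    return report


# Constructed export: Trusted sites left at Low, Internet raised to High.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"CurrentLevel"=dword:00010000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00012000
"1400"=dword:00000003
"""

if __name__ == "__main__":
    for zone_name, (status, level_name) in audit_zones(SAMPLE_EXPORT).items():
        print(f"{zone_name}: {level_name} -> {status}")
```

Files written by regedit's "Version 5.00" export are UTF-16, so decode them accordingly before passing the text in.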

Notice in SBSland our threat vectors here.  Not so much our SBS boxes themselves, it's our workstations that are the big targets.  Your threats are YOU surfing the web, not THEM out there.

[for those of you not old enough, Sgt. Esterhaus was the character on the 1981-1987 USA cop show called “Hill Street Blues”, he would end each roll call with “...and hey, let's be careful out here...”]

One more note - keep your antivirus up to date on your workstation as well. 

....and either I'm blind or not googling properly... we do have our MVP friend Mike Walsh's site that is specifically WSS, Home - WSS FAQ: http://wss.collutions.com/default.aspx but now I'm searching for webcasts [under the theory a picture is worth a 1,000 words] and finding a lot on Sharepoint PORTAL server but not on WSS.

I found this blog, but it lists SPS not WSS.  MSDN has some stuff, but no pictures.

AH HA... this might just be what I'm looking for... I found this on the Sharepoint customization site.  But I think there still needs to be more content specifically “for” Sharepoint on SBS.  We do have a couple of unique things.  So far I haven't found any “basic” documentation on the web that helps a newbie get a handle on it.

I'll keep looking....

Before installing Service Pack 1 - make sure you install this patch

831464 - FIX: IIS 6.0 compression corruption causes access violations:
http://support.microsoft.com/default.aspx?scid=kb;en-us;831464
[I said in another post that it's part of Exchange 2003 SP1 and it's not ... it's just that you can't install it WITHOUT it]

Then install

Microsoft Exchange Server: Service Pack 1 for Exchange Server 2003:
http://www.microsoft.com/exchange/downloads/2003/sp1.asp

Then install

Exchange Server 2003 Service Pack 1 (SP1) Online Help:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/sp1help.mspx

[once again hats off to Les is more!]

You can always tell when an Enterprise person comes into SBSland.  The first thing they want to know “Do you have to use the wizards in Small Business Server?”  Well.  No.  If you really want to do it manually... you could... but why in the world would you?

So I “could“ manually set up the firewall settings, and I “could“ setup the Exchange domain name, and I “could“ set up the SMTP virtual server settings and I could do the necessary settings for socket pooling and I could ....... but why?  When all I have to do is utilize the wizards inside of SBS?

Les [poet of the SBS group tonight] gave a great analogy...

It's like being offered a ride to the place you want to go, but not knowing what that place is or how to get there, saying "Oh no, I'll wander around and hope I find it instead."

Accepting that ride requires you trust the driver. We're giving the driver a good recommendation, you can trust him/her/it.

Take the ride. Learn the route in the process, and then should you decide to instead take the walk sometime, you'll be able to do it.

If you are an Enterprise kind of person just picking up the Small Business Server platform, leave your Enterprise learning at the door.  Welcome.  You are in SBS Land now.  We do things with a little bit of trust and pixie dust around here.  Oh and a whole lot of scripts and wizards too  :-)

UPDATE - What You Should Know About Download.Ject:
http://www.microsoft.com/security/incident/download_ject.mspx

I normally have as my “home” page the Incidents.org web page.  Today they are indicating that there is a possible Spam/vulnerability attack going on. 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis:
http://www.incidents.org/

I recommend that you check out the posting and in particular.....

 "What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jive with anybody's findings?)

Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.

[original diary entry follows]

A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number."

Don't use your server as a workstation.  Don't introduce an unnecessary threat by surfing at your server.  Be safe.  Be paranoid. 
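One way to check a server for the file names described in the quoted diary entry, as an added example that is not from SANS or from the original post: it flags files named `iis7xy.dll` in a directory such as `\winnt\system32\inetsrv`. The function names, the reading of "1kb" as at most 1024 bytes, the wider "review" pattern and the sample listing are assumptions made for the example.

```python
"""Flag files matching the DLL naming pattern quoted from the SANS diary."""
import hashlib
import re
import sys
from pathlib import Path

# Pattern as described in the diary: iis7xy.dll, x in 1-3, y a letter or digit.
STRICT_NAME = re.compile(r"^iis7[1-3][0-9a-z]\.dll$", re.IGNORECASE)
# The diary only says x "appears to be" 1-3, so a wider net is kept for review.
LOOSE_NAME = re.compile(r"^iis7[0-9a-z]{2}\.dll$", re.IGNORECASE)
# Assumption: "1kb" is read as at most 1024 bytes on disk.
MAX_SIZE = 1024


def classify(name, size):
    """Return 'match' (name and size fit), 'review' (name only) or None."""
    if STRICT_NAME.match(name) and 0 < size <= MAX_SIZE:
        return "match"
    if LOOSE_NAME.match(name):
        return "review"
    return None


def scan_listing(entries):
    """entries: iterable of (file name, size in bytes) pairs."""
    findings = []
    for name, size in entries:
        verdict = classify(name, size)
        if verdict:
            findings.append((name, size, verdict))
    return findings


def scan_directory(directory):
    """Scan one directory (not recursive); add a SHA-256 to each finding."""
    files = {p.name: p for p in Path(directory).iterdir() if p.is_file()}
    listing = [(name, p.stat().st_size) for name, p in sorted(files.items())]
    return [
        (name, size, verdict,
         hashlib.sha256(files[name].read_bytes()).hexdigest())
        for name, size, verdict in scan_listing(listing)
    ]


# Constructed sample listing (names and sizes invented for the example).
SAMPLE = [
    ("asp.dll", 331776),
    ("w3svc.dll", 348160),
    ("iis72b.dll", 1024),    # name and size fit the description
    ("IIS713.DLL", 40960),   # name fits, size does not
    ("iis75q.dll", 812),     # x outside 1-3
    ("iisrtl.dll", 122880),  # starts with "iis" but not "iis7"
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else scan_listing(SAMPLE)
    for row in results:
        print(*row, sep="\t")
```

Run it with the directory as the only argument; with no argument it prints the findings for the constructed listing.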

Posted Thu, Jun 24 2004 18:09 by bradley | with no comments
All is not lost.... courtesy of “Les is More” 
Moving Data Folder for Windows Small Business Server 2003 (download)
http://www.microsoft.com/downloads/details.aspx?FamilyID=A1D0AF69-1287-4225-BD8B-59C89F44984B&displaylang=en
The paper contains instructions for moving:

Users Shared Folders (command line)
Sharepoint Databases (command line)
Monitoring Databases (command line)
Sent Faxes (wizard)

For moving Exchange logs and database (GUI), and Clientapps (regedit required), there are no instructions - the KB articles are referenced.

821915 - How to Move Exchange Databases and Logs in Exchange Server 2003: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;821915
830254 - How to move the client programs folder to another location in Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;830254
Posted Thu, Jun 24 2004 0:03 by bradley | with no comments

Initiatives - Awareness:
http://www.cyberpartnership.org/init-aware.html

And specifically this guidance for Small Businesses....

http://www.cyberpartnership.org/CommonSenseGuideBus.pdf

Check it out

Posted Wed, Jun 23 2004 12:49 by bradley | with no comments
Check out the last couple of days worth of postings on the EHLO blog.  In particular, tonight's entry pulls in some posts from several team members.  Definitely a must subscribe to for SBSers.  Which makes me wonder about blogs for the other “parts” of SBS ..... hmmmmmm
Posted Tue, Jun 22 2004 17:57 by bradley | with no comments

But if you have Windows 98 machines still connecting to your SBS 2003 [cough cough ick], call and get this hotfix:

323466 - Availability of the Active Directory client extension update for Windows 98:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323466

And then do the following for maximum connectivity ~

Registry change:

Add the following registry key on the Windows 98 clients to force them to use NTLMv2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (you may need to create the Lsa key)

Value Name: LMCompatibility
Data Type: REG_DWORD
Value: 3

windows xp sp2 rc2:
http://blogs.msdn.com/jeffdav/archive/2004/06/21/161789.aspx

Some interesting regedits in there...and more tweaks than I realized....

The various aspects of pop-up manager are controlled by values in the registry under HKCU\Software\Microsoft\Internet Explorer\New Windows.  The registry values are all dword values, unless noted.  Values are all either 0 or 1, unless noted.

PopupMgr - Whether the pop-up blocker feature is enabled or not.  This is the checkbox on the privacy tab of the Internet Control Panel.
PlaySound - Whether or not a sound should be played when a pop-up is blocked.  This sound is set in the Sound Control Panel.
ApplyToWebOC - Applications hosting the webbrowser control only get pop-up blocking if they opt in.  This forces pop-up blocking on non-opted-in apps when true.
UseSecBand - Whether or not pop-up blocker notifications should appear in the Information Band.
AccUserInitOnClick - Turns off or on an app compat work-around for some Accessibility Aids.  This is on by default.
Balloon - Set when the balloon notification has been shown.  Not a very interesting value, listed here for completeness.
BlockHTMLDialogs - Whether or not to treat HTML dialogs as pop-ups. 
UserInitTimeout - Number of ms in the timeout period when the UseTimerMethod value is set (see below). 

I am amazed at my fellow SBSers.  Take Daryl Maunder, his IMF tool is on the Exchange blog which is in turn linked to on Paul's blog. Way to go Daryl.  Nice tool!
Posted Tue, Jun 22 2004 13:11 by bradley | with no comments
As mentioned before in this newsgroup, here are the steps (brought to you by Sean Daniel):

- Open Server Management
- Expand "<Domain> (Exchange)"
- Expand "Servers"
- Expand "<server name>"
- Expand "First Storage Group"

- Right Click "Mailbox store"
- Click on "Properties"
- Select the "Database" tab
- Change the location of the "Exchange Database" by browsing to a volume with more space (Note: DO NOT CHANGE THE DATABASE NAME)
- Change the location of the "Exchange streaming database" to the same location (Note: DO NOT CHANGE THE DATABASE NAME)
- Choose OK -> The dismounts, moves and remounts, this may take some time & email will be unavailable to your users while this happens

Repeat for "Public Folder Store" if you want to.

Also, if you're running out of space, make sure you're doing Exchange-aware backups (either with a 3rd party or the SBS backup solution).  Your log files could be growing on your system for no reason.

Finally, if you want to move the log files to another location too, you can follow these steps:

- Right Click on First Storage Group
- Choose Properties
- On the General tab
- Choose Browse for each of the "Transaction Log Location" and "System Path location"
- Choose Yes to the: are you sure dialog --> The dismounts, moves and remounts, this may take some time & email will be down during this time.

I hope this helps,
   Sean