[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] August 2004 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

August 2004 - Posts

So I'm reading Dana's blog and he's ranting that SBS doesn't allow ISA Server to “work” unless there are two network cards on the server.  If you only have one network card, as you run the wizard it won't set up ISA [or RRAS on the Standard SBS] to be a firewall and you must be dependent on an external hardware firewall.  I'll be the first to admit that I run at the office with two firewalls: my outside little non-beefy hardware firewall, nowhere near like ISA Server, and THEN I run ISA Server.  Why?  For one thing I like to have two walls, one to thin out the log files and then I want ISA Server: a firewall integrated with Active Directory, with so much logging that it makes my auditor background happy, and on a platform that I can patch with the push of a button.  I can't do that with my hardware firewall.  And these days with the Secunia web site throwing out as many firewall vulnerabilities as operating system ones, the idea that the software on a hardware box is more secure is silly unless it's, as someone said, the base of OpenBSD right after boot up when you have a command line prompt and nothing else.  We add on the cutesy-wutsey GUI to make people like me happy and you start introducing vulnerabilities.

The knowledge base article that talks about two network cards is here:

825763 - How to configure Internet access in Windows Small Business Server 2003:    A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network adapter configuration connects a single network adapter to the local area network.

Then in this KB it clearly states

323387 - How To Connect Your Company to the Internet by Using an ISA Firewall with Windows Server 2003:
Install the ISA Server

To install an ISA firewall, you need a computer with two network adapters. You must connect one of these adapters to your internal network and the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your internal network (or intranet) and the Internet by preventing outside users on the Internet from gaining access to the confidential information on your intranet or your computer.

Thus you need two network cards to enable the ISA firewall.  Dana responds to my comments that any firm that is doing a virtual firm would want this setup.  He may have a point, but I'll refer back to the first time Dana posted into the community newsgroup and was like “Dana Epp, THE security blogger Dana Epp? You aren't the normal “SBS” customer”.  And believe me, I mean that in the MOST complimentary way.  Dana is not the normal SBSer and the wizards are built for the rest of the 99.99999999% of the marketplace.  SBS is flexible, but this is where the Enterprise folks say they don't like the wizards... because they force the “best” practice or the “best” balance.  As I've blogged before, the wizards leave behind an audit trail.  They do the heavy lifting for you.  They want to help you make the best choices.... like.... two network cards.

Hmmmm... a virtual organization SBS network.  Interesting.... we are certainly doing more and more things “virtually” rather than physically these days.  I know I've been collaborating with other folks from around the world and we certainly get a lot done without physically being in the same room.  I think I'll email Dana's blog post to some folks that just might be interested in that.

~Susan

842694 - "You must be a member of the Domain Admins, Schema Admins, and Enterprise Admins" error when you run the Windows Small Business Server 2003 Setup program:
http://support.microsoft.com/?kbid=842694
884675 - "Copy Error: Setup cannot copy the file Atapi.sys" error message when you try to install Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=884675
883667 - OEM Windows XP Setup program may stop responding during video driver installation:
http://support.microsoft.com/?kbid=883667
878475 - A physical hard disk drive on your computer may appear as a removable drive when you run the Wireless Network Setup Wizard in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=878475
883614 - You receive a "Windows Update has encountered an error and cannot display the requested page" error message when you try to install an update:
http://support.microsoft.com/?kbid=883614
884020 - Programs that connect to IP addresses that are in the loopback address range may not work as you expect in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=884020
883260 - Description of how the Attachment Manager works in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=883260
838191 - List of Remote Procedure Call (RPC) fixes in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=838191

Typing up the SBS news of the week and was on Microsoft's just opened Small Business site and linked off to upcoming webcasts and found a couple of good ones!

Dr. J will be presenting TechNet Webcast: “Ask The IT Security Experts” Series: Preventing Network Hacking Level - 200   on September 21st and his webcasts are always entertaining AND informative. [I can never spell his last name right two times in a row, so it's Dr. J]

Oooh Steve Riley will be presenting on XP sp2 on Thursday.. save me some popcorn for that one too!

Bottom line check out those webcasts.  A TON of good stuff this month and don't forget the MSDN webcast blog too to keep you up to date on what is coming up!

 

Posted Sun, Aug 29 2004 21:36 by bradley | 3 comment(s)
Filed under:

So I ordered a replacement for my SCSI hard drive and the item that arrived was ddy"f"-t36950 not ddy"s"-t36950.  And then Ken and I are trying to confirm that it's a 64 pin not an 80 pin.  [Can you tell I'm a software gal not a hardware gal?]  Finally we spot in little tiny writing 64P.

Bottom line, my poor server is sitting there with its sides all hanging open as I order the “right” drive.  In addition to a source on the web, I ordered one from eBay.  Knowing what you have, having spare parts around [and that's my fault on that one], that's what I don't think we SBSers really do enough of.  We want “true failover redundancy” when all we really need is to ensure that we have the right part on the shelf.  That's another thing that I'll be talking about at SMB Nation.  How really easy it is to find out exactly what hardware you have to ensure that you don't get stuck.

Watch the tape backup log email that you get.  Make sure it backs up.  Test it every now and then. 

I've given Jeff Middleton the task to build my next server.  So why am I having one built rather than buying a Dell or an IBM or an HP?  For one, I trust Jeff.  Two, I've just had [knock wood] good luck and a good feeling about the parts in my servers.  Adaptec controller cards.  Intel.  The players may be changing a bit these days and some folks may argue that S-ATA drives are coming into play, but bottom line, when you have a part from a known manufacturer and with “history” behind it, I just feel better about it, that's all.

So anyone want a ddyf-t36950 drive?

Posted Sun, Aug 29 2004 17:54 by bradley | with no comments
Filed under:

BBC NEWS | Technology | Surf the net while surfing waves:
http://news.bbc.co.uk/2/hi/technology/3812357.stm

... and the sad thing is... my only complaint is that you can't truly surf the 'net and truly surf the waves at the same time .... but other than that ......

I can just hear the tech help desk now... “Help desk, do you have a problem?

“Like wow man I just had a wipeout“

You wiped your harddrive?“

“No man, like I came on this like gnarly pipeline at Banzai Beach but when I like ..... wiped out ....man... total wipeout “

You have a BSOD?“

“No man, the waves, totally awesome, but just can't get the right carve today, and keep mullering, can you help?“

Uh, sir, we do computer tech support here.“

“Dude, you aren't the surf support hotline?“

uh...no sir.“

“Well here on the stick below this screen was your 800 number“

;-)  ~Susan

 

Posted Sun, Aug 29 2004 12:01 by bradley | with no comments
Filed under:

PC Magazine and other magazines came out with an article on the “vulnerability of the Security Center” and Larry Osterman has a post on the issue.  My take is that it's a risk analysis issue.  What is worse?  That a piece of malware is going to get in and overwrite the Security Center application, or that the person is still running the same Norton AntiVirus definition files that came with the computer two years ago when the computer was new?

Yeah, we need to stop making people be local administrators, but you know what?  The ENTIRE INDUSTRY hasn't woken up to this issue yet.  Least Privilege is HARD to do and it should be soooo much easier than it is now.  Every single application developer should be reprimanded if they are writing an app today that will have an impact in the future and it is not “least privilege” aware.

We've taught our end users that they need absolute control of their box and haven't given them enough training at all to be able to handle “RunAs” or “sudo”.  At the same time, I would not be as computer enabled as we are today if Windows 95 had demanded that we RunAs.

I've said this before, I'll say it again, what I consider to be acceptable risk today, will not be acceptable risk tomorrow.  Someone said to me that they call end users “dear Muggles”.  I think we do need to have a wizard, a protector, a defender behind every user.

The polluted Internet | The Register:
http://www.theregister.co.uk/2004/08/27/polluted_internet/

"People shouldn't have to be computer experts to own a computer. But without a firewall, router, mega patches, anti-virus and anti-spyware, my auntie Fern has little hope."

... sad but true.....

Posted Sat, Aug 28 2004 13:49 by bradley | with no comments
Filed under:

If you don't know who Jim Allchin, VP at Microsoft, is, you need to be introduced to him.  There's a reason why he has white hair.  He makes a lot of the technical decisions about the operating system that most of us use around here.  The blogosphere is abuzz over the changes to Longhorn just announced.

Jim Allchin is on Channel 9 talking about it

Mary Jo Foley is blogging about it

Along with Joe Wilcox

Jim Allchin has been at the MVP summit and in front of the audience he's made statements like “We screwed up”.  One of the many reasons why I have a lot of trust in the man.  He has the honesty to go in front of a group of people who are good at being blunt and honest and do likewise.

~Susan

Posted Sat, Aug 28 2004 12:06 by bradley | with no comments
Filed under:

... so like when are we getting it?  seems to be the big question in the newsgroup

 [I just got an email on this as a matter of fact]

Patience.

We need Windows 2003 SP1 to come out before we can get our wizardized ISA 2004, which will be included in Small Business Server Service Pack 1.  If you want to put ISA 2004 on your server, remember that .....

a.  You won't have help from the newsgroups ... I'm staying with what is official for our platform which is ISA 2000.

b.  You will have to get help from the folks at ISAserver.org and trust me... sometimes those ISA guys are not exactly SBS friendly  :-)

c.  You'll have to buy the product outright and get the necessary cals if you want it NOW.

“Already know you that which you need”... Yoda

Stay with the force... patience,  young padawan, patience.

ETA is 2005.

 

Posted Thu, Aug 26 2004 22:26 by bradley | with no comments
Filed under:

Ah ...the lovely sound of God's computer department telling me that “no, you are not going to do what you thought you were going to do, you are going to quickly arrange for a fast down time for swapping out a SCSI hard drive tomorrow that suddenly died today.”  The second drive of my RAID 5 array decided that today it would go into “DEAD” mode.  So while the other two are “OPTIMAL”, the one is quite, irretrievably, dead.  And because the drive is on an Adaptec RAID card, it nicely alerts you to this potential failure you have on your hands with a blood curdling screeching noise that about makes you go deaf.

So I was planning to migrate over to a new server and take this server and make it a member server a bit later in September [after SMB Nation].  God's computer department just moved that time table up.  I was spec'ing out servers anyway but it just puts a bit more urgency into the situation. 

Oh well life in the computer age......

Posted Thu, Aug 26 2004 18:43 by bradley | 1 comment(s)
Filed under:

Check out the netstat -b command and how it can show you what executable is creating the connection and listening port.  Oh what fun... we might be able to better see trojans and malware  :-)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

This looks fun!

~Susan
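As an added example (not code from the original post), here is a small Python script that parses the output of netstat -b (combined with -a, -n and -o, as described in the help text above) and flags listening sockets whose owning executable is not on a baseline of processes you expect to see listening. The sample output, the executable names in it and the baseline list are all constructed for the demonstration; the format follows the help text's description, with component lines above and the executable name in [] at the bottom of each block.

```python
"""Parse `netstat -abno`-style output and flag listeners not on a known baseline.

Added example, not code from the original post.  SAMPLE_NETSTAT is a
constructed capture in the layout the XP netstat help text describes;
EXPECTED_LISTENERS is an assumed per-machine baseline, not a Microsoft list.
"""
import re

# Constructed sample output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  c:\\windows\\system32\\WS2_32.dll
  C:\\WINDOWS\\system32\\RPCRT4.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2212
  [winupd8.exe]

  TCP    192.168.1.10:1041      192.168.1.10:445       ESTABLISHED     2212
  [winupd8.exe]

  UDP    0.0.0.0:500            *:*                                    732
  [lsass.exe]
"""

# A connection line: proto, local, remote, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# The executable name sits in [] at the bottom of each block.
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Assumed baseline of executables allowed to hold listening sockets on this box.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "alg.exe"}


def parse_netstat_b(text):
    """Return one dict per socket: proto, local, remote, state, pid,
    executable (from the [] line) and the component lines above it."""
    records = []
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid),
                       "executable": None, "components": []}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue  # header text, or blank separator between blocks
        m = EXE_RE.match(line)
        if m:
            current["executable"] = m.group(1)
        else:
            current["components"].append(line.strip())
    return records


def unexpected_listeners(records, expected=EXPECTED_LISTENERS):
    """Listening TCP sockets and bound UDP sockets whose owner is off-baseline."""
    return [r for r in records
            if (r["state"] == "LISTENING" or r["proto"] == "UDP")
            and r["executable"] not in expected]


def sockets_by_pid(records):
    """Group every socket by owning PID so an odd listener can be pivoted
    to the same process's outbound connections."""
    grouped = {}
    for r in records:
        grouped.setdefault(r["pid"], []).append(r)
    return grouped


if __name__ == "__main__":
    recs = parse_netstat_b(SAMPLE_NETSTAT)
    for r in unexpected_listeners(recs):
        print(f"unexpected listener {r['local']} ({r['proto']}) "
              f"owned by PID {r['pid']} [{r['executable']}]")
        for peer in sockets_by_pid(recs)[r["pid"]]:
            print(f"    same PID: {peer['local']} -> {peer['remote']} {peer['state']}")
```

On a real machine you would pipe `netstat -abno` into a file (remember the help text's note that -b needs sufficient permissions and can be slow) and feed that file to parse_netstat_b; the baseline set should be built from a known-clean snapshot of each box rather than the four names assumed here.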

Chris Quirke (new address) wrote:
Stop me if you've heard this one; consider this the formal heads-up!

This is a serious bug, as most affected users who install SP2 will assume
the system cannot be salvaged, and will wipe and rebuild from scratch.

Cari and I have both hit this issue, and found references to it elsewhere
in various forums etc.  We know it affects some systems based on Intel's
865 and 875 chipsets, which have been bulk products for a while now.  We
suspect it only applies to Prescott generation processors.

AumHa Forums:
http://forum.aumha.org/viewtopic.php?t=7447

Obviously I don't have Prescott processors  :-)

Posted Wed, Aug 25 2004 23:24 by bradley | with no comments
Filed under:

I was called today by a reporter getting my experiences with XP SP2, given that TODAY was the start of the push out to the masses.  I told the reporter that I had manually installed Service Pack 2 and on one laptop I had issues with it being installed due to the fact that it has two versions of AOL on there [version 7 and 9] and it corrupted the TCP/IP stack...mainly because AOL 7 in particular was back in the day when AOL built its own funky dialer.  I went on to say that my experiences with using my patch management tool Shavlik were flawless, no runs, no drips, no errors, and that the rollout on the desktops went without a hitch. [Thank you Eric and the gang at Shavlik by the way]  As I was talking to the reporter he started saying things like “you would think that Microsoft would have tested this with AOL” and I could just imagine the headlines.

I'm not putting the blame on AOL exactly and especially not on SP 2.  I mean like stuff happens.  And especially on an older laptop that used to be Windows 2000, then updated to XP, Office XP with a layer of Office 2003 on there and previously on AOL 7 and had a second copy of AOL 9, it's no wonder it did what it did.

But anyway, the rollout with Shavlik's HFNetChkPro did go very very well.  Get a patch tool folks, it makes your life WAY easier.  And it gives folks like me who are control freaks a thrill when I can remotely push and reboot my computers in my network.

So if you read an article where it says “XP sp2 doesn't work with AOL”.... uh.... well.... you see.....it's like this.....

Posted Wed, Aug 25 2004 23:12 by bradley | with no comments
Filed under:

The other day I blogged about the new Small Business Community opening up today and the blog post was picked up by Scoble and by Bink.  It then ended up on the CRN site for breaking news.  I had to laugh about the statement by Jennifer Bogdalek who said “it's a result of a grassroots effort”.  That makes it sound like they are baking cupcakes and doing a bake sale or something.  So, you know me, I went off in search of the definition of “GrassRoots” and I found this web site.  On the site they state that the site is:

@GRASS-ROOTS.ORG tells the stories of the most innovative grassroots programs in the United States and the local heroes who've found effective ways to build their communities, fix what's broken and make them better.

Wow.  I think I like that.  That IS what this is all about.  It's all about building a community around those VARs and VAPs and resellers and vendors who support small businesses, about fixing what is broken about the current system and making it better.

The American Revolution was grass roots too, wasn't it?  But if you think about it, isn't this what a small business would do anyway?  Remove roadblocks and provide collaboration tools in their small organization?

I'd invite everyone to check out the new community web site.  Participate.  You get out of things when you give.  It's as simple as that.  Woody Allen said that 80% of success is showing up.

Sign up.  Go into each section and click on the “Alert me” on the left hand side.  You'll get notified when things change.  Hang out.  Lurk.  Post.  Chat.  Share successes and failures.  Learn from a person who is half way around the country or half way around the world that doesn't compete with you but knows exactly what you are going through.  See you there.  I'll be the one munching on the chocolate frosted cupcake.  ;-)

Susan

Posted Wed, Aug 25 2004 12:23 by bradley | 3 comment(s)
Filed under:

CRN is reporting that Oracle will be coming out with a competitor to the Microsoft Small Business Server platform.  Except that in their description of the program I think they forgot about email?  They just talk about the server, a web app server and a portal server?

[update note] And it's not just that mail needs to be inside or outside the server, it's the whole integration package with the mail client on the desktop.  What mail client will Larry recommend?  Outlook Express?  [just kidding]

Also Larry, if you don't also have the wizards of SBS, the “tao”, the “Yoda” of the box, you don't have what this market needs.  Wayne Small was attending the Australian Partner conference and reported that many partners there didn't know about the wizards.

Jeff Middleton once again put it the best...

“The IT Pro needs to be assured that the wizards are not there to dumb down the product as much as to get you into the game, at a documented and known point of installation where the true skill tasks are needed.

Nobody takes a Windows CD and copies the files individually, then uses a remote machine to edit a clean registry to add the services and devices manually. We don't do that because there's no point.

With SBS, bringing all those applications to a point of ready to use is only the start of the challenge that still requires significant skills.”

Posted Tue, Aug 24 2004 22:24 by bradley | with no comments
Filed under: ,

IT Admins Not 'Trusting' SP2 Security:
http://www.eweek.com/article2/0,1759,1638531,00.asp

Why don't those admins just run with IE in high security and shut up and install it? Geeze we're never going to have absolute security but at least we can be as protected as we can be.

This came down on the download site and Joe Wilcox of Microsoft monitor indicates it includes scripts for testing as well [haven't checked it out myself personally yet....]

Windows® XP SP2 introduces new security technologies to better enable Windows XP computers to withstand viruses, worms and other kinds of attacks. This guide will assist IT Professionals to test and mitigate application compatibility issues arising from these more stringent security technologies.

Posted Tue, Aug 24 2004 12:14 by bradley | with no comments
Filed under:

Want to get in on the ground floor of a new community?  The Microsoft Small Business Channel Community is about to open its doors on Wednesday and you are getting a sneak peek if you read this blog posting.  Log in, request a user ID for the site and join the Yahoo Groups listserv.

'The purpose of the SharePoint site will be to build a repository of information,  links, reference materials, etc. for the Small Business channel members to use and share with all members of the community. It will also be a place for us and them to share marketing ideas, how to sell information, etc. (Such as those currently and shortly to be listed under the "Sales Tools" section of the site now)

 

The purpose of the User Group will be to provide a real-time communication vehicle between all members of the community from around the world and the Small Business channel partners from around the country and world that wish to participate). Community members will be able to post questions and ideas to the entire Community and anyone in the Community will be able to read and reply to that post/inquiry directly with feedback and input in "real-time”.'

 

If you are a seller, consultant, reseller, VAR/VAP, whatever you want to call it to the Small Business marketplace, you need to join in this community.  The news says that Microsoft is stepping up to the Small Business push... well they aren't kidding.

Oh... this makes me feel “verklempt” as the Coffee Talk lady would say.  It's the same feeling I get whenever I watch this commercial on “Build your Business” that is all about building a small business.

Sniff...Sniff.. excuse me.. I need some Kleenex  :-)

P.S.  If you are reading this... pass this link along to those in the world who you think might be interested in this new community... I've already joined and I'm looking forward to interacting with folks from around the world who are all interested in small businesses. 

[Update.. rats!  I almost forgot.  Once you log in and get your username and password, log into a section of the Sharepoint site and on the left hand side, click on “Alerts” and sign up to be alerted when pages get changed.  Consider it like an RSS feed like for the site so that you can go to the site when pages get updated!]

<See this blog post for info on the CRN article on the new community>

Posted Mon, Aug 23 2004 22:56 by bradley | 6 comment(s)
Filed under:

So on yesterday's blog I linked to a story on RWW from MS AU division.  But I'm looking for a more “weedy” article on remote web workplace.  Why?   Because I don't think there is enough technical information on the pros and cons of RWW versus VPN.

So I was emailing with Jeff Middleton about RWW versus VPN and he brought up an interesting point.  The good thing about a VPN connection is that it builds a secure tunnel back to 100% of your network.  The bad thing is that it builds a secure tunnel back to 100% of your network.  With a VPN connection, you are at risk that the user will bring in viruses, unpatched machine connections as Jeff pointed out.  As he said,

“You can't compare the difference between RWW to VPN as if they are on the same level of absolute security for the entire site, and the only risks.  It's a topic that requires more depth than a yes, no answer.  If you open a VPN connection, you start by default with an unrestricted, unfiltered exposure of the entire LAN, from which you have to reduce your risk. It's a huge opening to do a threat analysis from, and you rely only upon the password as your protection. 

RWW flips that over. It opens a pin-hole, using SSL session to the website. You don't even need port 80.  You are building up function from the narrowest of openings to the client. Your threat analysis is fixed. You look at the server exposure to the web to present RWW "at all". From there, you present limited exposure "per user", "per session". The threat analysis is pretty tightly confined to building up, not scaling back.  The only major "exposure" you add to your risk is a very narrow issue of the RDP authentication not passing under encryption, though all the other client services do. It's a real issue, it's narrowed by how RWW handles that exact handshake timing, and qualification.”

As you can see, you aren't making the same kind of tunnel back to your network with a Remote Web Workplace connection.  The problem is that in the documents that talk about the features and benefits of both RWW and VPN technologies, they don't talk about both the risks and advantages well enough.

Is it a risk that you will set up RWW and expose it to the web?  Sure, but don't do that [Charlotte PSS Jason taught us DDT, remember?].  And if you are exposing your web site to the net [which you should first step back and evaluate risks and backup and recovery strategies on that], then make sure you put in Alan's robot exclusion file.

On a side note, I asked Ben Smith, the author of Assessing Network Security what he would take with him if he were stuck on an island with a computer....and he said the Internet and google. 

Information is powerful, isn't it?

 

So before I go to bed I'm scanning the blogs and I come across an older post on getting multiple remote desktops to publish through ISA 2004.  You know they could make their life easier by just buying Small Business Server 2003 and be done with it.  There's a recorded webcast that talks about RWW but there's also a great article from MS AU on what RWW is and how it works.

Posted Mon, Aug 23 2004 0:09 by bradley | 2 comment(s)
Filed under:

Gavin's Fragments - Maintenance required:
http://interprom.blogspot.com/

David Hibbeln's Tips:
http://thenorwichgroup.blogs.com/davidhibbelnstips/

Posted Sun, Aug 22 2004 23:45 by bradley | with no comments
Filed under:

If you want to extend the timeout value in the RWW, the value that controls this is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal

Value : PublicTimeOut

The number of minutes is the decimal value shown in parentheses.

Just remember that if the person steps away from the remote computer on the other end, this may be a security issue.
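For an audit of that setting across several servers, here is an added example (not from the original post) that reads PublicTimeOut out of a .reg export of the key above and compares it against a site policy maximum. The export text is constructed, the assumption that the value is a REG_DWORD holding minutes follows from the decimal-in-parentheses display mentioned above, and the 20-minute policy limit is a made-up figure to show the check.

```python
"""Audit the RWW idle timeout (PublicTimeOut) from a .reg export.

Added example, not code from the original post.  Assumptions: the value is a
REG_DWORD whose decimal value is minutes, and the site policy maximum is 20
minutes.  SAMPLE_REG_EXPORT is constructed, not a real export.
"""
import re

KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal"
VALUE_NAME = "PublicTimeOut"

# Constructed text in the layout `reg export` produces (already decoded from
# the UTF-16 file reg.exe writes); not a capture from a real server.
SAMPLE_REG_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SmallBusinessServer\\RemoteUserPortal]
"PublicTimeOut"=dword:0000001e
"""

# A DWORD line in a .reg file: "Name"=dword:XXXXXXXX (hex, 8 digits).
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def read_dword(reg_text, key_path, value_name):
    """Return the DWORD named value_name under key_path, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            # A [section] line switches the key the following values belong to.
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = DWORD_RE.match(line)
        if m and m.group(1).lower() == value_name.lower():
            return int(m.group(2), 16)
    return None


def check_timeout(reg_text, max_minutes=20):
    """Return (minutes, within_policy); minutes is None if the value is missing,
    which is treated as a policy failure so an unset server is not waved through."""
    minutes = read_dword(reg_text, KEY_PATH, VALUE_NAME)
    if minutes is None:
        return None, False
    return minutes, minutes <= max_minutes


if __name__ == "__main__":
    minutes, ok = check_timeout(SAMPLE_REG_EXPORT)
    print(f"PublicTimeOut = {minutes} minutes; within policy: {ok}")
```

The point of treating a missing value as a failure is the caveat above: a session that stays alive while the user has walked away from the remote machine is the risk, so an audit should make you look at every server where the timeout is not explicitly set or is set longer than you intended.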

More Posts Next page »