[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] October 2004 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

October 2004 - Posts

It's two months and counting.... to what you ask? 

To End of Life of Windows NT Server.  So for anyone still running SBS 4.5 [or heaven forbid SBS 4.0] the clock is ticking folks. 

Microsoft Monitor talks about the latest Steve Ballmer memo about Windows versus Linux and says it's related to the end of life of Windows NT and the announcement of Dell and Novell's SuSE Linux.  For the small biz space, I still don't see a huge move towards Linux, especially as the main domain controller.  Medium firms, larger firms, but not down here.

So get ready to say goodbye to DIP switches.

Goodbye to no plug and play.

Goodbye to closing my eyes and thinking happy thoughts as I would reboot my SBS 4.5.

Goodbye to a platform that served us well, but its time is now over.

 

My apologies, it's a little hard thinking geek topics tonight when I'm standing here in a purple gown, flowing sleeves that keep getting in the way, a long red wig and a “Princess” hat on.  You see, tonight is the tradition of “trick or treat” called Halloween.  So cats, witches, and other assorted characters come to my door asking for candy in exchange for yelling “Trick or Treat” at the door.  We decorate our house and I always dress up in a costume to answer the door. 

So right now in between “trick or treaters” I'm on the wireless, typing on the laptop and shoving up my sleeves.  But I think if Princess Aurora was around today, she'd be on the Internet and she and Prince Charming would be making sure they stayed in touch with their subjects.  You don't have to be a member of the Geek Squad to be “online” and “in touch”.  She'd have an MP3 player, I think, along with a DVD player, either a TiVo or a Windows Media edition, and of course, so she could swap photos with Snow White, a digital camera and what not, and she'd probably be a “moblogger“.  She'd have a smart phone for certain.  She and Prince Charming would have RSS feeds of the latest happenings of the Kingdom.  You know... the latest of what's up with Flora, Fauna and Meriweather and what not. 

Seriously, look at the technology that is now used in animation and entertainment that we take for granted.  Pixar has a product called “Renderman“.  Heck, who 'da thought that “Ray Differentials and Multiresolution Geometry Caching for Distribution Ray Tracing in Complex Scenes“ was uber geek speak for “this is how we do that really cool animation at Pixar“.  Shrek 2 was done with faster better computers, and George Lucas used newer technology to update Star Wars.

So as I go to answer the door again, just remember that technology is all around us and is even entertaining us.

Happy Halloween everyone!

Posted Sun, Oct 31 2004 19:02 by bradley | 2 comment(s)
Filed under:

Note to all... if you have a sudden problem with one or two workstations in your clients' offices that insist on booking appointments an hour off of everyone else, make sure they have the box checked “automatically adjust for daylight savings time“ by clicking on the time in the system tray and checking the second tab on the time screen that pops up.  I swear that EVERY OEM Dell I've ever purchased does not retain this setting, yet every workstation that I've personally installed has kept that setting.  Dell support reps blame Microsoft, yet I know that cleanly installed XP machines retain this setting.

Bottom line, if you've bought a new Dell since April, double check this little box, otherwise that workstation may think it's an hour different than everyone else.
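As an added example (not from the original post), here is a PowerShell function that audits the setting described above by reading it from the registry instead of clicking through the Date and Time dialog on every workstation. `Get-DstAutoAdjustStatus` is a name chosen for this example; the registry key is where Windows stores the checkbox, with the XP/Server 2003-era value name and the Vista-and-later value name both checked. Remote use assumes PowerShell remoting is already enabled on the target machines.

```powershell
# Added example (not from the original post): report whether "Automatically
# adjust clock for daylight saving time" is turned on. The checkbox writes to
# HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation under one of two
# value names, depending on the OS generation:
#   DisableAutoDaylightTimeSet   - Windows XP / Server 2003 (the era of the post)
#   DynamicDaylightTimeDisabled  - Windows Vista and later
# In both cases a value of 1 means the automatic adjustment is OFF, which is
# the symptom described above (appointments an hour off after the time change).

function Get-DstAutoAdjustStatus {
    [CmdletBinding()]
    param(
        # Remote workstations to query via PowerShell remoting; empty = local machine.
        [string[]]$ComputerName = @()
    )

    $check = {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
        $props = Get-ItemProperty -Path $key

        # Use whichever value this OS has; if neither exists the adjustment is enabled.
        $disabled = 0
        $found    = 'none present (defaults to enabled)'
        foreach ($name in 'DynamicDaylightTimeDisabled', 'DisableAutoDaylightTimeSet') {
            $v = $props.PSObject.Properties[$name]
            if ($null -ne $v) { $disabled = [int]$v.Value; $found = $name; break }
        }

        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            AutoAdjustEnabled = ($disabled -eq 0)
            ValueChecked      = $found
            LocalTime         = Get-Date   # handy for spotting the machine that is an hour off
        }
    }

    if ($ComputerName.Count -eq 0) {
        & $check
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
            Select-Object ComputerName, AutoAdjustEnabled, ValueChecked, LocalTime
    }
}

# Local check:
Get-DstAutoAdjustStatus | Format-Table -AutoSize

# Fleet check (hypothetical names): list only the machines that will drift.
# Get-DstAutoAdjustStatus -ComputerName 'WS01','WS02' |
#     Where-Object { -not $_.AutoAdjustEnabled } | Format-Table -AutoSize
```

Any row showing `AutoAdjustEnabled` as False is a workstation that will be an hour different from the rest of the office after the clocks change; the fix is the checkbox the post describes.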

Remember we're changing the time tonight!

Posted Sat, Oct 30 2004 23:26 by bradley | 1 comment(s)
Filed under:

Issues that may occur when you use Outlook Mobile Access with Sony Ericsson mobile devices in Exchange Server 2003:
http://support.microsoft.com/?kbid=871194

You may receive an "Error 1920. Service RtcSrv (RtcSrv) failed to start" error message when you try to install Live Communications Server 2003:
http://support.microsoft.com/?kbid=883320

"The following user settings are private" error message when you try to migrate a user's profile to Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=886210

"HTTP 500 - Internal Server Error" error message when you try to open the Companyweb Web site after you perform a disaster recovery in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=886618

Low disk space may occur when you use the Remove E-Mail Attachments feature in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=828058

Small Business Server 2003, Standard Edition does not support dial-on-demand USB networking devices:
http://support.microsoft.com/?kbid=829045

How to Reinstall the Small Business Server 2003 Consoles:
http://support.microsoft.com/?kbid=829622

How to move the client programs folder to another location in Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=830254

Users cannot connect to your Small Business Server 2003 computer by using Remote Web Workplace:
http://support.microsoft.com/?kbid=886206

The Backup Configuration Wizard ends and you receive an "Unspecified error" error message in Small Business Server 2003:
http://support.microsoft.com/?kbid=886297

Some administrative shortcuts may be missing from the Administrative Tools menu if you perform an in-place upgrade of Small Business Server 2000 to Small Business Server 2003:
http://support.microsoft.com/?kbid=885956

Fax send fails when you try to send a fax from a Windows XP-based client computer through a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=885123

I was on the phone earlier tonight talking to a gentleman about security and the impact of it on the Value Added Reseller and Value Added Provider marketplace.  As I was talking to the gentleman, he was saying that consultants tended to install the networks and then just go on to the next network.  Hmmm... not the consultants that I hang around with.  Sure there is always the revenue from the new projects, but networks need maintenance.

Now before you say, well, that's because you run a Windows network.  No.  It's because I run a NETWORK, period.  A living, organic, working environment that needs vigilance. 

Today in the EnCase computer forensics class, the instructor was asking one of the students about his position and the student said that most of the time his job included “firewalls”.  So the instructor said, “Well, you probably just set them up once, right?”  And the student said, “No, actually on a regular basis we have to examine intrusion attempts, ensure that remote access to the network has only been done by authorized employees”.  You don't just set things up and walk away. 

Take today for example: I got a couple of alerts about Bagle variants, and next month, second Tuesday, we will have another Patch day to review the patches for.  On a regular basis, I would argue that you should make sure that no one has changed the network you have configured.  To ensure that a network stays secure, passwords and passphrases should be changed and the network should be scanned for rogue wireless access points, just to make sure that everything is as you left it.

Look around us.  What we consider to be secure today will not be secure tomorrow.  Already RSA has announced a Small Business push for two factor authentication.  Many of the folks in the class that worked for larger firms already do this.  That's something I'm interested in checking out.

Think about the last few years.  What we take for granted now, we did nothing like a few years ago.  Look at just what happened Thursday in the USA.  A law went into effect called “Check 21”.  No longer will you be getting copies of your paper cancelled checks; instead you will get a “digital” image.  Think of how much more we email, fax, send electronically, and order over the web now than we did a few short years ago.

You know what this business is like: the things you did ten years ago, five years ago are not what you do now.  Heck, did we even know what Voice Over IP was a few years ago?  And now more and more businesses are integrating it into their networks. 

Security is not an end goal.  It's a process.  We don't get a map, a final destination, it's like life.... we keep growing, learning, changing, evolving.

Over the last four days, I used computer tools to search for emails that were deleted and for documents printed.  I remounted drives that were fdisked.  I made hashes of certain files that I was looking for and ran an exam against the hard drive to see if those files that weren't supposed to be on that hard drive were, in fact, on there.  I learned that as we were there using the Internet on our lab machines, traces of our activity, our email from our offices, were leaving their traces in our Internet temp files [just another reason to never use Internet kiosk machines to check email and to only use your own computer], and that while one piece of circumstantial evidence might be explained away, the patterns and history I was finding left trails behind.

Our “digital lives“ need constant attention.  Setting networks up, of any flavor, whether Linux or Small Business Server flavors, is not just about setting them up securely right NOW.   Keeping safe on the Digital Information SuperHighway age means that you will reevaluate that network on a regular basis.

Heck look at me now, sitting in a hotel room, connected wirelessly typing up this hopefully somewhat coherent post.  It wasn't too long ago that I was pretty much dialing up on the road.  I haven't used the phone cable in my laptop bag in ages. 

So getting back to the point of this rambling post, I don't think you guys just set up networks and walk away.  I think more of you guys out here are the other kind of VAR/VAP.  The one who is the Outsourced Chief Information Officer and not just “the guy [or gal] who installed the network“.

Went out to dinner tonight with Jim Locke [founder of the LA SBS User/partner group] and we were talking about how we didn't know if there was a web site resource that listed ALL of the products that had “SBS” versions that we had come across.  We were talking about how I had sent Dana to talk to Jim about the SBS marketplace and how it was really hard to find out sales numbers for our marketplace out here to give as a “carrot” for vendors to start coming into this space.  The best I've found is some Yankee Group research, but even then a lot of vendors have to, I guess, go on faith.

I'd like to start blogging about those vendors that have made the effort to join the SBS family.  Kind of a way to keep track of those folks that have taken the time to be SBS family members. 

We already talked about those vendors that came and supported SMBNation

In Googling “Small Business Server 2003 version“ let me see what I can find:

Hmmm... got a little problem here Vern.  I'm not getting hits of programs that have SBS versions.  But I know they are out here.  I know for a fact that Yosemite Tape Backup has a SBS version.

There's got to be more than this.

Okay folks... help me out here!  If you know of a third party program that has a SBS version, either post it in the comment section or email me at sbradcpaATpacbell.net and I'll accumulate the programs that you've found to be “SBS Family members”.

 

<oops realized I screwed up my email address -- it's sbradcpaATpacbell.net>

Posted Thu, Oct 28 2004 22:00 by bradley | 7 comment(s)
Filed under:

Microsoft Small Business Community (http://www.mssmallbiz.com) Update

Topics in this October 28th update:

1) Tuesday, November 19th Microsoft Small Business Channel Licensing Training Session
2) New MS Small Business Community User Guide Posted
3) Coming next week – Exchange Server 2003 SP1 and the Intelligent Message Filter Session posting
4) Microsoft Across America Events you can participate in for FREE
5) NEW – Microsoft Small Business Partner Engagement Program



1) MS Small Business Licensing for Partners - Microsoft Small Business Channel Training Session

Many of you have asked for this session, and now it is here!

Join us for this exclusive, Microsoft® channel-only event.  The “MS Small Business Licensing for Partners,” sales training session is being offered to our Small Business Channel Community to provide you the information and resources you need to differentiate yourself and win more business.  This session was developed exclusively for our channel partners based on feedback and requests from the highly-rated “Triple Your MS Sales in 2004,” and “SA for Channel Partners” sessions we ran earlier in our Midwest Area.  Consider this a MUST ATTEND event if:

1) You sell to companies with 75 PCs or less.
2) You want to know the real differences between OEM, Retail, and Volume License software and which is right for your customers.
3) You want to understand the differences between Open Business and Open Value and when to use each.
4) You want to learn what Software Assurance REALLY is and how to sell it.
5) You want to learn about current rebates, promotions, and tools you can use to drive more business today.
6) You want to know how your customers may qualify for FREE Microsoft® Office licenses, or FREE training on Microsoft® Office or Server products they purchase from you.
7) You want to build customer relationships that have them coming back to buy from you over and over.
8) You want to learn about the NEW Microsoft® Small Business Channel Community.


Knowledge IS power. 
Come learn how to win more business today! 
Presented by: Eric Ligman - Microsoft® Business Development Manager – US Central Region

Don’t just take our word for it…  Here are just a few comments from other MS Channel partners that have attended these sessions in the past:

- “Your presentation outlining licensing and software assurance clarifications was quite the epiphany.”
- “Excellent session.  I would like to attend more as everything makes more sense after attending.”
- “Outstanding presentation.  Very happy I made the trip.”
- “This session REALLY helps.”
- “Wow – fantastic information…  Today was time well spent!”
- “Excellent presentation.  A lot of information in a short amount of time.”
- “Great session.  Lots of content at summary & detail level.”
- “All partners should be required to attend a meeting like this.”
- “Great presentation!  Very informative regarding licensing.”
- “Topics covered were excellent, learned a lot.”

Tuesday, November 9, 2004 from 11:30 AM (CST) – 1:30 PM (CST)

To register or for more information on this session, please go to:

http://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032263703 or
http://www.microsoft.com/usa/events and enter Event ID 1032263703 in the Search box or call 877-MSEVENT and provide them with Event ID 1032263703.  Be sure to register today!



2) New MS Small Business Community User Guide Posted - We have posted a new Small Biz Community User Guide document in the MS Small Biz Shared Documents section of our site (http://www.mssmallbiz.com) describing how to do many of the most common questions we get asked.  Be sure to check it out and provide us your feedback on anything else you would like to see added to this Guide.

 

3) Coming next week – Exchange Server 2003 SP1 and the Intelligent Message Filter Session posting - Be sure to check out the Announcements section of our site next week (if you don’t already have an Alert set up on it) as we will be posting the registration information for Brad Billison’s (Central Region Small Business Technology Specialist) upcoming Exchange Server 2003 SP1 and the Intelligent Message Filter LiveMeeting session that he will be conducting in November.  The feedback on Brad’s Windows SharePoint Services session in October was great and the Exchange session is bound to be fantastic as well!

 

4) Microsoft Across America Events you can participate in for FREE - Did you know that you have the ability to participate in a local Microsoft Across America event in your area for FREE?  This is free marketing for you and an opportunity to meet new prospects, be highlighted as a Microsoft Partner, and get more exposure in your local markets.  Participation can range anywhere from having a table in the back of the event to show your services to having a timeslot on the NEW Microsoft Across America mobile Technology Vehicles to bring your customers and prospects through and show off the latest Microsoft technologies!  And the best part…  it’s FREE!  Be sure to go to the Microsoft Across America section of our site (http://www.mssmallbiz.com) for information on how to sign up, locations in the Central Region that we have openings for you to participate in and more (including pictures of the NEW mobile Technology Vehicles mentioned above).

 

5) Microsoft Small Business Partner Engagement Program - Enroll in the Partner Engagement Program for Small Business!  Designed for re-sellers with small business clients, involvement in this program will support your marketing and sales efforts for Microsoft® Windows® XP Professional (with Service Pack 2), Office Small Business Edition 2003, and Windows Small Business Server 2003.  As a member of the Microsoft Partner Program, you're well-positioned to provide your customers with services designed to improve their business productivity while generating incremental revenues for you. To start expanding your service and revenue opportunities right away get involved and sign up for this Small Business Engagement Program!  Click here to learn more: https://partners.microsoft.com/Pep/default.aspx

Posted Thu, Oct 28 2004 14:22 by bradley | with no comments
Filed under:

From today's mailbag, James asks “What type of emails do YOU or others send to the company's employees to get them excited about the install that is coming soon?“ 

Good question.  I know in my firm we have training sessions to ensure that folks know how to use the new stuff, and while the SBS box sends out a “welcome to your new server“ email, it certainly isn't something that folks probably take the time to read. 

I know that Chad does in-depth training in Outlook [and SharePoint] for his clientele, but I don't know if he sends out emails “ahead“ of time. 

This is part of that “managing expectations“ process.  There does need to be a process where you communicate with your clientele and ensure they are aware of the process. 

In my firm, before the install is rolled out, I normally don't send out notifications ahead of time, I do the training once the install is rolled out. 

So I'll ask the community out here.... do you send out emails ahead of time to let the employees know what is in store?  How much training do you budget ahead of time for your install?

I see folks on the web talk about how you MUST validate your Windows before downloading some things like the Microsoft Time zone tool.

That's actually incorrect.  You can say “no” to validation and still get to the download page.  Personally, while I understand that any corporation needs to worry about piracy and what not, what I don't like is how it penalizes those of us who are trying to do the right thing. 

At this point in time you “can“ say no.

In our MVP community several people have noted that even on OEM installs it has failed to validate the operating system and they've had to either “opt out” or dig up the product key code to make it validate properly. 

Before you penalize those of us that ARE trying to do the right thing, make sure this is bulletproof... especially for those OEMs, okay? 

And another thing.  While I'm in rant mode here tonight, can we do a little bit better job of communication when you bring out new initiatives like this and the new KB search and Microsoft support pages? 

I don't know if it's that Microsoft sends too many emails or not enough, or not the right kind, but I must have missed the memo about the changes to the Microsoft support web site and to the Validation initiative. 

A little less on some stuff and more on stuff that truly touches me, okay?

So in the EnCase class today we're discussing hashes and file signatures.  And we discuss how you can change the file name but you can't change the hash value.  So Gater.exe would still be identified as a bad program no matter what you renamed it.

So I'm chatting with Eric F and he brings up that much of this can be done with group policy.  So off to google I go to check and sure 'nuff, we can block this stuff like this.  So why aren't we?

The article “To create a hash rule” talks about exactly how to do this in Software restriction policies.  Now granted, it would probably be tough to do this, and it might be easier to build the “here's the good program” database and just put in those programs that CAN be run, but why aren't we utilizing more of this power that we have already under the hood?

Like all the running around with our heads cut off we've been doing for the gdiplus.dll issue.  Couldn't we build a restriction policy to either allow only the good one to run or the bad one not to run?  Or am I oversimplifying this?

NIST has hash files that you can subscribe to along with other sources on the web.
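The point of the hash-rule discussion above is that a rule keyed on the file's hash survives a rename that a path- or name-based rule would not, whether you run it as a “bad program” list or a “good program” list. As an added example (not from the original post, and not Microsoft's Software Restriction Policy code itself), the PowerShell below demonstrates that property on constructed sample files: `Get-HashVerdict` is a name chosen here, the file names and contents are made up for the demo, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original post). Hashes are computed over a
# file's bytes, so renaming the file cannot change them. A hash list can
# therefore work as a denylist (known-bad hashes, such as a NIST-style feed)
# or an allowlist (hashes of the programs you approve), which is the same idea
# a Software Restriction Policy hash rule is built on.

function Get-HashVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Directory,
        # SHA-256 hex strings the list is keyed on (case does not matter).
        [Parameter(Mandatory)][string[]]$HashList,
        # Deny : flag files whose hash IS on the list  (bad-program list).
        # Allow: flag files whose hash is NOT on the list (good-program list).
        [ValidateSet('Deny','Allow')][string]$Mode = 'Deny'
    )
    Get-ChildItem -Path $Directory -File -Recurse | ForEach-Object {
        $h      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $listed = $HashList -contains $h        # -contains is case-insensitive
        [pscustomobject]@{
            Name    = $_.Name
            SHA256  = $h
            OnList  = $listed
            Flagged = if ($Mode -eq 'Deny') { $listed } else { -not $listed }
        }
    }
}

# --- Demonstration on constructed sample files (plain text, nothing harmful) ---
$lab = Join-Path ([System.IO.Path]::GetTempPath()) ('hashdemo_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $lab | Out-Null

Set-Content -Path (Join-Path $lab 'unwanted.exe') -Value 'pretend this is the unwanted program'
Set-Content -Path (Join-Path $lab 'tool-a.exe')   -Value 'pretend this is approved tool A'
Set-Content -Path (Join-Path $lab 'tool-b.exe')   -Value 'pretend this is approved tool B'

# Build both lists from the files as they exist right now; this is the step an
# admin performs when creating hash rules (or that a published hash feed supplies).
$badHashes  = @((Get-FileHash -Path (Join-Path $lab 'unwanted.exe')).Hash)
$goodHashes = @('tool-a.exe', 'tool-b.exe' |
    ForEach-Object { (Get-FileHash -Path (Join-Path $lab $_)).Hash })

# Rename the unwanted file to look harmless. The bytes, and so the hash, are unchanged.
Rename-Item -Path (Join-Path $lab 'unwanted.exe') -NewName 'notepad.exe'

"== Deny mode (bad-program list): the renamed file is still flagged =="
Get-HashVerdict -Directory $lab -HashList $badHashes -Mode Deny | Format-Table -AutoSize

"== Allow mode (good-program list): anything not approved is flagged =="
Get-HashVerdict -Directory $lab -HashList $goodHashes -Mode Allow | Format-Table -AutoSize

Remove-Item -Path $lab -Recurse -Force
```

In Deny mode the row for `notepad.exe` shows `Flagged` True because its hash is still the one recorded for `unwanted.exe`; in Allow mode it is flagged for the opposite reason, its hash is not among the approved ones. The trade-off the post raises is visible here too: an allowlist must be updated every time an approved program is patched, because the patched binary has a new hash.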

I just think that as we go forward more of the “kewl” stuff like this will be more integrated and automated.

Last week I posted about how you guys in Australia were getting Wayne Small, Dean Calvert AND Jeff “Mr. Swing It!! Migration” Middleton at an HP and Microsoft SMB conference throughout Australia.  Well it's only fair that we in the USA get something nice this week, don't you think?

I just found that there's a new TechNet Magazine that is free to techies in the USA.

I just ordered my copy and you can review some of the articles online.  Dr. Jesper Johansson and Steve Riley are working on a book together and a sneak peek is included in the first edition of TechNet Magazine.  Anatomy of a Hack talks about what you need to know that the “bad guys” already know.

I'm in Pasadena this week at EnCase/Guidance Software training and one of the key elements they discussed was an AUP.  What?  Don't know what an AUP is?  It's your guideline to your employees... it's called an Acceptable Use Policy.  The SANS.org web site has a whole list of policies that I've linked to before. 

So ...do your clients have a security policy?  Do your clients require their employees to sign the policy?  Does it document what resources they have the rights to access?  Is it less than 10 pages?  This is approximately the size that will result in 15 minutes of attention.  If employees cannot read it in 15 minutes it's too long.

I'm listening to a recording about the subject and one of the recommendations they make is to make sure that the boss is aware and in agreement of the policy.  Do you ask your client if they have a policy?  Do you recommend that you help them craft a policy.... one that they can live with? 

One of the discussions we got into today is that what is acceptable for one firm may not be for another.  A guy from a software firm that does databases [and no, it wasn't Microsoft] was saying that they use internal and external IM because for their environment they need this type of “collaboration” environment.  So for him, he can't restrict IM.  Another firm who is an insurance company has to worry about HIPAA, and any ePHI can't go over IM without protection and logging.  So for her environment, IM is not acceptable.  At least not the “normal” IM that most of us use. 

I realized today... as I was in the class that had Internet access on the desktops, that I would try out the web based MSN IM and realized that it appears that the traffic for MSN IM goes over port 80.   You know port 80?  What the experts call the universal firewall bypass port? 

It's clear to me that if we don't have the written policies in place to help the people know exactly what they can and cannot do, even in our small firms, we're not properly matching up policies with technology.  Even in our firms, we need both in place.  We have risks just like big firms.  Your security policy should be a clear roadmap of what your risks are.  If your clients, if you, have as your biggest risks worms and viruses, and your security policies do not include limitation or blocking of web based email, you are not aligning your policies with your risks.

So the next time you are in your client's office, ask them what their “pain point“ is... what are the biggest risks they face?  Now have them grab their security policy.  Compare that policy with what they just said their risks are.  Do they line up?

Posted Tue, Oct 26 2004 21:38 by bradley | with no comments
Filed under:

While the advertisement of the hotel only said “dataport”, the nice surprise was that it had Wireless Access in the rooms.   Right now I'm on my “baby laptop”, my Acer Tablet PC, just about ready for bed.  Tomorrow will be day one of a four day geek fest.  At the hotel I'm on a 172.16.x.x network here, and one thing I forgot to do to this laptop, just to do a smidge more security by obscurity, is change the Workgroup name to “not” be workgroup.  Not that I don't already have Windows Firewall enabled and Trend Micro's turned on... and no matter what Trend Micro's installer says, the two cohabitate just fine.  I try to make laptops that I use for the road be “just for the road” and I don't have them as domain units.  If I'm hanging out in wireless all over the place, taking the laptops to security venues and loading gawd knows what tools on here, I don't like them anywhere near my production domain.

I consider this the ultimate “air gap”.  I will use a USB pen drive and what not, but my machines that are my “test beds” I like to stay separate from the real network. 

I also make sure my laptop is up to date on patches and anti virus def files if it's going out on the "highway".

What about you?  Do you take extra precautions in your role as consultant to ensure that you don't get infected when connecting to others?

Posted Tue, Oct 26 2004 0:14 by bradley | 1 comment(s)
Filed under:

I'm going to be a bit offline the rest of the week and, checking with the hotel where I am staying, it looks like it only has dial up.  Ugh!  I'll be in search of a Starbucks for sure.  But it's all for a good reason.  The firm that I work for [you know, the day job] specializes in litigation consulting and for awhile we've been “dabbling” in forensics and are seeing a need going forward.  So I'm off to Pasadena tonight to start four days of training at Guidance Software/EnCase.

David Coursey went to the training and talked about it at eWeek recently.  NIST even has a paper on PDA forensics.

Personally I think I'll end up being even more paranoid than I am now... which may or may not be a good thing.  Friday night I went on a candlelight historical tour and one of the mansions that I walked through is now re-used as an office building by Attorneys.  What do I remember most about that building?  Not the wood staircase or the vaulted ceilings.  Oh no.  I remember freaking out that as part of the public tour they had us on walked right by their Windows 2003 server for the firm.  [And not an SBS box at that too!]

Nice physical security there.  We're making sure in my office that our new server that is being added to our network is in the locked network room, the patch panel is also under lock and key.  Our workstations have locks as well. 

After I get back from Encase training, I'll probably never let anyone save anything ever again. 

:-) 

Many times in the newsgroup the question gets asked “I just loaded up SBS and am looking at the network connections tab and there's no Internet Connection Sharing.  Where is it?”

It's not there because we have something better.  We have a RRAS firewall in SBS 2003 Standard or an ISA firewall in Premium.

<Click here for a larger view and click here for Handy Andy's step by step>

See that “Connect to the Internet” in the “To Do“ list that loads up after you finish the SBS install?  THAT's where our wizard lives to help you connect your server to the internet.  None of this wimpy Internet Connection Sharing stuff - we have a better way to connect.

And is everyone aware of the Chat coming up on this?

Windows Small Business Server 2003 Configure E-mail and Internet Connection Wizard

Join Microsoft experts on October 26, 2004, 2:00-3:00 PM PDT, to discuss how the SBS 2003 Configure E-mail and Internet Connection Wizard (CEICW) can help you configure your network.

October 26, 2004, 2:00 P.M. Pacific Time

A game of picking passphrases? 

Okay, here are the rules.  Think of a passphrase that you would use.  Say.... Mountain Dew comes in five flavors!  Now send that to passstud@microsoft.com.  In the latest installment of Passwords versus Passphrases by Dr. Jesper Johansson he asks:

In this installment of the passwords article series, we took a first step toward analyzing passwords and pass phrases. As you might have noticed, however, we do not know much about the pass phrases people use. In order to understand more about this, we would like to ask you a favor. If you would like to help us, think of a pass phrase you might use (preferably not the one you are currently using!) and e-mail it to passstud@microsoft.com*. We hope to get enough samples to be able to perform some analysis on pass phrases and understand how they are actually formed.

Sounds like fun!

I don't want Rolex watches.  I don't need V_agra.  I don't need P_nus enlargement.  I don't want an IBM laptop.

When I go to the HP web site and look at the 3d version of the zd7000 notebook, I didn't give you the right to suddenly load something called Viewpoint.

If I load up AOL's IM client, I also didn't allow you to load this up or whatever else you allow to tag along.  You have this ad campaign on that says you care about stopping malware.

To whatever software....I didn't give you the right to install Wild Tangent.

I didn't give you the right to install WexTech Answerworks either.

And ZDnet, after I specifically opted out of newsletters and email, I still ended up with junk mail from you guys.

Apparently you as vendors think that we're stupid enough just to put up with this?  Maybe we are because we aren't putting up the fuss we really should be doing.

And the sad part is how much effort we put into cleaning these boxes up.  We can't trust them anymore.  Yet we spend so much time and energy in malware tools when we should be flattening them and rebuilding the systems.

I was just chatting online with a guy who just rebuilt a system yesterday, loaded up AOL IM [for friends and family] and ended up with Viewpoint.  So I'm recommending that he loads up Trillian instead, which plugs into multiple IM networks.  Mind you, he's re-flattening a system he just built because he's in an industry where security is important and having programs “do things” that he didn't authorize is just not his way. 

Maybe that's the thing to do.  “Vote” with our feet and walk away from vendors that do this.  Or email them.  Or talk to their representatives.  Or.... well you get the idea.... start speaking out against this.  If we don't, we won't “own” our systems anymore.

Fredly posted in the newsgroup asking a question about WatchGuard versus ISA, and wherever else he crossposted to, he got another response that said this:

“The best thing you can do is to get a firewall such as WatchGuard or another box and remove the ISA. It's never any good idea to run a firewall on the same machine as your production server. I can't think of any explanation why MS didn't remove the ISA when they removed the TS on SBS2003; it's a bad idea to have a firewall on your production server, very bad. But if you have the WatchGuard you will be safe, and then you only need one network card. But if you are only running ISA, DHCP and DNS and not Exchange or other stuff, then you can use your SBS as a stand alone firewall and that's ok, but maybe a little overkill to have a SBS box for that and not only a standard server with ISA.”

To whom it may concern that posted that:  The best thing you can do is to understand that right now my vulnerabilities, my threats, my weaknesses are not my ISA on my domain controller but the fact that many of my line of business apps want local administrator.  Having a firewall on our little boxes is not where my security threats are coming in from, dude.  It's my blasted desktops that cause me my grief.  A firewall is a speed bump.  A Watchguard firewall is also just “software on a box”.  And right now with my Shavlik, I have a patch tool for my firewall.  Watchguard needs patching just like anything else. 

As long as you are running Windows 98 or XP in local administrator mode, the number of NICs, the position and make/brand etc. of your firewall is irrelevant. 

My threats are not attacking my domain controller.  They are attacking my desktops.

As long as we don't understand where our true vulnerabilities are.... we will be arguing while the house burns down in flames behind us.
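The post's point is that desktops where everyday users hold local administrator rights, not where the firewall sits, are the real exposure. Here is an added PowerShell example (not from the blog) that lists who is in a Windows desktop's local Administrators group and flags anyone outside an assumed allow-list; the allow-list contents and the Windows PowerShell 5.1+ LocalAccounts module are assumptions.

```powershell
# Added example, not the blog's own code: audit local administrator rights on one desktop.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember comes from Microsoft.PowerShell.LocalAccounts).
# The baseline below is an assumption; replace it with the accounts you actually sanction.
$allowedAdmins = @('Administrator', 'Domain Admins')

function Get-LocalAdminReport {
    # Every principal (user, group, computer) that currently has local admin on this machine
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Interactive user logged on right now, as DOMAIN\user (or $null if nobody is logged on)
    $loggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    foreach ($m in $members) {
        # Strip the DOMAIN\ or COMPUTER\ prefix so the allow-list can use bare names
        $shortName = ($m.Name -split '\\')[-1]

        [pscustomobject]@{
            Member        = $m.Name
            Type          = $m.ObjectClass       # User, Group or Computer
            Source        = $m.PrincipalSource   # Local or ActiveDirectory
            Unexpected    = ($allowedAdmins -notcontains $shortName)
            IsLoggedOnNow = ($null -ne $loggedOn) -and ($m.Name -ieq $loggedOn)
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# The situation the post warns about: an ordinary user account sitting in Administrators,
# especially if that account is the one driving the desktop right now.
$report | Where-Object { $_.Unexpected -and $_.Type -eq 'User' } | ForEach-Object {
    $note = if ($_.IsLoggedOnNow) { ' (logged on now)' } else { '' }
    Write-Warning "Unexpected local administrator: $($_.Member)$note"
}
```

Run it under an account that can read local group membership; a line-of-business app that "wants local administrator" shows up here as the user account it forced into the group.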

UPDATE:  Bruce Schneier has a blog post on this subject:

http://www.schneier.com/blog/archives/2004/10/security_inform.html

“Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products -- and are still insecure.

Firewalls didn't keep out network attackers -- in fact, the notion of "perimeter" is severely flawed. Intrusion detection systems (IDSs) didn't keep networks safe, and worms and viruses do considerable damage despite the prevalence of antivirus products.

The key to network security is people, not products.”


Oh man, am I envious of you guys in Australia.  You have a very special event coming up in the next months.  Combine that with three VERY special folks involved in it, and I'm tempted to move to Australia.  Jeff Middleton, SBS MVP and migration guru of SBSMigration.com, will be in Australia.  HP and Microsoft are presenting the HP and Microsoft SMB Reseller Summit in various locations in Australia.  He'll be discussing his Swing It!! Kit, which includes the Swing It!! Reference Kit and the Swing It!! Technician Kit.

The “Swing IT!!“ migration is a method that Jeff [and many of the larger partners] have been using for years - a way to ensure that you keep the domain name and don't mess with the desktops.  As Jeff puts it, you don't have to plan for only weekend installs anymore.

Then you have both Wayne Small AND Dean Calvert, again, both SBS MVPs presenting there as well!

Now what's funny about this is we always joke that Jeff is about two years ahead of the marketplace and he does most of his consulting and what not remotely.  Given that he crosses the international date line in the process, Henry was joking that Jeff can actually pro-actively support his clientele the day before something happens in their networks.  ;-)

Seriously though, this summit looks to be fantastic and one that I'd be definitely going to.

Perth

Thursday 11th Nov 2004

Hyatt Regency Perth

99 Adelaide Terrace

Perth WA 6000

Adelaide

Wednesday 17th Nov 2004

Adelaide Convention Centre

North Terrace

Adelaide SA 5000

Sydney

Tuesday 23rd Nov 2004

Sydney Convention & Exhibition Centre

Darling Drive

Darling Harbour

Melbourne

Wednesday 1st Dec 2004

Crown Towers, Melbourne

8 Whiteman Street

Southbank VIC 3006

Brisbane

Tuesday 7th Dec 2004

Brisbane Convention & Exhibition Centre

Cnr Merivale & Glenelg Streets

South Brisbane QLD 4101

Posted Sat, Oct 23 2004 14:36 by bradley | 1 comment(s)

Charlie Anthe [SBS release manager/Volleyball guru] comes through once again with a gem of a post.  And he showcases how Microsoft really uses the Dr. Watson “dump” technology to understand what is going on under the hood.  Interesting that hardware is one of the issues that they are seeing.  I've [knock wood] chugged on my SBS 2000 because of the hardware I chose.

Eric F also loves dump files.  You can be pounding your head on an issue and you contact PSS [Eric is “uber PSS” i.e. he's called in on the really gunky “weedy” stuff] and within seconds/minutes after uploading that file they are telling you what is going on with your system.

You hit the “send this to Microsoft” when the crash program prompts you and you help all of us.  Now that said, I still have people who think that they specifically track the crash that got sent up such that “I” can just call Redmond and say “Hey, we just hit the send button; can you look up the crash dump our system just sent you?”  Doesn't quite work that way.  If you are having issues, call Microsoft Product Support Services and they can set up a dump session.  Make sure you state that you are running a SBS box to ensure that you get back to the “Motherships” for SBS [my nickname for the locations around the world that have the PSS support engineers who are just as wacko SBSers as we are].  You are in very good hands when one of the SBS “Motherships” is at the helm.

Posted Sat, Oct 23 2004 11:09 by bradley | with no comments