[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] November 2004 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA


I'd like to point out some problems with the study you did, in particular the claims about SBS 2003.

In your write-up you indicate that, on an SBS 2003 box, "Mitnick and Ryan Russell, an independent security researcher and author of Hack Proofing Your Network, were contracted by Avantgarde to set up and carry out the experiment."

"To hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control."

As a person who is in the SBS newsgroups day in and day out, this doesn't happen.  We're road kill out here.  We don't have attackers specifically targeting our boxes, so the scenario you have described doesn't happen.

The reality is we are more hurt by misconfigurations, weak passwords and what not.

You don't give details as to whether this was an attack from the inside or remotely from the outside. Given that our file and printer sharing ports are closed from the outside, but obviously open and needed from the inside, I'm guessing {I could be wrong} that the firm has a Human Resources issue [how to fire someone, perhaps?] rather than an outside attacker problem.  However, since the article is unclear as to the technical detail of “finagle“, it's hard to say from what location the attack was launched.

Could a specifically targeted attack get into our systems?  Ever seen Dr. Jesper Johansson  aka Dr. J, “hack” his way into a fully patched network?  I have no doubt that you can "finagle" yourself into ANY network given enough time, expertise and talent [and a dash of social engineering thrown in if the normal methods don't work].

Reality is folks, that Ryan Russell and Kevin Mitnick would not be wanting to go after SBS boxes.  The reality is that spybots and malware are our issues. Stupid passwords and SMTP auth attacks.

Security is about Risk.  Ryan and Kevin are so NOT my risk factors. 

  • Stupidly misconfiguring my SBS box
  • Weak passwords
  • Not patching
  • No backup
  • Not paying attention to the risks of my desktops

Now THOSE are my risk factors.

{READ THIS FOLLOWUP - it was a stupid password that is our “finagle” vulnerability}

Sorry, he'll have to add descriptions later ...... but for those of you wanting to know Where's Jeff [besides in Melbourne for the Microsoft/HP/Trend SMB tour]?

He's in these pictures

You know... I think I see some lycra in there.... what do you think?

Posted Tue, Nov 30 2004 0:23 by bradley | with no comments

Sniff sniff... as I do my first “send to, as attachment” out of Excel via Outlook, I got my first sidebar box in Outlook that reminded me I'm on my new and improved SBS 2003 box now and we're no longer in Kansas [meaning SBS 2000] anymore!

See that?  That sucker is asking me... do you want to automagically set up a Sharepoint Shared space?  Oooh I'm getting gooseybumpies here.  You know about the document that talks about the best integration that you get is with Office 2003 and Sharepoint [and I would argue SBS 2003]?  Click on that link and see what I mean.


About shared attachments

When you send a file as a shared attachment, a Document Workspace site is created for the attachment in the Microsoft Windows SharePoint Services site that you specify. The Document Workspace carries the same name as the attached file.

Note  If you attach more than one file, the Document Workspace carries the name of the first file in the list of attachments.

Members of the Document Workspace

As the sender of the shared attachment, you become the administrator of the Document Workspace, and all the recipients become members of the Document Workspace, where they are members of the contributor site group.

Recipients can open the attachment, or they can follow the link that is added automatically to the message. The link goes to the home page of the Document Workspace, where a copy of the e-mail attachment is stored in the Shared Documents library.

Document updating

If the e-mail attachment is a document or Single File Web Page (MHTML) from Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, a document from Microsoft Office Visio 2003, or an XML file from Word or Excel, members of the Document Workspace can open and work on their own copy of the attachment while the Microsoft Office program that they're using to edit the document periodically gets updates from the Document Workspace. Members can also save their changes to the Document Workspace copy.


Mondo kewl, huh!

You have two last chances to see Jeff Middleton, Wayne Small and Dean Calvert, live, in person, with or without the lycra, at the HP/Microsoft/Trend Micro SMB reseller summits down unda [note the pronunciation... it's not under, it's unda].

Melbourne

Wednesday 1st Dec 2004

Crown Towers, Melbourne

8 Whiteman Street

Southbank  VIC  3006

 

Brisbane

Tuesday 7th Dec 2004

Brisbane Convention & Exhibition Centre

Cnr Merivale & Glenelg Streets

South Brisbane  QLD  4101

 

Dean [aka AquaMan] will be talking about Systems Management - Systems management is essential to the reliable operation of a server. This session focuses primarily on the systems management tools available with the Windows Server System for day-to-day server, client and patch management, the HP Systems Insight Manager tool, and remote management capabilities through Remote Web Workplace and HP Lights-Out management solutions.

 

Jeff [aka Superman] will be talking on - Windows Domain Migration This unique technical solution can redefine your SMB business and server support model, even put an end to the "business shutdown" or "the long-weekend server upgrade" approach to Windows Server and SBS upgrades. Direct shifts from NT4.0 Server to Windows 2003 domains become possible, as does a clean server installation recovery of Active Directory, salvage from a damaged solo Domain Controller or backup.  Swing Migration delivers a clean installed OS platform, with or without hardware replacement, retains the same server-name, same domain. ADMT is not required, no SID changes, no UNC namespace break, just a transparent server upgrade that includes the confidence of not impacting the workstations. This offers a documented process and keeps a customer's domain in production, even solves complicated Exchange based organisations on a single domain controller such as SBS operating as a file server as well. Your technician can work offsite, offline, open-timeline and with nothing to undo if unexpected issues arise.

Wayne [aka Batman] is discussing Security and Mobility - A primary concern for most SMBs is the need to secure their business from viruses and spam and to protect their business-critical data. This session demonstrates the methods and practices used in securing a Small Business Server, introduces the HP dedicated ISA Firewall VPN Cache Server and covers vulnerability management.  Microsoft Exchange Server 2003 and Small Business Server 2003 are equipped to allow your customers to access their email, calendar, contacts, internet and line-of-business applications from virtually anywhere on a range of devices. This session examines how to build a services revenue stream around mobility, demonstrates how to configure and manage mobile access and solutions, and looks at the mobile technologies available today and in the near future from HP and the offers available for your customers in market.

If I were you I'd hop on the nearest transportation and get there! 

 
Posted Mon, Nov 29 2004 18:50 by bradley | 5 comment(s)

Couple of stories today on the Air Force making a deal to get a “special security tweaked” version of XP.  And in the TaoSecurity blog, asks “Will Microsoft sell this "special version" elsewhere, and if so, is the Air Force the guinea pig paying to develop this version?”

Uh..sir... all the information YOU need to have this version is in this guide.  But here's the catch.  The special version that works for the Air Force MAY NOT work for you.  In fact, YOU may be able to tweak and tune more securely than they can.

I'd probably guess they have a lot of legacy apps and interoperability they have to deal with so I'm going to go out on a limb and say that I just “might” be able to tweak down tighter than the Air Force can.. I could be wrong.

The bottom line, folks... we've got the tools and information right NOW, today, to do exactly what the Air Force is getting. 

Read the ...um... manual folks.  It takes a real good understanding of your network, not a deal with Microsoft to be secure.

And while you are at it... read the Threats and Countermeasures guide and the 2k3 security guide.

Want to give the perfect gift for Christmas?  XP sp2 that's what.  So what are you missing out on if you don't have SP2?

While Windows 98 will have critical patches released until June of 2006, the fact that you have to lower the security in your network to accommodate those machines is unacceptable to me.  Remember, you are only as strong as your weakest link. 

For those folks that say “I have apps whose vendors won't support XP SP2”, to that I say, let me know who those vendors are.  Your vendors should not be the ones setting your security policy.

And Jethro?  Dude!  Get up to SP2 as fast as you can!  The people that I'm trying to jump up and down and get on XP sp2 are probably wheezing on Windows 95 and 98.  It almost sounds like you are already on XP sp1?  If so, what in the WORLD are you waiting for?  Granted, I think that XP sp2 without a server to control the features is like driving a fast car in second gear the whole way and I would argue that if you have 6 XP computers... dear... come on up to the pleasure us control freaks can get with group policy and XP sp2s and join us with a Windows 2003 server or better yet a SBS 2003 server to control those 6 machines!  Okay so maybe I'm a major control freak, but knowing that I can remotely patch, touch and control all my workstations just makes my day.

The only pain I had in upgrading to SP2 was two workstations that had digital video cards from Nvidia.  That's Nvidia, not Windows, at fault.  All of my other machines had no issues.  What's cool now is that I have firewalls on my desktops that I control from my server.  I've limited the attack surfaces of both my server and my desktops.  Now once I kick my workstations down to user mode ... that's “my” Christmas present to myself... I'll be in an even better position to protect and defend all over the place.

Jethro... it's not painful.  Not when you've made sure your machines are clean of spybot gunk like Charlie said.  And once it's done you can rest snug as a bug knowing that your machines have the best protection around.

We're putting up the Bradley Christmas tree and this normally includes one of us [normally me] crawling on my knees in the attic to pull out the Christmas ornaments.  The good news is this year we found the spare tiny light bulbs.. the huge bag of tiny light bulbs...that is as big as it is because every year we can't find the bag of spare tiny light bulbs until about December 26th and we buy more each year. All bulbs worked this year [we leave the light strings on the tree], so it's fitting we found the bag when we don't need it.  We'll probably forget where we're going to store it this Christmas season in case we need it so we'll probably end up with more light bulbs after we go to the store and buy more because neither one will remember where we stuck the bag.

When I was a little girl we had a mondo kewl Christmas tree.  Aluminum tree with the color glo wheel.  Now THAT was a Christmas tree.  None of this warm, cozy Christmas tree stuff, this was George Jetson's tree embodied.  To see how much it costs now... just don't tell my Dad, who probably sent it off to the Salvation Army years ago, how much they are selling for now.  But we didn't have a hardwood... nah... our tree was 100% metal.  One day Mom was vacuuming the living room and had to yell “timber” as she sent the tree tumbling over.

Okay enough of a break... time to crawl back in and drag out the rest of the ornaments.

P.S.  You don't have to call my Sister.. I made it out.  :-)

Posted Sun, Nov 28 2004 15:14 by bradley | with no comments

If you are into learning online you might want to check out some of the resources and links for info.

First off are the full video webcasts or seminars that can be found here at the Microsoft online seminars.  Click around and take a look.  Some great topics out there.

Then there are the Office Live Meeting style webcasts, which can be searched [sort of, anyway] through here.  It's really not clear, but if you uncheck everything except “on-demand” it appears to search old webcasts.  I'm checking to see if there's an easier way.

Then there are the chats [through the new interface that doesn't need funky ports opened up]. 

Then there are e-courses that you can take online.  Michael Howard refers to several of the Security Dev courses here.

A couple of other sites have great security online seminars.  Black Hat, for one, has online presentations.  Defcon has online stuff as well [check out their “see it“ and “hear it“ sections].

Last but not least Jerry has a long list of excellent resources.

I know that I even will fire up an archived webcast and stick the video over on my second monitor and listen in while multi-tasking.  It's a great way to at least keep up to date on the buzz words :-)

If you run an SBS user group, we're starting to do Office Live meeting presentations to groups amongst ourselves.  It's really cool.  All it takes is a phone, a high speed connection and an Office Live meeting account and we've had presentations where I'm in Florida, Roger and 25 other people are in San Diego and another presenter is in Redmond.  I've used the technology as well to have presenters talk to my CalCPA tech groups. 

Think about remote presenting to your clients as well.  Nothin' sells SBS more than showing what it can do.

P.S. Forgot one more source for Webcasts... the MSDN ones.

So in addition to putting in the server over the Thanksgiving weekend I was also reading a few more chapters in that future Security book that I've mentioned earlier in my blog that I'm giving feedback on.  [No, I wouldn't even dare to call it editing]  I keep feeling like Michelangelo and Leonardo DaVinci are asking me “so what do you think?” and I'm like standing there going... “Mike, Leo, guys, it looks really good but can you just change a few things here and there?”

Keep a look out for it next year from Addison-Wesley.  It's about protecting your network, but it's way way way more than just RJ45 and TCP/IP packets.  It's the whole she-bang from the bits and bytes to the people layer -- you know -- the really hard stuff to secure.  What's cool about it is that it's already made me stop and think about how I've set up my new network.  I didn't turn off SMB signing like I would normally have just knee-jerk done.  I disabled nolmhash because I knew I had no Win9x machines in my network.  I so totally winced when I had to get my scanner/copier/printer set back up and realized that the FTP service was not enabled on my server, and had to stick in the CD-ROM and enable it, because I realized I was increasing my “attack surface“.  It's already made me stop and think.  In fact, as soon as I reincarnate my old server as a member server, I'm moving the FTP to that one.  Granted, I'll still have FTP enabled inside my network, but it won't be on the “everything on it including the kitchen sink“ domain controller.

Reading the chapters has made me realize that my “eagerness to please and enable” introduces insecurity into my network.  In the newsgroup yesterday, [a] Andrew put forth a document that he wants to give to owners to make them realize that letting their employees install software is not a wise move.  Javier made an excellent point that at one point in time he used to think the IT admin that locked down everything was a jerk, and now he's realizing that that person was just trying to protect his network and was doing the right thing.  SuperG makes the point that your employees' computers are not “their computers“ even though the icon says “My Computer“.

So I guess you probably want to know who the two authors are that are writing the book you should put on your “this is a book you must have in the future” list?  One is Jesper Johansson [whom I call Dr. J because I can never remember if it's one n or two and one s or two without double checking] and the other is Steve Riley.  It's been interesting how many times I've seen people mention stuff they've learned from their sessions as they've traveled the globe giving security summits.  And the funny thing is that I've read comments on listserves as varied as Florida CPA geeky listserve, my SBS listserves, to blogs, to web sites.  I keep joking they need to patent or trademark their jokes because I keep seeing them repeated elsewhere.

Put it on your wish list.  It's a must get/must read in my opinion.

“Hey, Mike, the Chapel looks great but can you make the figures a little skinnier... and Leo... put a bit more smile on the girl will ya?”

[a] please note if you click on those links your default newsreader will launch you to the sbs2k3 newsgroup

Posted Sat, Nov 27 2004 23:49 by bradley | 3 comment(s)

Tim Barrett posted in the comment section a really kewl idea that I just had to pull up to the front blog.

Here's the idea. 

  • You, the IT pro, do a blog [blogger.com is free] of tips, tricks, announcements and happenings of interest to your customer.
  • You set up a SharePoint feed reader on your client's SharePoint that sucks in RSS feeds.
  • You subscribe your client to your feed.
  • Your client now gets announcements from you, not spam filtered, not stopped by email issues.
  • Your client now has a direct communication link from you.

So what do you need to accomplish this?  Most of the ingredients you already have, or they are to be had for free.

Remember, if the client is behind ISA you will need to add proxy info:

There are two ways you can use this web part behind your proxy server.  The first is to set your proxy configuration in the Portal's web.config file:

  <system.net>
    <defaultProxy>
      <proxy proxyaddress="server:port" bypassonlocal="true" />
    </defaultProxy>
  </system.net>

The second option is to configure the proxy server settings on the web part.  In SHARED VIEW, the proxy server/port settings are enabled for you to enter them.

And Nick found the command that adds the web part to your SharePoint, but I also stuck the batch file here [note the opening quote on the STSADM path is needed, since the path contains spaces]:

"C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\STSADM.EXE" -o addwppack -filename "C:\Program Files\Smiling Goat\FeedReader\SmilingGoat.FeedReader.cab" -globalinstall -force

Nick also sent me his FrontPage part that can be used to easily import [and it still has his firm name on it :-)].  I'll ping him to double check to see if I've forgotten anything.  I know he had to walk me through a few steps... the main one being that batch file he did for me. [It still needs to be easier for us non-coder/admin types, in my opinion.]

Anne also has a service where she sets up business blogs for folks, gives the person a tutorial on how they work, etc., if you still aren't convinced that blogs are a business tool.  It's a relatively inexpensive way to get a leg up on how the process of “blogging” works. 

It's funny because for a while when Anne and I would go nutcase over blogs, some of our geek counterparts were rolling their eyes. There are some even saying that if you don't have RSS.. that they just don't listen to you. 

So check out adding RSS to your client's Sharepoint!

Just to let you know that on this server I did NOT have to turn off SMB signing to get the Konica copier/printer to work and the file transfer speed working.

I left the system “as is” with a full network of XP SP2 machines and the NIC at autosense for the gigabit NIC and 10 Mbps for the Internet NIC, and do not see any issues with file transfer speed.

I think I would say if you have no Windows 98/ME/NT machines, you shouldn't have to disable SMB signing. Give it a try and see what you think.

Andy actually re-enabled it last week as he was getting “You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server Service on a domain controller”, and Kevin was noting that he was seeing the same issue.

Kevin also reported finding some kewl stuff in the gpresult /v command:

Gpresult.exe syntax

Gpresult.exe uses the following syntax:

gpresult [/v] [/s] [/c] [/u]

You can use the following parameters with Gpresult.exe:

/v: Use this parameter to run Gpresult.exe in verbose mode. When you use this parameter, the following information is displayed (in addition to the information that is typically displayed):
  • A list of the user's security privileges
  • GPO details including globally unique identifier (GUID), friendly name, version, and source
  • Details for the following Group Policy extensions: Administrative Templates (registry-based policy settings), Application management, Disk quotas, Folder redirection, IP Security, Scripts
/s: Use this parameter to run Gpresult.exe in super-verbose mode. When you use this parameter, the following information is displayed (in addition to the information that is typically displayed):
  • Binary values of binary registry settings (when applicable)
  • A detailed list of the programs that are displayed in the Add/Remove Programs tool in Control Panel
  • The Group Policy Container (GPC) and Group Policy Template (GPT) version numbers of the GPO
/c: Use this parameter to display information about computer settings only.
/u: Use this parameter to display information about user settings only.

Note that the /s, /c and /u switches above are from the Windows 2000 Resource Kit version of Gpresult.exe.  The Gpresult.exe built into Windows XP and Windows Server 2003 uses /v for verbose and /z for super-verbose, and there /s and /u mean the remote system and the user name to run as, while /scope user or /scope computer picks which half of the policy to show.

Posted Fri, Nov 26 2004 21:39 by bradley | with no comments

Windows 2003 by default does not install the FTP service, let alone turn it on.  To get my network back “exactly” to full working order by Monday I had to install the FTP service and enable it.  Now, after my old server is reincarnated as a member server, I think I'll enable IIS/FTP on it and move this to the member server... but in general here's the info to get a Konica copier to do scanning and printing.


If you need to get a Konica copier/scanner attached to your network, you basically have to go back into Add/Remove Windows Components, drill down under the IIS components, and add FTP.


Then you go to the default FTP site and change the “landing place” [the home directory] to the location you have chosen to be your scan spot.


For setting up the print driver, don't forget it wants to be an LPR printer.


And flip the WinPrint print processor data type to TEXT.

 

[Sorry Sean, LOTS of pictures in this one ;-)]

 


 

In case you are wondering... I don't do malls anymore for my after Thanksgiving day Christmas shopping experience.  I do online shopping.   From Amazon.com to Outpost.com [Frys online shopping experience] there isn't much you can't find online.

You guys know about Google's comparison shopping site called Froogle don't you?

Just some reminders this holiday season.  Retailers don't send emails asking you to confirm usernames and passwords.  It's called phishing.  While we should be aware of the bad stuff online, remember that my sister got her credit card info stolen at a restaurant.  Every time that card goes to the cashier to be swiped, it could also be swiped on a portable card reader.  A news story like what happened to my sister is talked about here.

Some things to remember

  • Review your credit report on an annual basis and question any remarks or comments you don't think should be there.
  • Have a dose of healthy skepticism when using online web sites [look for the padlock like the one shown above, down in the browser's status bar, and don't put your credit card on a site that doesn't AT LEAST have that in the shopping cart section].  That said, buddies of mine in the dotcom days said that sites would regularly email credit card orders unencrypted from the order taker to the fulfiller all the time.
  • A good list of “how to handle your credit card“ is listed here.
Posted Fri, Nov 26 2004 10:33 by bradley | 1 comment(s)

 Just following up on a blog posting and something that came up on a listserve.

How can you email something confidentially both internally and externally [especially if you are wacko like I am and open up the email as per our employee policy]?

Adobe Acrobat with password protection that includes encryption is honestly easier than anything else for sending confidential documents to business associates.  Never send Word or Excel documents [especially us beancounters], because we should never send information that can be changed.  Not to mention they may include metadata that you don't want to send.  Adobe's come out with version 7, which is supposed to allow documents that are first done on version 7 Pro or Standard to be “inked/edited” in Adobe Reader.  I need to order that and check it out.

I've tried digital signatures in email and swapping dig certs, but most folks just can't handle that yet.  At times I also use hypersend.com.  Encrypted email is still just a bit too much for most business folks to handle.

Honestly, it is pretty easy to set up individual digital certificates.  In Outlook, Tools, Options, Security, click on “Get a Digital ID” and walk yourself through buying one.  Attach the digital cert to your outbound email and it will get automagically added to the contact for the email account you send your email to.  When THEY send YOU their digital cert, you will then have the opportunity to encrypt the email between your two boxes.  It's amazing how UNDERUTILIZED it is, though.

P.S.  Just so no one gets the wrong idea, I agree with Dana that Adobe has its limitations... but I'm dealing with business folks with AOL email addresses who are still using WordPerfect with the blue DOS interface.  I start talking about adding digital certificates and swapping certs and I've totally lost these folks.  At LEAST I'm in SB1386 compliance.  I'll be the first to admit I'm choosing functionality over security.  If it truly needs protection, it's hypersent. 

Jeff from Vancouver also writes in that he wants a more detailed description of what the group policy can and cannot do.

You know [in my opinion] the best source for seeing the power of group policy is?  In an Excel spreadsheet. Now granted I think it's because us beancounters are born with a spreadsheet so it's more natural to us, but that one document more often than not shows me what can be done. 

Remember my NOLMHash thing?

On the spreadsheet it's detailed out like this:

Computer Configuration\Windows Settings\Local Policies\Security Options

Network security: Do not store LAN Manager hash value on next password change

Determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.
For more information on cryptographic hashes of passwords, see "Microsoft NTLM" on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkID=7029.
Important:
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
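As an added example [not code from this blog, from the spreadsheet, or from Microsoft], here is a PowerShell audit of the registry values that sit behind the two Security Options discussed on this page: the SMB signing settings from the Konica post above and the NoLMHash setting here.  The registry paths and value names are the documented ones; the function names, the "expected" values, and the decision to require signing on both the server and workstation side are this example's own choices.  On a domain member or domain controller, Group Policy will reapply whatever the GPO says at the next refresh, so use this to check what actually landed on the box and make the real change in the GPO.

```powershell
# Added example: audit (and optionally set) the registry values behind
# "Do not store LAN Manager hash value on next password change" and the
# "Digitally sign communications (always)" options.  Paths and value
# names are Microsoft's; the function names and Want values are assumed
# for this example.  Run in an elevated Windows PowerShell session.

$Checks = @(
    @{ Name  = 'Network security: Do not store LAN Manager hash value on next password change'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'
       Want  = 1 },
    @{ Name  = 'Microsoft network server: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'
       Want  = 1 },
    @{ Name  = 'Microsoft network client: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'
       Want  = 1 }
)

function Get-SecurityOptionState {
    # One object per setting: what is on the box vs. what we expect.
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($c.Value) }
        [pscustomobject]@{
            Setting   = $c.Name
            Actual    = $actual
            Expected  = $c.Want
            Compliant = ($actual -eq $c.Want)
        }
    }
}

function Set-SecurityOptionState {
    # Writes the expected values locally.  -WhatIf shows what would change.
    param([switch]$WhatIf)
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord -WhatIf:$WhatIf
    }
}

Get-SecurityOptionState | Format-Table -AutoSize
# Set-SecurityOptionState -WhatIf   # preview; drop -WhatIf to apply locally
```

Two caveats a practitioner will want.  First, NoLMHash only stops the LM hash from being written at the next password change; accounts that have not changed their password since it was turned on still have an LM hash sitting in the SAM or in Active Directory, so force a password change after enabling it.  Second, requiring SMB signing on the server side is exactly what breaks the Windows 9x/ME and old print device clients the spreadsheet warns about, which is why the blog checks for those before leaving it on.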

Check this spreadsheet out Jeff.  It takes some time to go through, but I think it might help.

Let me know.

From the mailbag comes a couple of questions from Jeff L out of Vancouver regarding some things I did in Exchange:

  • Why did I manually turn off circular logging?
  • Why switch to native mode?

When SBS 2003 ships and you have not run the backup wizard, SBS protects you from your own stupidity by having circular logging in Exchange turned on.  Circular logging reuses a small set of transaction log files instead of letting them pile up, so the disk can't fill; the price is that you can only restore to the last full backup instead of replaying the logs up to the point of failure, which is why you want it off once a backup job is truncating the logs regularly.  If the folks in the Motherships of SBS PSS had a dime for every time an SBS box ran out of space because it was not running a backup of Exchange and the log files grew too large, they'd probably at least have enough money for one mondo cool Christmas party.  So when SBS 2003 was built, circular logging is enabled and automagically DISabled when you run the backup wizard.  Because I have a third-party backup program and NOT the built-in one [mainly because I'm backing up two servers and using a quad loader] I needed to make sure that circular logging was turned off.

Why switch Exchange to native?  By definition, mixed mode is needed in a mixed Exchange 2003 to Exchange 2000 forest or whatever you Big Server folks call it when you have several Exchange servers.  Uh.. folks.. once you migrate from SBS 2000...look around.... there's no Exchange 2000 left to worry about.

One click later.. and my box is a native now.

P.S.  Evan in the comment section points out that even if I “had” Exchange 2k and 2k3 combo we could still flip to native.  It's only there to “talk” to an Exchange 5.5 box.  All the MORE reason to kill it off  ;-)

I'm stealing a newsgroup post from Chris Puckett!

To Obtain Exmerge.exe
-----------------------------

1. To download Exmerge.exe, visit the following Microsoft Web site

2. This download is a self-extracting executable.  Double click Exmerge.exe to extract the files to the location of your choice.

3. Once the files are extracted, copy the exmerge.exe program to the C:\Program Files\exchsrvr\bin folder.


Preparing the SBS 2003 Server to Run Exmerge
---------------------------------------------------------
 
By default in Exchange 2003, organization administrators and domain 
administrators inherit the Allow permission in addition to the Deny 
permission for the Receive As permission and the Send As permission.  To 
use ExMerge, the accounts that use this utility must have the Send As 
permission and the Receive As permission.  
 
To grant these permissions to the Administrator account to use ExMerge, 
follow these steps:
 
1. Click "Start", point to "All Programs", point to "Microsoft Exchange", 
    and then click "System Manager".
 
2.  In Exchange System Manager, locate the Mailbox Store under " 
Servers//".
 
3.  Right-click the Mailbox Store, click "Properties", click the "Security" 
tab, and then click "Advanced".
 
4.  On the Permissions tab, uncheck the box "Allow inheritable permissions 
from the parent to propagate to this object and all child objects.  Include 
these with entries explicitly defined here.  Click "Apply" and click "Copy" 
on the security popup.
 
5.  Remove the Deny entries for the Receive As and Send As permissions on 
the Administrator account, Domain Admins group, and the Enterprise Admins 
group. 
 
6.  Click Apply.  Click Yes on the security popup.  Click Yes on the 
Permissions warning popup.  
 
7.  Make sure that the "Send As" check box and the  "Receive As"
check box are selected  under the "Allow" column in the "Permissions" 
list for the Administrator account, Domain Admins group, and the 
Enterprise Admins group. 
                        
Note Make sure that the "Send As" check box and the "Receive As" 
check box are not selected under the "Deny" column in the "Permissions"
list.
 
8.  Click "OK" to close the "Properties" dialog box.
 
 
Importing data into the Mailbox Store
-----------------------------------------------
 
1. Before you import data into a new Exchange store, log on to any mailbox 
on that Exchange store, and send a test message to every mailbox on the 
server. If you do not do this, ExMerge.exe will not detect any mailboxes 
that have not been logged on to or that have not received any mail. 
 
This step is necessary only when you run the program using the two-step 
merge and import data into a Microsoft Exchange Information Store. This is 
because the program gets the list of mailboxes from the Exchange store, and 
if no Exchange store object exists for a mailbox, the program will skip 
that mailbox. 
 
1a.  By default in SBS 2003, a 200 MB mailbox store limit 
is imposed on all mailboxes.  If any of the .pst's you import are greater 
than 200 MB, only 200 MB worth of data will be imported into the Exchange 
mailbox and then exmerge will report a failure on that mailbox.  You can 
modify or remove these storage limits prior to running exmerge to avoid 
this.  See article 319583 below for the location of the mailbox store 
limits.  The location is the same in Exchange 2003 as Exchange 2000. 
 
319583 HOW TO: Configure Storage Limits on Mailboxes in Exchange 2000
http://support.microsoft.com/?id=319583
 
Or look on Mariette and Marina's site.
 
2. Double-click the C:\Program Files\exchsrvr\bin\exmerge.exe 
program.
 
3. On the "Welcome to the Microsoft Exchange Mailbox Merge 
Wizard" screen, click Next.
 
4. Select "Extract or Import (Two Step Procedure)" and click Next.
 
5. Select "Step 2: Import data into an Exchange Server Mailbox" 
and click Next.
 
6. Type the Exchange Server (SBS) computer name that is found in the 
Exchange System Manager program and click Next.
 
Note: For more information on the data selection criteria available within 
the Options button, refer to the Mailbox Merge Wizard (Exmerge).doc 
file that was extracted from the Exmerge download.
 
7. Select the mailboxes that you want to import, or click 
"Select All", and then click "Next".
 
8. Select the appropriate mailbox locale and click Next.
 
9. On the Target Directory screen, click "Change Folder" and 
browse to the directory in which the program should find the 
existing .pst files. Click "OK" to accept your selection and 
click "Next".
 
10. On the Save Settings screen click Next.  The import will begin.
 
11. Once it is complete, click Finish.
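A pre-flight check for the import above, added here as an example and not part of the original post or of ExMerge itself: it confirms exmerge.exe is in the Exchange bin folder and flags every .pst that exceeds the 200 MB mailbox limit from step 1a, so you can raise the limit before the import partially succeeds and then fails. The .pst folder is a placeholder, and the function assumes ExMerge named each .pst after the mailbox alias.

```powershell
# Added example (not from the original post): pre-flight check before the
# two-step ExMerge import. Paths and the 200 MB limit follow the post;
# the .pst folder passed in at the bottom is a placeholder.
function Test-ExMergeImport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PstFolder,
        [string]$ExMergePath = 'C:\Program Files\exchsrvr\bin\exmerge.exe',
        [long]$MailboxLimitBytes = 200MB   # default SBS 2003 mailbox store limit
    )

    # exmerge.exe has to sit in the Exchange bin folder (step 3 of the install notes)
    if (-not (Test-Path -LiteralPath $ExMergePath)) {
        Write-Warning "exmerge.exe not found at $ExMergePath; copy it there first."
    }

    # One result object per .pst. A file larger than the store limit imports
    # only up to the limit and ExMerge then reports a failure for that mailbox,
    # so anything flagged here needs the limit raised or removed beforehand.
    Get-ChildItem -LiteralPath $PstFolder -Filter '*.pst' | ForEach-Object {
        [pscustomobject]@{
            Mailbox  = $_.BaseName   # assumption: ExMerge names the .pst after the mailbox alias
            SizeMB   = [math]::Round($_.Length / 1MB, 1)
            WillFail = ($_.Length -gt $MailboxLimitBytes)
        }
    }
}

# Usage (placeholder folder): list only the mailboxes that would hit the limit
Test-ExMergeImport -PstFolder 'D:\ExMergeExport' |
    Where-Object { $_.WillFail } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every mailbox with its size, which is also a handy record of what went into the import.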

Well day two of the “you really don't want to do it like I'm doing it and I never want to do this again and have to “touch” the workstations like I'm having to do it” migration.

I got the permissions needed for Lacerte working, and used the “touching the workstations” opportunity for a good spyware inventory.  There are a couple of workstations where I did a “what the heck is that!” in the add/remove directory.  Time to prepare the troops for “user mode” by Christmas.  A few too many funky programs in there that just shouldn't be there.

And of course there's one workstation that had to make my day.  I've never seen a Windows XP that wouldn't let me flip from the “cutesy” control panel to classic mode, but I certainly did today.  It also only has “restricted site zone” in Internet Explorer.  That's it, no internet, no trusted zone, nothin'.  Just “restricted”.  Like I said, I've never seen a machine do what this one is doing.  Oh, did I happen to mention that it had [notice the past tense] AOL on this workstation?  Remember the other machine [a laptop] that I had XP SP2 upgrade issues with was also a machine that had AOL on it.

I'll let you decide about supporting AOL in a firm environment, but I know I'm putting my foot down and not installing it anymore, as I've wasted too many hours with machines that have had it on and it just gives some really weird issues.  Now granted, it might be coincidence, but given that two out of two computers with AOL have been my problem children, it just makes you go hmmmmm, doesn't it?

Kevin actually recommends a different approach if the owner “has“ to have AOL:

  • Use Enetbot's utility that will send/receive AOL email into Outlook [http://www.enetbot.com]
  • Or use the AOL webmail [which in reality isn't too smart either as you are blowing past all of your Exchange based antivirus]

Well, there's a repair install of XP in the cards for tomorrow.  The worst thing about this workstation is it's one of the ones with a Nvideo Digital card.  I have two of these machines in the office and they hate the SP2 driver, so I have to boot into safe mode and roll them back to the SP1 video driver.  I even tried totally building a new profile on this system and it still was an obviously not so healthy box.  Mind you.. this is one of the partners' computers [of course... it would have to be his computer, wouldn't it?] so I want to get it ... well... kinda working.. ya know?

So I took this opportunity to

  • Update the ISA client
  • Update to the new Trend suite
  • Ensure that the antivirus was being seen by the XP sp2 security center
  • Ensured that a port was opened up for Trend to listen at 24091 [Trend's default]
  • Reviewed Windows Update to see if “it thought“ I needed any additional patches [for example, one machine “thought“ it needed XP SP2 even though I had previously applied it.  Under the theory of just let it do its thing and don't argue... I let it reapply SP2.  The other machines wanted to load the GDI+ tool]
  • The annoying thing is I have to launch the time and billing program for each workstation and make it build a local calc space and reattach to the right billing database
  • Some programs don't bat an eye when you've ripped out their UNC name and some do

Funny thing.  I was contacted on Wednesday to give feedback on patching.  It's very fitting that I “just“ finished “patching“ a new server up to snuff and then had to take inventory of all these machines.  It's still not easy to patch.  Even with my Shavlik patch tool, it's still NOT “blonde“ enough for a do it yourselfer or even a consultant that isn't the wacko for patches that I am.  The impact of the ISA patch the other day points out that many folks did not realize that ISA Server sp2 had come out as far back as last May.  I still want an RSS feed that keeps track of all Service packs.  I think I'll ask Santa for that for Christmas  ;-)

Posted Thu, Nov 25 2004 23:07 by bradley | with no comments
Filed under:

For those of you in the world that are not MM/DD/YY but backwards [well, to me anyway], you do know that Company web has its “own“ date settings, don't you?

Thanks to Kevin for posting this

Check out http://companyweb, Site Settings, Go to Site Administration link, 
Change regional settings link.

SharePoint.
    > Site Settings
        > "Go to Site Administration"
            > Management and Statistics
                    > "Change regional settings".

So one sticking point I had on an older line of business tax application was that it was freaking out saying it didn't have the right permissions, so I had to go up to the server, and on the folder it resided in, push down a permission for read/write/muck with it whatever you want. 

In case everyone is not aware of this change in Windows 2003, Everyone isn't Everyone any more.  In Windows 2000, Everyone included anonymous users; in Windows 2003 it does not.  One of the great resources for learning more about Windows 2003 and the security tweaks and changes in it is the Threats and Countermeasures guide and the 2k3 Security guide.  This is one of the reasons why I'm so glad I'm finally on SBS 2k3.  I have all the tools, tweaks, “stuff“ that came out of the security push at Microsoft.  If you will remember, SBS2k3 “beta'd“ right as the security push was underway.  We had a long long long beta and what SBS2k3 ended up with was a bit different from where it started.

For those still on the Win NT platform, I cannot stress how much you need to seriously consider getting off that platform.  98 machines should be seriously “planned for future death”.  I have so so so much more controllability of my workstations, much more protection of them than with any other server/workstation combo.  I've got some screen shots of the defaults of the XP SP2 group policy.  There are many more tweaks you can put in there and as I start expanding the tweaks, I'll let you know.

One tweak is right here regarding Lan Manager hash values.  So why should we care about that on our little networks?  For one, if we have an up to date network, there's no reason not to have this setting.  We don't need the hash values.  Next, since the hashes can be grabbed either by internal staff or even through a misconfigured opening into your network [hard to do if you use the wizards and patch your systems], passwords are our first line of defense.

It's just a little tweak to make us all safer.
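A quick audit of the two settings discussed in this post, the LAN Manager hash storage and whether Everyone still covers anonymous users, added here as an example (not from the original post or from any Microsoft guide): it reads the LSA registry values and reports each against the hardened value. It assumes the standard LSA registry value names and that it is run as an administrator on the box being checked.

```powershell
# Added example (not from the original post): reports the LSA settings behind
# the "no LM hash" tweak and the Windows 2003 Everyone/anonymous change.
function Get-LsaHardeningStatus {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Value name, the value a hardened box should carry, and what it means.
    $checks = @(
        @{ Name = 'NoLMHash'; Wanted = 1; Minimum = $false
           Note = '1 = stop storing the weak LM hash (takes effect at next password change)' }
        @{ Name = 'EveryoneIncludesAnonymous'; Wanted = 0; Minimum = $false
           Note = '0 = Everyone does not include Anonymous Logon (Windows 2003 default)' }
        @{ Name = 'LmCompatibilityLevel'; Wanted = 3; Minimum = $true
           Note = '3 or higher = send NTLMv2 responses only, never LM' }
    )

    foreach ($c in $checks) {
        $current = $lsa.($c.Name)   # $null when the value was never written
        if ($c.Minimum) { $ok = ($current -ge $c.Wanted) }
        else            { $ok = ($current -eq $c.Wanted) }
        if ($null -eq $current) { $shown = '(not set)' } else { $shown = $current }
        if ($ok) { $status = 'OK' } else { $status = 'REVIEW' }

        [pscustomobject]@{
            Setting = $c.Name
            Current = $shown
            Wanted  = $c.Wanted
            Status  = $status
            Note    = $c.Note
        }
    }
}

Get-LsaHardeningStatus | Format-Table -AutoSize -Wrap
```

A REVIEW on NoLMHash means the LM hash is still being stored; note that existing hashes only disappear as users change their passwords after the setting is applied.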

Posted Thu, Nov 25 2004 15:49 by bradley | 2 comment(s)
Filed under: