[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] December 2004 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"

Today is the second part of our interview series.  We talk with Samantha, the SBS 2003 client workstation, about her year in review.

Q.  Good morning Samantha!  I see you are having your morning Mountain Dew!

A.  Well, yes, I'm just not a coffee drinker like the rest of you guys.

Q.  Well let's get started, shall we?  Yesterday we talked with Sam the SBS 2003 server about his year; let's talk about yours.

A. Ok!

Q.  Let's cut right to the chase and ask you about what's been on everyone's list of issues these days - malware.  How was it this year?

A.  You and I both know it was pretty bad this year.  For my end users that were smart, surfed safely, and stayed in a position where they didn't have full control of me and instead let Sam the SBS 2003 server control much of the details, they were pretty good.  For my end users that downloaded anything, clicked on anything and opened up email attachments willy nilly, they had some issues.

Q.  I hear though, you do have some protection that came out in August of this year, some third party add-ons to help, and there are even more new products and plug-ins coming to help out even more.

A.  That's true.  First off I have Outlook 2003 for my end users [again, thanks to Sam the SBS 2003 server that licenses all my end users for that], so there are some built-in protections that I have.  For example, in Outlook if you leave on cached exchange mode, which Sam automatically sets for me, I have junk filtering, I block nasty attachments, and I block photos from being automatically viewed.

Q.  That sounds pretty good.

A.  Yes it is.  Then if Sam the SBS 2003 server has Trend Micro Antivirus installed [and this is just one example, many of the vendors do this], there's a malware addon that you can enable that helps to protect me. 

Q.  So let's talk about what happened in August of this year, I hear you got a major update?

A.  Yes I did, a big new service pack, XP sp2.  Let me really stress to the listeners how much better I work when I have XP sp2 and Office 2003 with Sam the SBS 2003 server.  I hook in really well with Sharepoint when I have Office 2003.  And with XP sp2 and Sam the SBS 2003 server, I really protect my workstations from willy nilly talking to one another.

Q.  I heard one of the Microsoft speakers talk about this, Steve Riley, I think?

A.  Yes, he's writing a book that will include discussion of this concept, that workstations shouldn't just “talk to one another”; they should only talk to the server and thus they are better protected from things like Blaster, SQL Slammer and what not.

Q.  Do you know what the book title is?

A.  Oh yes, it's called Protecting your Windows Network and it will be out in 2005 from Addison Wesley.

Q.  Cool.  But let's go back to that malware issue because I hear it was pretty bad. 

A.  Oh sure thing!  I agree it's a huge issue and even my maker in Redmond knows; they bought an anti-spyware company and will be bringing out a public beta of this very very soon.  Also speaking of betas, I've been trying out the Windows Update Services beta and that is looking really nice.  I'm really looking forward to relying more and more on Sam the SBS 2003 server for lots more protection.

Q.  Yes, Sam mentioned that; can you expand?

A.  Absolutely, as I said right now I run with my end users in a pretty trusting way, but Sam and I have been talking and for some of our setups, where the consultant, the VAR/VAP, has sat down with the owner and talked about this, we're going to run a bit more securely this year and take away those administrator rights for my end users.

Q.  That sounds pretty cool.  Is this something all firms will be doing?

A.  It's in the long term plans for all systems actually.  Some firms can do this now, and there's honestly some firms that don't see this as an issue.  But what's cool about the relationship that Sam and I have, is that we're pretty flexible and can set things up just about any way the owner wants us to go.  The biggest issue is not with the Microsoft applications running in this user mode, it's the third party stuff.  Like the firewalls we're running here, he and I can and do roll things out faster than bigger firms.

Q.  Wow, that's great to know that you guys are so agile.  But, I hear it's a pain to get those programs to run in user mode.

A. Yes it is.  We have some tools like filemon, regmon and incontrol5, and a new chapter in Harry's book is coming that talks about this, and I honestly do think that more companies are beginning to realize the value of doing this, but it will take time.  Right now we've got a lot of people asking how to do this for Quickbooks, an accounting program.

Q.  So what I'm hearing from you is that letting Sam the SBS 2003 server be in control is really key to having a secure system.

A.  Yes, being under Sam's protection, in the domain where I am, really helps me stay safe and secure.  It's really been obvious that the more I let him protect me, the better off I am.

Q.  That's really good to know.  So we're about out of time, any final words to our listeners today?

A.  Yes, remember that you really want to buy the XP Professional version and retire all older versions, because I really work the best when all my end users are on the same platform.  If you have any questions at all about licensing and what not, I have some really smart people looking out for me that are on the Mssmallbiz site and listserve. In fact all of my support communities are pretty amazing.

Q.  We've heard that they are pretty special online places.

A.  Indeed!  I'd like to wish everyone a very Happy New Year and invite everyone to join Sam and me in the SBS communities!  From Nick's to the Magical M&M's, to the yahoogroups that Sam mentioned yesterday, to the newsgroups.  In fact, before I forget, I want to say a HUGE thank you to the original gentleman who really started the community feeling and to this day really sets the tone for the communities out here.

Q.  Is that Grey Lancaster that I've heard mentioned?

A.  Yes it is, he has a real “southern gentleman” way about him and he really makes sure that the communities of SBS are kind and helpful.  He's pretty amazing.

Q.  Well we're out of time Samantha, the SBS 2003 client workstation, it's been great talking with you!

A.  Same here!

[Like I said, a little too much Dew for Susan]

Posted Fri, Dec 31 2004 10:04 by bradley | with no comments

[tomorrow we will interview Samantha the SBS workstation, but today we sit down one on one with Sam the SBS box to ask him how his year was]

Q.  So Sam, overall, how was 2004 for you?

A.  Pretty good, all in all.  I've added a lot more relatives to the SBS family and community this year, a lot of brand new faces, blogs, it's been really fun to see a lot of new family members in SBSland.

Q.  Give us some highlights of the year, if you will?

A.  Sure thing, we started out the year on a solid footing with the release of Harry Brelsford's SBS 2003 best practices book and we've been building momentum ever since.  It's been really cool to see the increase in people in the 2003 newsgroups, in the yahoogroups - both the technical ones, the business ones and our new general small business one.

Q.  Any event in particular stand out in your mind?

A.  Oh yeah, a couple of things that I was proud to be a part of.  First off we had the second year of the SMBnation conference in September and this time we had it in the place I was born, so that was a real treat for me.  Next Microsoft started a new community surrounding the small business space and that really took off with a bang, which was really cool to see.  The Mssmallbiz web site, listserve and now blog really took off great.  I was proud to be associated in some small way with that effort.

Q.  That's really cool!  Now we have to ask the tough questions, okay?  One of the big issues we have today in technology is in Security.  Let's be honest, here.  Weren't you in the news recently about some security issues you had?

A.  You read that USA Today article too, huh?

Q.  Well, yeah.  Want to comment on that?

A.  Absolutely!  I'd love to tell my side of the story more often. Honestly, that was a really dumb test they did.  What they should have tested was Windows 2003 server, instead they tested me.  And I kept yelling at them that I wanted a strong password or passphrase, that I did not want to be sitting on the internet exposed without a firewall, but they refused to listen to me every step of the way.  I mean talk about frustrating for me, when I was trying to get them to listen to the right way to set things up and they didn't!

Q.  You mean they purposely set you up insecurely?

A.  Yes they did.  They wanted to prove the point that being on the web you need a firewall.  Geeze, I kept telling them that all along the way, but they refused to listen.  They did say that once they picked a secure password that I did stay on the web and didn't get hurt.  Given that I was set up without my normal protection in place, I'd say I did pretty good given that no one should be out playing on the Internet without the right protection.  But it really does showcase the one place where my owners and end users need to help me out.  Choosing proper passwords.   In fact, this year I can honestly say that I “could” have not gotten any security patches throughout the year and I'd still be able to be in very fine shape at the end of the year.  What really was my soft spot this year was what spammers were trying to do to me. 

Q.  Spammers?  What do you mean?  Can you elaborate?

A.  Oh sure!  First off they tried to guess my passwords so they could authenticate on my mail system. This is called an SMTP auth attack in my biz.  If one of my owners or end users uses a dumb password, it makes me susceptible to password guessing.  This is one reason why it's important for my owners and admins to review my audit log files.  This is one major advantage that I have over my older SBS 2000 relative: I natively do auditing, whereas with my relative you have to turn it on in his system; he doesn't do it automatically like I do.

Q.  That's a good feature to have turned on.

A.  Yes it is, I'd really recommend it to anyone still running SBS 2000 to enable it on their systems.

Q.  What other issues did you face?

A.  My other big issue regarding email is something called NDR attacks.  This is where a spammer tries to trick me into sending spam mail.  Javier and Les, two really cool SBS MVPs that I know, typed up some instructions to help people deal with these two issues.

Q.  Wow, that's kinda scary.  What other issues did you face?

A.  Well obviously, I wasn't hurt like Samantha [that's my SBS client workstation] was surfing the web because I have two things going for me. 

Q.  What's that?

A.  Well for one, I have a special protection on my Internet Explorer to block active X scripting.  You see some really smart guys looked at me while I was being built and tried to imagine all the bad things that people would try to do to me and the last thing they thought of was that my owner and admin would be really stupid and want to surf the Internet from me.  Then I have a smart owner that doesn't use me as a workstation and treats me like a server, so that really helps out.

Q.  Why would an owner do that?

A.  Sometimes they don't realize that my main job is to do work for them and not be used as a workstation.  Fortunately there's this IE lockdown that is in place that protects me a lot.

Q.  That's good to know.

A.  Yup, pretty much as long as you let me do what I am supposed to do, I really was not hurt by Malware like Samantha was this year.

Q.  Yup, I'll be talking with Samantha about her year tomorrow, I hear she got beat up a bit.

A.  Yeah, we've been talking about some ways that she and I can work closer together and do something called group policy to help her.  All in all, I had a very good year from a security standpoint, and now we're going to see if we can do more to strengthen her as well.  She did, though, get a big boost from XP sp2 and the firewall she's running now inside the network, and there are some anti-spyware tools that our birthplace just bought to help out.

Q.  Sounds pretty promising.  Well we're just about out of time Sam, any more thoughts before we end this interview?

A.  Well I'd like to point out a few last things, first off, don't forget about the “Oh, Canada!” event that kicks the year off in grand style up in Toronto on January 11th.  Also, everyone should look forward to the SBS 2003 Advanced book coming out soon from Harry Brelsford.  I'm also hoping that this year we really put more emphasis on Sharepoint, taking that to the next level.  Look also for a new service pack in the new year.

Q.  A new service pack?

A.  Yeah, I'll be retiring ISA 2000, adding a new member to the SBS family called ISA 2004, and rolling up some other fixes and what not.  In fact, let me remind our listeners that there will be a week-long ISA 2004 webcast series to get people ready.

Q.  That's really cool.  Thanks for taking time out of your server duties, Sam, to talk to us about your year.

A.  My pleasure.  Back to work!

[okay so maybe a little too much Egg Nog and Mountain Dew for Susan today]

Posted Thu, Dec 30 2004 18:13 by bradley | 4 comment(s)

Windows NT 4.0 Server, operating system, died, Friday, December 31, 2004 in Redmond, Washington.

Born 1996 in Redmond, Washington, he was the son of Windows NT 3.1 and Dave Cutler.

Windows NT 4.0 server worked for many years in many corporate offices and was for many years a beloved member of many firms.

He is survived by two sons, Windows 2000 Server and Windows 2003 Server, both of Redmond, and five cousins, Windows 2000 workstation, Windows XP Professional, Windows XP Home, Windows Tablet PC edition and Windows XP Media Center edition.  He was predeceased by his nephews Windows NT workstation, and Windows 95.  Currently another close relative, Windows 98, is on life support but the doctors indicate he has a few more years left.

Private visitation will be in Redmond.

A Christian burial will be celebrated at midnight [your local time zone] on December 31, 2004.

Windows NT 4.0 server had been in failing health but finally succumbed to the dreaded final “Blue Screen of Death”.

May you rest in peace.

If you've been seeing some of the tech news, you'll know that a group overseas called Xfocus published some details of Internet Explorer vulnerabilities on the web right before Christmas.  And while the press can say [clearing their throats] “Microsoft hasn't responded”, I can say that every time I sent in an email to the Secure alias [secure - at - microsoft.com] I got a response back.  They know and are “responding” in their own quiet way when such things occur.

But in the meantime some general rules to keep safe until a patch is released:

  • Begin to push for running in lesser “rights” on the desktop.  This isn't easy at all, but it's something that we all need to push our app vendors to do natively in 2005.  I don't expect you guys to do this right away, but start thinking about preparing your end users and clients for not being able to download and install just willy-nilly.
  • Ensure that you always use up to date antivirus.
  • Only surf where you know you'll be safe [I know...this one is kinda dumb as there have been reports of “good sites” that don't keep themselves up to date on patches getting turned into “bad sites” - but just try to be AWARE].
  • Block all unnecessary email attachments.  Whether you use the native SBS Exchange attachment blocker or Trend's blocker, PICK ONE and don't even let this stuff get in your network.
  • Consider running IE with High security turned on, and only place those web sites into “trusted” zones that you need fully functional for business purposes.
  • While you can use alternative browsers like Firefox or Mozilla, I'd still recommend that you not “install and forget it”.  Mozilla today just released a new patch for a security issue it had.  Remember that Windows Update does not patch Firefox or Mozilla, so you are on your own.  The default for Firefox is to check every 7 days [apparently, as I'm guessing from the about:config that I'm looking at].  Brian Livingston has a great primer on Firefox that he had to dig up from their web site and other locations.
  • Just in general be aware.  If an email sounds too good to be true, or is trying to sound like the sky is falling, check it out on the snopes.com web site.

P.S.  Next time guys, send an email to the secure alias and work with them for a patch FIRST?  Don't just disclose this stuff and then contact Microsoft?  Be part of the solution, not part of the problem.

Date: January 11, 2005
Time: 6:30 - 8:30 PM
Location: Microsoft Canada - Mississauga

OK Toronto and area SBSers! The first meeting of the year for the Toronto
Windows Server User Group (TWSUG) - and it is all SBS. And look at the
drawing cards we have for the event!


Session 1 - Migrating Windows Domains using Swing Migration
Presenter: Jeff Middleton - US Microsoft MVP for SBS 2003

Session 2 - Windows Small Business Server - A Year in Review
Presenter: Harry Brelsford - Author and US Microsoft MVP for SBS 2003

Event information here...

http://www.twsug.com/Default.aspx?tabid=62


Jeff is just back from his 5 week presentation tour through Australia - with
resounding great response all the way. You want to know about his Swing
migration? Waiting to finally move up to SBS2k3? Here is an opportunity to
see, hear and ask those "what if?" questions about the process. Here is
Jeff's web site...

http://www.sbsmigration.com/


Harry is in Toronto the same day with his own One-Day Workshop in Windows
Small Business Server 2003 - Strategies to build your SBS consulting
practice; How to integrate SBS with Office 2003; Technical tips and tricks
to extend SBS. Harry has graciously accepted an invitation to present at our
evening session. Check out Harry's event here...

http://www.smbnation.com/smb_nation_summits.htm


But wait - there is more!

We are up to a count of 9 SBS MVP's that will be on site that evening! A
wonderful opportunity to meet the anchors of so many community resources you
depend upon. We want this to be your chance to ask questions, and share your
own hard earned knowledge with your Peers.


TWSUG membership is NOT required to attend. There is NO charge to attend.

Please - tell others about the event. We want this to be the start of a
really great year!

When we were little kids we were told by our parents “don't run when you have sharp objects in your hands” ... like... scissors.  So remember my rant about how I don't trust any browser?  I want to revisit that a bit again tonight.  Active controls in a web browser are, I think, like “running with scissors”.  Why?  Because, as I said before, they rely on me trusting too much.  While the whole concept of “active content” means great things have happened in the Internet space, it also means that the very way we have let our applications get away with being coded as horrifically as they are, without really noticing how bad they are, is contributing to the malware/spyware and other gunk we now have to deal with.

While one could argue that Active X is worse than Darth Vader, worse than ....oh I don't know.... worse than offering me fresh fish [I really hate sushi...I'm really sorry... it's chicken or beef for me], the fact is the real threat is there because Active X only plays in whatever “rights” you have on that system.  Run in user mode and Active X isn't the issue we're all running from.  Run like we're all used to, with full rights to every single registry key on that box, and Active X starts making us think of a tall guy in a dark plastic suit who is a heavy breather.  Active X is the bad guy it is because we're running with scissors around here.  It can't be sandboxed from the user rights we have.  Thus as long as we go “la di da-ing” through life accepting that my business applications, ones that I just bought during the 4th quarter of 2004 and many of which still think they live in a Win98 world, are just wonderful, we're going to be stuck in the mess we're in.

Tonight I was running some tests on one of my lovely applications that are not “Designed for Windows XP” but that we all happily load and run on our XP systems.  One in particular ...well, let's just say that I knew it was coded pretty poorly and now I'm more certain than ever that vendors really need to step up to the plate on securely coding these applications.

Now I'm not a coder by any means.  The last coding I did [other than a quick batch file here and there] was the misguided attempt to have beancounters learn cobol.  But it didn't take a degree in computer science or a slew of certifications to take one look at what that testing program was trying to tell me.  That application of mine, the one that I put firms' financial data in, looked to this untrained eye to probably make someone like Michael Howard or Howard LeBlanc fall over in apoplexy.

The “Designed for Windows XP” logo certification documents are pretty clear.  Support user mode and you get that certification.  So why the heck are we not beating up on vendors that DO NOT get certified on it, and not giving awards to those vendors that DO get certified?

As I'm typing this up I have an idea.  My term as Chairman of the Technology Committee of California CPA Society expires in May.  Perhaps one of my final duties can be to set up an “award” to the accounting application that meets security criteria.  Hmm.... I'll bring it up at the next meeting. Or perhaps my AICPA geek group, CITPers can also do that?

I'll showcase some of the vendors who ARE coding for least privilege.

Keep in mind that Peachtree 2003 is “compatible with XP” and thus doesn't meet the guidance.  Notice there is one major application missing that isn't in the “designed for Windows XP” logo program at all.

Amazing isn't it?  We run our daily business in an application that is not “designed for Windows XP”.

That in this day and age we can accept “The user doesn't have sufficient permissions with the Windows user login. Users must have full Admin or Power User permissions that permit them to write to the Windows registry.” as being acceptable from an accounting application...   shouldn't we as CPAs, as fiduciaries of our clients' records, demand better than this?

Pssst you can't “intuit-itively” figure out the app?


The Designed for Windows XP logo includes this as one of its criteria:

3.4 Support running as a Limited User

Applications must not require users to have unrestricted access (for example, Administrator privileges) to make changes to system or other files and settings. In other words, the application must function properly in a secure Windows environment. Complying with the previous requirements in this section will help to ensure that the application meets this requirement.

An application that does not install (executes without installing any components) must still support use by a Limited User.

A secure Windows environment is defined as the environment exposed to a Limited (non-Administrator) user by default on a clean-installed NTFS system. In this environment, users can only write to these specific locations on a local computer: [Note 1]

  • Their own portions of the registry (HKEY_CURRENT_USER) [Note 2]
  • Their own user profile directories (CSIDL_PROFILE)
  • A Shared Documents location (CSIDL_COMMON_DOCUMENTS) [Note 3]
  • A folder that the user creates from the system drive root

However, applications defaulting to use of these folders do not comply with the other requirements of this section.

Users can also write to subkeys and subdirectories of these locations. For example, users can write to CSIDL_PERSONAL (My Documents) because it is a subdirectory of CSIDL_PROFILE. Users have read-only access to the rest of the system.

NOTES

[1] Applications can modify the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA. This may provide an additional location to which users can write for a given application.

Any modification of the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA must be documented when submitting your application.

[2] Users cannot write to the following subsections of HKCU:

  • \Software\Policies
  • \Software\Microsoft\Windows\CurrentVersion\Policies

[3] By default, users cannot write to other users’ shared documents; they can only read other users’ shared documents. Applications can modify this default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS.

Any modification of the default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS must be documented when submitting your application.

This requirement does not apply to all features.

WHEN DOES THIS APPLY?
When the major features of the application can be successfully run by a non-privileged user, minor features are allowed to fail gracefully. These minor features must not be installed by any default mechanism (for example, a minimal or typical install) other than a complete install and must not be considered important for the operation of the program. Examples of such minor features include components necessary to support legacy file formats.

Limited Users cannot perform several system administration functions such as disk defragmentation, backup/restore, changing system time, and so on. When most of the primary functionality of an application is system administration, the application must still run from a Limited User account and inform the user why none of the features can be used.

For any feature that a limited user cannot use, when submitting your application you must document what objects need to be opened for that feature to work, such as file system, registry keys, and so on.

When a limited user can’t use a feature, the application must degrade gracefully.

Test Cases – 3.4

As defined in “Designed for Microsoft Windows XP” Application Test Framework:

TC3.4    Does the application support running as User1, a Limited User?
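As an added example (not from the post or from the logo program), here is a Python checker that grades a list of recorded write operations, the kind filemon and regmon produce, against the Limited User rules in section 3.4 above: HKCU minus the two Policies subtrees for the registry, and the user's profile and Shared Documents folders for files. The profile paths, the AcmeLedger application and its write records are all constructed for the example.

```python
import ntpath

# Locations a Limited User may write to, per section 3.4 quoted above.
# The two profile paths are constructed stand-ins for the CSIDL_PROFILE and
# CSIDL_COMMON_DOCUMENTS folders of an imaginary user1 on a clean XP box.
USER_PROFILE = r"C:\Documents and Settings\user1"                    # CSIDL_PROFILE
COMMON_DOCUMENTS = r"C:\Documents and Settings\All Users\Documents"  # CSIDL_COMMON_DOCUMENTS
SYSTEM_DRIVE = "C:"
# Folders under the system drive root that the user did not create.
SYSTEM_FOLDERS = ("windows", "program files", "documents and settings")

# Note [2]: even inside HKCU these subtrees are read-only for the user.
HKCU_EXCEPTIONS = (r"\Software\Policies",
                   r"\Software\Microsoft\Windows\CurrentVersion\Policies")

# Constructed regmon/filemon-style write records (operation, path) for a
# made-up accounting app called AcmeLedger.
SAMPLE_WRITES = [
    ("RegSetValue", r"HKCU\Software\AcmeLedger\Settings\LastCompany"),
    ("RegSetValue", r"HKLM\Software\AcmeLedger\InstallPath"),
    ("RegSetValue", r"HKCU\Software\Policies\AcmeLedger\Locked"),
    ("WriteFile",   r"C:\Documents and Settings\user1\My Documents\ledger.dat"),
    ("WriteFile",   r"C:\Program Files\AcmeLedger\temp\session.lck"),
    ("WriteFile",   r"C:\Documents and Settings\All Users\Documents\AcmeLedger\shared.db"),
    ("WriteFile",   r"C:\WINDOWS\acme.ini"),
    ("WriteFile",   r"C:\AcmeData\ledger.bak"),
]


def _norm(path):
    """Windows paths are case-insensitive; compare them normalised and lowered."""
    return ntpath.normpath(path).lower()


def is_under(path, root):
    """True if path is root itself or lies somewhere beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def registry_verdict(key):
    """'ok' if a Limited User can write the key, else 'denied'."""
    root, _, subkey = key.partition("\\")
    if root.upper() not in ("HKCU", "HKEY_CURRENT_USER"):
        return "denied"          # HKLM and friends are read-only for the user
    if any(is_under("\\" + subkey, exc) for exc in HKCU_EXCEPTIONS):
        return "denied"          # the note [2] carve-outs
    return "ok"


def file_verdict(path):
    """'ok', 'denied', or 'review' for a folder directly under the drive root."""
    if is_under(path, USER_PROFILE) or is_under(path, COMMON_DOCUMENTS):
        return "ok"
    parts = _norm(path).split("\\")
    # C:\<folder>\...: writable only if the user created <folder>, and an app
    # that defaults to it still does not comply, so leave it for a human.
    if (len(parts) >= 3 and parts[0] == SYSTEM_DRIVE.lower()
            and parts[1] not in SYSTEM_FOLDERS):
        return "review"
    return "denied"


def audit(writes):
    """(operation, path, verdict) for every recorded write."""
    return [(op, path, registry_verdict(path) if op.startswith("Reg") else file_verdict(path))
            for op, path in writes]


def blocking_writes(writes):
    """The writes that fail for a Limited User: what to take back to the vendor."""
    return [path for _, path, verdict in audit(writes) if verdict == "denied"]


if __name__ == "__main__":
    for op, path, verdict in audit(SAMPLE_WRITES):
        print("%-8s %-12s %s" % (verdict, op, path))
```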

Posted Thu, Dec 30 2004 1:16 by bradley | 5 comment(s)

To the poster in the newsgroup who said “I wish they wouldn't keep it a secret” that XP Home [s] cannot join a domain.

Let's blog this up a bit so it's more googlable shall we?

XP HOME platforms are for “Homes, houses, condos, apartments, shacks, shantys, leantos, outhouses, etc., etc., etc.” but they are not for BUSINESSES.  Get it?

The information on whether or not XP HOME can join a domain is on the XP Professional page.

“Windows XP Professional is required to access a domain-based network. If you're not sure whether the network you will access is domain-based, talk to the person in charge of the network to make sure you choose the proper version of Windows XP.”

I love those kinds of postings, don't you?  I AM in charge of the network, and what if I don't know the right answer?

Like those messages that say “please contact your network administrator for more information”.  I AM the network admin and can't get this thing running the way it's supposed to.

XP Professional is what you need to have a computer JOIN A DOMAIN.

I would argue that XP Professional is just plain better in general, with or without a domain, but that's just my opinion.

Let's blog it one more time for dear old Uncle Google

XP Home machines cannot join a domain.

XP Professional machines can.

XP MCE 2004 can join a domain.

XP MCE 2005 sort of can't, but I hear if you install them from scratch the bits are there and you can join them, but officially they aren't supposed to be domained.

P.S. Changed the blog so that XP HOME would be better googlable  :-)  Thanks Sophos 

I'm bringing out to the blog an argument I'm having with someone on IM about the private versus “private” and Ipconfig posting issue just to make a point about the risks of life in general on the Internet.

I'm arguing that in a mere email, there is as much risk of information “leakage” about a firm as there is when we post an ipconfig in the newsgroups.

Let me show you what I mean.  Send an email from your SBS firm network to an outside email box.  Open up the email and adjust it so you can see the headers [Outlook is a pain in the butt for doing this, Thunderbird much easier].

Okay, let's look at the clues that come from an email:

  • Inside that email is your internal name.  Probably something.local or maybe .lan, both clues that you are an SBS box.  Therefore there's about a 99% chance that your internal IP address scheme is 192.168.16.x
  • Inside that email is your public IP address
  • Inside that email is the “stamp” of what version of Exchange you are on.  So if I see “Produced by Microsoft Exchange V6.5.6944.0” or “Produced by Microsoft Exchange V6.5.7226” I know you either have or don't have Exchange 2003 SP1.  [During the XP sp2 betas the beta testers would read the email headers of the MS folks and track what “next” build number of XP sp2 they were on versus the beta participants.... sick puppies ...weren't we?]
  • Given that last I checked Dr. J's job wasn't to specifically target SBS boxes, I would argue that since you can google the phrase “Remote Web Workplace” and see potential SBS boxes, and get just as much stuff from email headers, the risks are in the same category.
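To make the header clues above concrete, here is an added Python example (not part of the original post) that pulls them out of one message: the .local/.lan internal name, the RFC 1918 addresses versus the public ones in the Received trail, and the Exchange build stamped in the X-MimeOLE header. The message, host names, addresses and the ISP relay are all constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message, not a real capture: mail sent from an SBS-style
# server out through an ISP relay. Every name and address here is made up.
SAMPLE_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.7])
\tby mx.outside.example (Postfix) with ESMTP id ABC123
\tfor <someone@outside.example>; Thu, 30 Dec 2004 18:13:00 -0800
Received: from sbsbox.acmecpa.local ([198.51.100.42])
\tby mail.example-isp.net with ESMTP; Thu, 30 Dec 2004 18:12:58 -0800
Received: from sbsbox.acmecpa.local ([192.168.16.2]) by sbsbox.acmecpa.local
\twith Microsoft SMTPSVC(6.0.3790.211); Thu, 30 Dec 2004 18:12:57 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Message-ID: <0001@sbsbox.acmecpa.local>
From: Samantha <samantha@acmecpa.com>
To: someone@outside.example
Subject: year in review

body
"""

# RFC 1918 ranges: the "inside" addresses the post talks about.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Internal AD/SBS-style names: anything ending in .local or .lan
INTERNAL_NAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:local|lan)\b", re.I)
EXCHANGE_RE = re.compile(r"Produced By Microsoft Exchange V([\d.]+)", re.I)

# The two build numbers the post mentions: 6944 is Exchange 2003 RTM, 7226 is SP1.
EXCHANGE_BUILDS = {"6944": "Exchange 2003 (no SP1)", "7226": "Exchange 2003 SP1"}


def is_rfc1918(addr):
    """True if the dotted quad falls in one of the RFC 1918 private ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def leak_report(raw_message):
    """Pull the clues the post lists out of the headers of one message."""
    msg = message_from_string(raw_message)
    # The Received trail and Message-ID are where internal names and IPs show up.
    trace = " ".join(msg.get_all("Received", []) + [msg.get("Message-ID", "")])

    internal_names = sorted(set(m.lower() for m in INTERNAL_NAME_RE.findall(trace)))
    addrs = set(IPV4_RE.findall(trace))
    private_ips = sorted(a for a in addrs if is_rfc1918(a))
    public_ips = sorted(a for a in addrs if not is_rfc1918(a))

    version = None
    exchange = "not stamped"
    m = EXCHANGE_RE.search(msg.get("X-MimeOLE", ""))
    if m:
        version = m.group(1)
        build = version.split(".")[2] if version.count(".") >= 2 else ""
        exchange = EXCHANGE_BUILDS.get(build, "unknown build %s" % version)

    return {
        "internal_names": internal_names,   # something.local => probably an SBS box
        "private_ips": private_ips,         # the internal scheme, 192.168.16.x here
        "public_ips": public_ips,           # the firm's public address plus relays
        "exchange_version": version,
        "exchange_guess": exchange,
    }


if __name__ == "__main__":
    for key, value in leak_report(SAMPLE_MESSAGE).items():
        print("%-17s %s" % (key + ":", value))
```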

Will I still feel that way in a week.... a month... or a year... maybe not.  Probably not.  But I see that email headers “bleed out” just as much private information that we probably don't realize.

So is Tony right about freaking out about ipconfig postings in the newsgroups?  Probably.  psssst.. just don't anyone tell Tony I posted that....Jeff also states that to post that information indiscriminately in the newsgroup is not wise.  To post internal information in a public manner that is forever googlable is a bad idea.

But I would still argue that email is just as much of a “bleeder“ of information.

So ...what do you disclose about YOUR firm by just sending emails?

Tony posts that one should sanitize the ipconfig /all posting that is done in the newsgroups and I'd like to clarify one point he's made.  He says that you should clean out the 192.168.16.x and 10.0.0.x addresses in your post and I disagree.  While those are class c and class a “private” ranges, they are such well known internal IP address ranges that IMHO you aren't disclosing anything that your email headers don't already give away, and more.  I would recommend taking off an “external” IP address [something your ISP gave you], but posting an ipconfig /all shouldn't be an issue just because it also exposes your ISP's DNS info [and it's not like an ISP's DNS isn't googlable anyway].  We as SBSers don't “host” our own public DNS.

So what are the standard IP addresses that are considered “private” but so used by everyone that it's common knowledge?  There's a page here that talks about the “standards”.  In general in SBS land, back in the SBS 4.0/4.5 days we used a “class a” with a kind of “class c” subnet mask.  What's a subnet mask?  It's the part of the IP address that lets that system know how big of a network range it's going to talk to.

Back in SBS 4.0/4.5 we used 10.0.0.2 with a 255.255.255.0 mask.  That meant that as long as a computer had an IP address that started with 10.0.0.X, our server would “talk” to that system.  You'll also see it noted as 10.0.0.X/24.

Now in SBS 2003 our default “base” range is a classic “C” address of 192.168.16.x [where the server is normally 192.168.16.2].  Again the subnet mask of 255.255.255.0 makes that system “talk” only to the 250-some-odd systems in that range.  What that 255.255.255.255 mask really means is this.

As per RFC 1918, these addresses are “non routable“; they are your “inside“ addresses.  What many consultants do is pick the 172.16.x.x range, which more often than not is NOT in use on a SBS network, and thus any static VPN routing that the internal firm may do won't clash with that consultant's own ranges and settings.

What do I mean by Class “A“ and Class “C“?  These are agreed upon naming ranges for “private“ non-routable addresses.  Typically Class A is 10.x.x.x with a netmask of 255.0.0.0 and Class C is 192.168.16.x with a netmask of 255.255.255.0.  Thus in the SBS 4.0/4.5 days our 10.0.0.x with a subnet of 255.255.255.0 was kinda not exactly the best setup.  Our new default of 192.168.16.x is the proper way to name our internal range.

Class   Range of Addresses
A       Any addresses in 10.x.x.x
B       Addresses in the range of 172.16.x.x-172.31.x.x
C       Addresses in the range of 192.168.0.x-192.168.255.x

Computers really only talk in “on“ and “off“, so 255 is in reality the binary value 11111111.

Reading from right to left, each position is worth double the one before it, and 255 is the total of

128  64  32  16  8  4  2  1  = 255
  1   1   1   1  1  1  1  1  = 255

Which is telling that system to match every single number in the IP “octet“ [the part between the “.“] against the IP address that you are comparing it to.  So a 192.168.16.2 with a subnet of 255.255.255.0 can talk to a 192.168.16.200 that also has a subnet of 255.255.255.0, because the “0“ at the end is telling the system “okay, you talk to ANYTHING in the 192.168.16.1 to 192.168.16.255 range and I won't care“.

See how it works?

So when your ISP gives you an external REALLY PUBLIC IP address and the net mask is set for 255.255.255.248, it's saying the following:

128  64  32  16  8  4  2  1  = 248
  1   1   1   1  1  0  0  0  = 248

And because 1 + 2 + 4 = 7, your ISP has just given you only “that“ many IP addresses that your public IP can talk to [normally a gateway IP address and 6 public IP addresses].  Get it?  [Assuming I'm doing that right, someone correct me if I'm wrong]

So bottom line: when you post your ipconfig /all in the public newsgroups DO clear out any PUBLIC IP addresses that your ISP gave you, but I would argue there's no need to clear out the 192.168.16.x stuff.  It wouldn't take a rocket scientist to know that we're “supposed” to be using those inside our networks.
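To put the mask arithmetic and the “private versus public” distinction above into something you can actually run, here is an added example; it is not code from the original post.  It works out what a dotted-quad mask means for a given address, checks an address against the three RFC 1918 ranges from the table, and, following the bottom line above, blanks out every non-private address in a pasted ipconfig /all before it goes to a newsgroup while leaving the 192.168.16.x entries alone.  The ipconfig text is constructed, and 203.0.113.x is a documentation range standing in for whatever block the ISP handed out.

```python
"""Added example: subnet-mask arithmetic plus an ipconfig /all sanitizer.

Not code from the original post.  The ipconfig text below is constructed;
203.0.113.x is a documentation range standing in for an ISP-assigned block.
"""
import ipaddress
import re

# The three RFC 1918 ranges, matching the class A/B/C table in the post.
RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mask_bits(mask: str) -> str:
    """255.255.255.248 -> '11111111111111111111111111111000' (32 on/off bits)."""
    return "".join(f"{int(octet):08b}" for octet in mask.split("."))


def describe_network(address: str, mask: str) -> dict:
    """What an address/mask pair means: prefix length, range and usable hosts."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return {
        "prefix": net.prefixlen,                   # 255.255.255.0 -> /24
        "last_octet_bits": mask_bits(mask)[24:],   # the octet the post draws out
        "total_addresses": net.num_addresses,
        # the network and broadcast addresses cannot be handed to a host
        "usable_hosts": max(net.num_addresses - 2, 0),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


def is_rfc1918(address: str) -> bool:
    """True for the inside ranges that everybody already knows about."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in net for net in RFC1918)


def sanitize_ipconfig(text: str) -> str:
    """Blank out every non-RFC 1918 address before the text goes public.

    Subnet mask lines are left untouched: a mask is not an address.
    """
    def redact(match: re.Match) -> str:
        ip = match.group(0)
        try:
            return ip if is_rfc1918(ip) else "[PUBLIC-IP-REMOVED]"
        except ipaddress.AddressValueError:
            return ip  # an octet above 255, so not an IPv4 address; leave it

    cleaned = []
    for line in text.splitlines():
        if "Subnet Mask" in line:
            cleaned.append(line)
        else:
            cleaned.append(DOTTED_QUAD.sub(redact, line))
    return "\n".join(cleaned)


# Constructed sample of a two-NIC SBS 2003 server's ipconfig /all output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.9
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

if __name__ == "__main__":
    print(describe_network("192.168.16.2", "255.255.255.0"))
    print(describe_network("203.0.113.10", "255.255.255.248"))
    print(sanitize_ipconfig(SAMPLE_IPCONFIG))
```

The 255.255.255.248 case comes out as a /29 with 8 addresses, 6 of them usable by hosts, which is the “gateway plus public addresses” picture the post sketches; the sanitizer keeps the mask lines because a mask is what tells the helper in the newsgroup whether your subnet is right, and it discloses nothing about your ISP.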

DHCP.

As it's stated here on a web site:

  1. What is DHCP?

    DHCP stands for "Dynamic Host Configuration Protocol".

  2. What is DHCP's purpose?

    DHCP's purpose is to enable individual computers on an IP network to extract their configurations from a server (the 'DHCP server') or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.

I have found that things just work “better” if you let the SBS server be the DHCP “hander-outer”, that is, it, NOT your Linksys/firewall/router, is the one handing out the IP addresses.  Again, if you are migrating from peer to peer this is a bit unusual as you've been used to having a router that does this function.  But IMHO [in my humble opinion] the SBS network works the best [connectcomputer works better, wizards run nicer] if the SBS box is in charge of DHCP and DNS.  If you ensure that the router has its DHCP function disabled BEFORE you begin to set up the system, the SBS box will automagically set up the DHCP/DNS functions.  Go into the web-based interface and adjust the router to have DHCP disabled and then set up your SBS box.  That way it won't see another DHCP server and shut its own down.

If the SBS box sees any other DHCP server [like your router] on its same subnet it will shut its own DHCP server down.  Don't forget to run the VPN wizard, as I've seen my server want to turn RRAS into a DHCP server without running that wizard.

Probably the number one asked question back to posters in the newsgroup is

“Please post the results from ipconfig /all at both a workstation and a server”

So many issues with a SBS network are “fixed” with the right Internet Protocol configuration on the server.  It's amazing how people can go through the wizard and not “get” what they are trying to set up.  I think it's because they are coming from peer to peer and one network card setups and are now reading about different ways to set these networks up.  Many people expect that there should be an “Internet connection sharing” tab on the server, but we don't do things like that. 

The most recommended diagrams to follow for setting up a network can be found here:

While you can do a one nic setup as discussed here: How to Configure a SBS for Full Time Internet Access with a Single Network Adapter:
http://support.microsoft.com/kb/309633  I personally feel that two nics is more “separated“, more flexible and I just feel more comfortable with the wizards of SBS than the configuration of a hardware firewall.

The other KB that talks about two network cards is listed here: How to Configure Small Business Server for Full Time Internet Access with Two Network Adapters:
http://support.microsoft.com/kb/306802

Basically you point to the server, the internal IP address for all your DNS entries.  You only put in the ISP's DNS information into the DNS configuration as “forwarders“.  This is done automagically in the “connect to Internet“ wizard, but you can see the impact in the Admin tools, DNS.  Right mouse click on the server name, click on the “forwarders tab“ and you can see where the wizard put in the ISP's forwarders.

See?  That's the ISP's DNS that I placed in my box when I ran the connection wizard.  You don't put that information in the Network card properties as DNS as you would normally in a peer to peer with a Linksys.

This “separates“ and builds a wall between the inside and the outside to better protect you.

So next time you are having issues with your network, review the settings.  Start, command prompt, type in ipconfig /all and hit enter.  Copy what you see there, and paste it into the newsgroups and have us check why you are having issues!
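The things the “please post your ipconfig /all” request is really checking for (DNS entries pointing at the SBS server with the ISP's DNS only in the forwarders, DHCP leases coming from the SBS box and not the router, a default gateway that is actually on the subnet) can be scripted.  This is an added example, not code from the original post or from Microsoft: it parses the Windows XP / Server 2003 style ipconfig /all layout into adapters and flags the usual misconfigurations.  The two workstation outputs are constructed, and 192.168.16.2 is assumed to be the SBS server's internal address.

```python
"""Added example: parse ipconfig /all (XP / Server 2003 layout) and sanity
check it against the SBS rules described in the post.  Not the post's own
code; the sample outputs are constructed and 192.168.16.2 is the assumed
SBS server address.
"""
import ipaddress

SBS_INTERNAL_IP = "192.168.16.2"   # assumed: the post's default server address


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {setting: [values...]}}.

    Adapter headers are unindented and end with ':'; settings are indented
    'Key . . . : value' lines; extra DNS servers sit on continuation lines.
    """
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.rstrip()[:-1]
            adapters[current] = {}
            continue
        if current is None:
            continue                      # the 'Windows IP Configuration' block
        if ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.replace(".", "").strip()
            adapters[current][last_key] = [value.strip()]
        elif last_key:
            adapters[current][last_key].append(raw.strip())
    return adapters


def check_sbs_client(adapters: dict, sbs_ip: str = SBS_INTERNAL_IP) -> list:
    """List the problems a newsgroup helper would point out; empty means OK."""
    problems = []
    for name, cfg in adapters.items():
        if "IP Address" not in cfg:
            continue                      # media disconnected, nothing to check
        dns = cfg.get("DNS Servers", [])
        if dns != [sbs_ip]:
            problems.append(f"{name}: DNS Servers {dns} should be only the SBS "
                            f"server {sbs_ip}; the ISP's DNS belongs in the forwarders tab")
        if cfg.get("Dhcp Enabled", ["No"])[0] == "Yes":
            dhcp = cfg.get("DHCP Server", [""])[0]
            if dhcp != sbs_ip:
                problems.append(f"{name}: DHCP Server {dhcp} is not the SBS box; "
                                "another DHCP server (the router?) is handing out leases")
        ip, mask = cfg["IP Address"][0], cfg.get("Subnet Mask", ["255.255.255.0"])[0]
        gateway = cfg.get("Default Gateway", [""])[0]
        if gateway:
            subnet = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            if ipaddress.IPv4Address(gateway) not in subnet:
                problems.append(f"{name}: gateway {gateway} is outside {subnet}")
    return problems


# Constructed: a workstation still getting its settings from the router.
BAD_WORKSTATION = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : ws01

Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.16.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DHCP Server . . . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
                                       203.0.113.53
"""

# Constructed: the same workstation after the SBS box took over DHCP and DNS.
GOOD_WORKSTATION = """\
Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.16.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.2
   DHCP Server . . . . . . . . . . . : 192.168.16.2
   DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_WORKSTATION), ("good", GOOD_WORKSTATION)):
        print(label, check_sbs_client(parse_ipconfig(text)) or "looks fine")
```

Paste a real ipconfig /all into the script in place of the constructed text and it reports the two classic symptoms of a router that was never taken out of the DHCP business: leases from the router and the ISP's DNS sitting in the workstation's DNS list instead of in the server's forwarders.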



Syntax:  ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]

/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.

/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.

/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.

/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.

/?: Displays help at the command prompt.


To display the basic TCP/IP configuration for all adapters, type:

ipconfig

To display the full TCP/IP configuration for all adapters, type:

ipconfig /all

To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:

ipconfig /renew "Local Area Connection"

To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:

ipconfig /flushdns

To display the DHCP class ID for all adapters with names that start with Local, type:

ipconfig /showclassid Local*

To set the DHCP class ID for the Local Area Connection adapter to TEST, type:

ipconfig /setclassid "Local Area Connection" TEST

If you are like me you might have a client that has an old server lying around because they just [or they will] be upgrading to SBS 2003 from SBS 4.5 because...well... THEY SHOULD!  Here are some ideas for that old server:

  • Can you reuse it? How old is it?  Mine was 3 years old and just a month before “dropped“ a harddrive [and running out of room] and with dual processors, 2 gig of Ram was just fine for a member server, a terminal server, AND in my case, for running the “lunch order“ Live Communication Server 2003 [which I have because I had Software assurance on SBS 2000]
  • Can you load Windows 2003 on it? If that was running SBS 4.0/4.5 and the server is “THAT“ old, you might not want to put it back in service and you certainly don't want Windows NT on it.  I personally would recommend Windows 2003 on any “side server“. Now keep in mind that for any XP operating systems you had in place before Grey Lancaster and I went to the Windows 2003 Server launch in San Francisco [that's April of 2003 if anyone is counting], you can get grandfathered TS CALs.  Because I had Software Assurance on Windows XP, in my case it was as easy as going to my TS box, indicating that I had an Open Value/Volume licensing agreement, putting in my agreement and authorization codes, the number of XP Pro licenses I had via that program and voila.  I have TS CALs on the 2003 box.  For my OEM ones I'd have to figure out which ones were purchased before that date, crawl on the floor with a magnifying glass to read the Product key code off the Dell sticker and place them into the transition web site.  I'll stick with the ones from the SA plan.  Lots cleaner.  Too many dust bunnies on the floor :-)
  • Can you donate it?  But be careful here, before you donate ANY computer equipment with a harddrive to any charity [workstation/server] take that harddrive and ensure that it is totally and utterly and completely scrubbed.  You cannot merely reformat, this takes a Department of Defense level “drive wipe“ to ensure that it is cleaned.  You are literally writing “1's“ and “0's“ to the drive.  A story in the IEEE security and privacy magazine has excellent resources on scrubbing that drive.

Remember fondly SBS 4.0/4.5...but do exactly that.... remember it...don't run it anymore.  Come up to SBS 2003 where things are much better!

I'm reading Directions on Microsoft's Top 10 issues that Microsoft has for challenges in 2005 and I'm pulling one paragraph out that in particular [I think] needs clarification.  In the Directions on Microsoft article they state:

“Security has always been near the top of our Top 10 list, but despite laudable efforts by Microsoft, such as a drop-everything-else code review, security is still a problem. In fact, the bad guys seem to be winning. Before anyone gets on the Internet the first time these days they need a PC already protected by the latest service packs and security patches, an antivirus program, an antispyware program, and training on how to avoid phishing exploits. Although Microsoft arguably bears little direct responsibility for these problems, the company has the most to lose if these security issues persist. Furthermore, Microsoft is in the best position of any vendor to address the problems. Some useful next moves? Make it possible to run Windows all day without requiring administrative privileges and work with other players on standards that will make it easier to authenticate the senders of e-mail.

"Security problems raise the cost of managing Windows clients, and make the perennial thin-client alternative more viable. This year, Microsoft has to deliver the improvements it promised for patching corporate PCs, and not let development of future product versions interfere with keeping current ones secure."
—Michael Cherry, Lead Analyst for Windows”

Mr. Cherry?  Office applications and Internet Explorer run FINE as a user and do not need administrative privileges.  It's my stupid APPLICATIONS that are coded stupidly that need these rights.  And even in SuSe [a Linux distribution] there are times, to adjust the monitor, to apply patches, to install software, that you need to sudo [the equivalent of Administrator rights, or the Windows equivalent of RunAs].  I just recently loaded up SuSe and looked in absolute horror at this screen:

See that box that says “Keep password“?  You and I both know that your home user/end user is going to click that box and say “sure, save my password“ because it's a pain to type in that really long strong password I gave the machine when I built it.  What's the insecurity [or insanity] of saving the administrator password so the next worm du jour that blasts through a SuSe box will have admin rights?  We cannot dumb down these desktops like this and keep these boxes secure!  The bad guys are winning and the sooner we all figure out that we should be fighting “them“ and not fighting over “who has the better Operating system“, the better off we will be.

Look at these applications in my office that REFUSE to run in user mode.  So I ask you?  Who's at fault?  Microsoft applications DO run in user mode.  It's my third party stuff that doesn't.  I say that it's not Microsoft that needs to make 'Windows' run as user, but rather that we get tools to help us identify how stupidly these applications are coded and then go and beat up THOSE vendors to make them either set the right permissions as they load on “just that registry key” or code better in the long run.  I don't need them to make Windows run as a “user” ...it does... I need Microsoft to give me tools to help me identify my vendors that are the dumb ones.

Ask for the right solution to the real problem, I say.

Directions on Microsoft released its “Top 10 Issues that Microsoft has to overcome for 2005” and included in there were a couple that caught my eye in Silicon's version:

• Better security - "despite laudable efforts by Microsoft, such as drop-everything-else code review, security is still a problem… In fact, the bad guys seem to be winning."

• Doing a better job of convincing customers they can get more out of their software by deploying newer versions.

and lastly

• Making the PC a home entertainment hub, not trailing integrated digital lifestyle approaches at the moment led by others, notably Apple.

That one caught my eye in particular because everyone that I know that has a Media Center Edition computer says it does EXACTLY that.  Now while “I” would love it to natively be a domain member out of the box [you can do it if you install it from scratch] the reality is, in my opinion the product is already there but like the Tablet PC, the “ooh ahh” of getting it out in the marketplace needs to be majorly worked on.  The display I saw at CompUSA the other day underwhelmed me a bit.  You almost need to have a living room set up to showcase this.

So read that list.  Do you agree?  What are “YOUR“ top ten issues for 2005 that you'd like to fix?

Posted Sun, Dec 26 2004 15:22 by bradley | 1 comment(s)

It's Christmas evening and Julie Andrews is singing about her favorite things and I thought I'd take this time to talk about my “favorite things” [at least related to technology and SBS].

  • The communities of Small Business Server - more than even the technology of SBS, the “we share, we win“ attitude of all the communities out here.  If you haven't joined in one of the communities... we have lots of variety of ways to “community“ out here so if your “thing“ is newsgroups, or yahoogroups [from business to technical to beyond], or web forums, we've got lots of options.  For each one of you that takes the time to share your expertise, THANK YOU for doing that.  You are what makes the communities so strong and so valuable.  Pat yourself on the back for doing what you do every day.
  • The people of the SBS family who night and day, via email, or IM respond to anytime any day that I “say I need help, I'm stuck“ whenever I need help [or are just there when I need to rant about something].
  • The people who work at Microsoft who work on SBS.  From Mothership Redmond, to Mothership Las Colinas, to Mothership Shanghai and to our future Mothership Bangalore, the people I know that work on SBS tend to go an extra mile, walk a little farther, and certainly some of you guys and gals stay up all hours of the night. 
  • My fellow Microsoft Most Valuable Professionals who day in and day out do what they do because they want to help others make their systems just work.  You guys inspire me with your passion and knowledge.  You guys do what you do to help people and definitely believe in the concept of “pay it forward“.
  • The people who work at Microsoft that I know in “weedy” areas and security.  The attitude on the “outside” is that Microsoft doesn't care, but whenever I meet people on the other side of the wall, I see people that I know care, and in fact sometimes feel just as passionately as we do out here about getting things “fixed” in security.  I think we're constantly going to be fighting the good fight against the bad guys no matter what platform, browser, you name it.  Yeah there is still a lot to be done, a lot to be fixed, but as I've seen the patch engines move to two engines, the fact that they are willing now to 'break things' is promising.  It's only by us out here working with more folks “in there” that more changes can be made.   

Happy Holidays everyone!

Posted Sat, Dec 25 2004 23:26 by bradley | with no comments

And here's to a happy new year.  So far we haven't blown anything up for the day's events.. but the day is young.  :-)  To everyone, to all of yours, here's hoping you have a very happy holiday season.

Stay safe, stay secure, use IE in high security and “let's be careful out there“. 

 

Posted Sat, Dec 25 2004 13:30 by bradley | with no comments

Was in the newsgroup and was finding this KB for a person with POP issues and thought I'd post it to the blog:

How to troubleshoot the POP3 Connector in Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;885685

A couple of other KBs that might help as well.

Exchange Server Connector for POP3 Mailboxes deliver multiple copies of messages:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;264249
How to use the POP3 Connector:
http://blogs.msdn.com/sbsdocsteam/archive/2004/11/15/257881.aspx

Many times I see POP not pop when people add a new email address not of the same domain, which “breaks“ the AD/mailbox glue.  Rerunning the connect to Internet wizard normally fixes it right up.

[Snap, crackle and pop refers to Rice Krispy cereal which makes me start thinking of Rice Krispy Treats ...oh man, there goes the diet resolution again...dang...]



 

Posted Fri, Dec 24 2004 12:39 by bradley | with no comments

So there you are backing up every night and it's going beautifully.

Uh.. one thing.

Have you checked that backup?  Gordon blogs about the lovely “case of the missing backup”.  Can't we all relate to that tale.  What you thought was working, wasn't?

New Year's resolution folks.

Test the backup.  So ...how do you test it?  The better question is how much time and effort do you want to spend in testing.

  • Minimum test - rename one file - restore that one file
  • Moderate test - rename a folder - restore the folder
  • Mucho giant test - restore the entire server

That last one is a bit extreme for a production network mind you.  Remember the backup and restore documents I pointed to the other day?  I'd say at least do a minimum test or a moderate test.

P.S.  Chad adds one more moderate test -- restore the system state to an alternative location.  ....... you do backup the system state..... right?  :-)

Just around the corner, we're getting ready for ISA 2004 on our SBS boxes, and in January, there's a whole week of ISA 2004 webcasts to whet our appetite.

ISA Server 2004: Maximize Application Security and Performance:
http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx

January 17 through the 21st get ready for deploying info, administering, detailed info, the whole works from the ISA 2004 team.  Then there are also virtual labs you can play around with.

TechNet Virtual Lab: ISA Server:
You can even order a trial version of the software to play with on a separate server or a Virtual server.

Remember that as part of SBS 2003 sp1, Premium customers will get ISA 2004, but if you are a SBS VAR/VAP, you may want to start looking at this now.

 

Remember how I said earlier that if you were in Australia you were in luck because you had not one, not two but three MVPs presenting down under?  Oh, Canada, can you say TEN?  Book your plans in January, if you are ANYWHERE near Toronto, get ready for a SMBnation Day event that is turning into a MUST GO TO event for the Northerners.  At last count, about 10 SBS MVPs from across the US and Canada will converge in attendance at the Day Summit. 

First up MUST GO TO EVENT

SMBNation Summit in Toronto

Harry Brelsford is on the road with his SMBNation summit, a full day event filled to the brim with information that is always a hit.  Click here to register to get SBSism, lunch and Harry's SBS “bible”.  The bonus is that among the MVPs attending, you can meet several of the chapter authors that contributed to Harry's soon to be released Advanced SBS book [You know, the one I've been talking about that has the tips on Security and User mode?]

Later THAT EVENING, THE PLACE TO BE is  

TechNet Canada and the Toronto Windows Server User group plays host to two session speakers you know from the SBSworld as they welcome the SBS community!

Harry will spin a brief farewell with a “year in review” of SBS 2003.  Plus, sit back for an hour, Jeff Middleton is stepping up [or is it dancing?] for a Swing Migration presentation, the same one the Aussies saw just last month.  Click here to register for THAT event

SBS MVPs and SBS Family members are getting together and it's turning into a north of the border version of the Seattle SBS fest, and a north of the equator redux of the Swing It!! tour.  If you are one of our Northern neighbors... sign up....and if you're near the border.... get your birth certificate in order and GO!
