[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] February 2005 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA


I had this bizarre dream this morning.  You know that morning dream you get when you go back to sleep for a bit..the one in which you dream really really bizarre stuff?

I had this dream that in order to promote LUA and least privilege user mode and all that ... Bill Gates was Grand Marshal of the Pasadena Tournament of Roses Parade.

Now exactly HOW being grand marshal would promote running as a restricted user ... I have no idea... but that was my crazy dream this morning.

Now given that the Grand Marshal tends to set a theme for the floats...and the theme was LUA and least privilege... I have no idea how the flower covered floats would look.  I didn't dream that far into the details and just woke up going.... okay how exactly did that idea get into my head?

Okay... I really need a life   :-)

Oh my gawd...the enemies are out there....oh no...they are in here.... The Security mentor brings up something along the lines of my password issue..... it's an issue I call “the balance”.  Every day, each one of us takes our expertise and talent and tries to balance the forces of needing to do our jobs and needing to secure the information we are caretakers for.  The most secure information is locked up away, never shared.  But....you see.... the best solution to our problem might be to share that information.

So every day we connect and communicate and open the holes and go through the firewall and pass the syn acks and all that. 

And every day we balance the access with the abilities it brings.  Push your end users too much security restrictions and you restrict interaction and stifle creativity and business.  Enable freedom too much and you have insecurity all over the place. 

There's a balance...and that balance costs. 

One of the ways to help set the line, to help determine the right costs for that balance, is analyzing and putting mental boundaries around data.  Even if your computer systems don't categorize data as “high”, “medium” or “low” risk, you should.  What is the data that should never ever be let out the castle gates?  Make sure everyone in the office knows to treat that data as carefully as possible. 

When it comes right down to it a lot of this really comes down to the 'people' part of the equation.  Make compliance with 'doing the right thing' too hard and people will find ways around it.  Make the choices easier to do, and people don't mind 'doing the right thing'.

Sometimes the worst enemy of all.... is you.

For all my talk about security I'm going to bare my soul to you all.  I do something very very dumb.

I do a very stupid thing.  One that my fellow Security gurus beat me up over [and rightfully so].

Like Gavin, there are times I need to log into “THE PROFILE”.  Not the admin profile, not a generic profile, but THE profile of the person that will be logging into that system come Monday morning.  So I need their password.  Yup, not too smart is that?

So either I have to do what my Security Gurus do, like Gavin, and force people into changing their password every time I need to manually install something or ensure that a server deployment went as it should, or I have to figure out some other way of installing updates on a weekly basis, ensuring that the desktop experience is “perfect” and not jeopardizing accountability in the process.  I'm still personally struggling with the right answer.  I mean I'm totally violating authentication here.  Yeah, I know, totally NOT smart, I'll be the first to admit it.

Steve Friedl says this is something that is done all the time in the 'Nix world.....and while many times if one OS has something the other OS has it too, this is one area where I'm not sure I can find a Windows equivalent.  Red Hat does have the same ability to age passwords and force certain policies with addons and other built-ins.  So if you can log in as an admin in Red Hat [or a similar 'Nix distro] and then go into the profile experience of a user on that system.....sooooo.....why can't we do that in Windows?  I'm the Administrator of my network .... so why can't I get into the profile of that user without jeopardizing accountability in my network?

The real problem that “I” have, is exactly what Dr. Jesper Johansson says:

“The best practice is not to make the same person responsible for both security and system administration. “

And that's exactly the problem I have.  I'm both.  I'm trying to make the desktop experience 'automagically' for my users, and at the same time, trying to keep us secure.

So I know that the folks that do consulting normally do force the user to change the password like Gavin does.  What do you do in a similar situation?

Me, I'm hoping some folks north of me will listen up and maybe in that OS that I'm tired of hearing about [pssss.... goes by the name of that cow with big horns that I'm tired of hearing about so I won't even say it's name], will do something about my problem.  Either that or maybe I need a upgrade in policies myself.

I think I'll probably end up upgrading myself to the next paranoid version.  :-)

To manually update TREND:

Otherwise on March 3rd it will get the necessary update.  [me I'm waiting]

Follow these steps to manually update your ScanMail scan engine:

1. Open your Web browser and type the following URL address:

http://www.trendmicro.com/download/engine.htm

2. Download the scan engine for your program version of ScanMail.

3. Stop the ScanMail Real-time Scanning services (Select Start > Programs > Administrative Tools > Services > ScanMail_RealTimeScan > Stop) and make sure that no scheduled scans are running.

4. Double-click the downloaded file and unzip it.

5. Copy all files to the ...\Trend\Smex directory, which overwrites the existing files.

6. Restart the ScanMail Real-time Scanning services (follow the steps in number 3 above, but substitute Start for Stop).

Excerpted from ScanMail for Exchange on-line help.

Trend Vulnerability

This vulnerability exists in the ARJ archive file format parser.

The ARJ archive file format is too flexible, especially in the file name field in the local header. This file name is stored as a null-terminated string and limited only by the overall size of the local header (the local header size is stored as a 16-bit value and is limited to 2,600 bytes only).

If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access.

Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. This specially-crafted file could possibly execute arbitrary code.

The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189
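The flaw the advisory describes, as an added illustration that is not Trend's code: a simplified local header (assumed layout: a 16-bit little-endian size field followed by the null-terminated file name, the only two fields the advisory discusses) is parsed first the unbounded way and then with the size and length checks a fixed engine needs before touching the 512-byte buffer.

```c
/* Added illustration, not Trend's code.  Assumed simplified local header:
 *   [u16 little-endian header_size][null-terminated file name][...]
 * Only the two fields the advisory discusses are modelled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE   512    /* fixed name buffer the advisory mentions */
#define MAX_HEADER_SIZE 2600   /* largest local header the format allows */

struct entry_ctx {
    int refcount;
};

/* The name buffer sits directly in front of a pointer, mirroring the
 * layout the advisory describes: an overflow lands on the pointer. */
struct arj_entry {
    char              name[NAME_BUF_SIZE];
    struct entry_ctx *ctx;
};

/* Vulnerable pattern from the advisory: unbounded copy of the name,
 * then a write through the pointer that the copy may have overwritten.
 * Shown for contrast only; it is safe here solely because main() feeds
 * it a short, well-formed header. */
static void parse_entry_vulnerable(const uint8_t *hdr, struct arj_entry *e,
                                   struct entry_ctx *ctx)
{
    e->ctx = ctx;
    strcpy(e->name, (const char *)hdr + 2);   /* no length check */
    e->ctx->refcount++;                       /* uses possibly clobbered pointer */
}

/* Hardened version.  Validates the declared header size against both the
 * format limit and the bytes actually available, then requires the name's
 * terminator to fall inside the header and inside name[].
 * Returns 0 on success, -1 on any malformed or oversized input. */
int parse_entry_safe(const uint8_t *hdr, size_t avail, struct arj_entry *e,
                     struct entry_ctx *ctx)
{
    if (avail < 2)
        return -1;
    size_t hdr_size = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    if (hdr_size < 2 || hdr_size > MAX_HEADER_SIZE || hdr_size > avail)
        return -1;
    const char *name = (const char *)hdr + 2;
    size_t max_name = hdr_size - 2;       /* bytes the header can hold */
    size_t len = 0;
    while (len < max_name && name[len] != '\0')
        len++;
    if (len == max_name)                  /* terminator not inside header */
        return -1;
    if (len >= NAME_BUF_SIZE)             /* would overrun name[] into ctx */
        return -1;

    memcpy(e->name, name, len + 1);
    e->ctx = ctx;
    e->ctx->refcount++;
    return 0;
}

/* Constructed test input: a header whose name is name_len 'A' bytes.
 * Returns the header length written, or 0 if it does not fit. */
size_t build_header(uint8_t *out, size_t out_size, size_t name_len)
{
    size_t total = 2 + name_len + 1;
    if (total > out_size || total > 0xFFFF)
        return 0;
    out[0] = (uint8_t)(total & 0xFF);
    out[1] = (uint8_t)(total >> 8);
    memset(out + 2, 'A', name_len);
    out[2 + name_len] = '\0';
    return total;
}

int main(void)
{
    static uint8_t buf[4096];
    struct arj_entry e;
    struct entry_ctx ctx = { 0 };
    size_t n = build_header(buf, sizeof buf, 100);     /* benign name */
    parse_entry_vulnerable(buf, &e, &ctx);             /* fine only because it is short */
    printf("safe parse of 100-byte name: %d\n", parse_entry_safe(buf, n, &e, &ctx));

    n = build_header(buf, sizeof buf, 2000);           /* fits the header, not name[] */
    printf("safe parse of 2000-byte name: %d\n", parse_entry_safe(buf, n, &e, &ctx));
    return 0;
}
```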


Posted Sat, Feb 26 2005 10:11 by bradley | with no comments

We make a huge thing about making sure that we build in backups, disaster recovery, redundancy, but there's one thing that unless you have your own true backup and redundancy, you only have about 30 minutes that separates you between all the technology at your fingertips and whipping out a Dixon Ticonderoga.

Today at about 3:45 p.m. all of a sudden all of our battery backups on all of our workstations and servers started madly beeping even though the power was still on.  It appeared that we were having a bit of a brownout and our battery backups were kicking in to make up the difference.  [And yes, we'd found that buying EVERY workstation a battery backup is cheaper than possibly losing a spreadsheet or project when the power goes out.  We make sure there's even a backup battery on the phone system and the network switch so we can quickly save and shut down our workstations.]  About 4 p.m. the power straightened up and we went on with our day.

Well tonight about 7:30, we're working along and “BEEEEEEEPPPPPP” there goes the power again.  While we did have the functional battery backups, I found we needed one more thing.  Emergency power lights.  We have one in the office that turns into a flashlight, but obviously not enough.  I found myself walking down the hallway with one hand on the wall visualizing the doorways and openings to get to where the emergency flashlight was.  We shut down the server fully this time since we felt that the power truly was going to stay out for a bit this time.

Check those battery backups... yank the cord of the UPS from the wall and make sure that your workstations and servers stay up ....long enough for you to turn them off.

The moral of this story is that for all our worrying about “up time” and “true redundant servers” and “ redundant DSL connections”, sometimes what you really need most in the world is just a flashlight so you can go turn off the server and go home early for the night.

I don't host web sites on my servers and hire others to host them for me.  But you have to rely on their security practices to ensure all is well.  Well tonight, thanks to David Svirskis, I got my own wakeup call of how bad it's getting out there to “browse” on the Internet.  David emailed me with the warning that my little SBS web site that I use to throw up pages here and there was the site of a trojan, Java/Shinwow.Q!Jar!Trojan to be exact.

Steve Friedl, Security MVP looked at the offending file and found that it was trying to indeed hijack web browsers.

So for now if you go to my site sbslinks, the home page isn't there as I temporarily moved it and replaced it with a temporary page.  I've emailed Readyhosting.com to have them clean up the site and take action.

Just kinda feels a bit weird when a web page I set up to help others, ends up being a bad guy.  Downright creepy actually.

Trend Micro has a security issue that needs an engine update.  The updates are here, but I'll check to see if they automatically come down via the autoupdate.
Posted Thu, Feb 24 2005 21:02 by bradley | with no comments

On the blog comments today comes a passionate post that I'd just like to respond to because it points to a Microsoft partner that I came across once upon a time...the glass is 1/2 empty partner....

Scott in the blog comments rants that SBS is a “bait and switch” because it's limited to 16 gigs of Exchange storage space under all versions of SBS and to go to the next level of 16 terabytes you have to fork out for the Exchange Enterprise version which is like $4,000.

First off, while I agree with Scott that there's a need out here for a “mid” sized SKU for Exchange... dude, you DO realize that SBS includes Exchange “Standard” and thus even if you buy standalone products you are stuck with the 16 gig even at the Exchange standard version.

Exactly what “are” you installing for your small business clientele if you “are” a Microsoft partner.  Hopefully not 25 user peer to peer networks?

You sir, are exactly the type of Microsoft partner that I ran into when I was looking for one back in the SBS 2000 days.  “SBS is too limiting” they said.  “You'll outgrow it”.... they said.

Guess what dude... I'm still on it. 

Yeah 16 gigs is too limiting..but blasting my blog comments isn't going to move any mountains.  Making a calm argument, which is what we're doing, will.

And Scott what are you a blog spammer tonight or something?  You've blog commented the same rant three times.  Enough.  You've said what you've had to say, and if you post one more comment I will remove it.

The glass is half full and we're asking for a refill.

P.S. Do remember that every gig more of Exchange storage is potential for liability, legal issues, and disclosures.  It increases your business risks to be that much of an email hog.  Keep in mind that all those terabytes are discoverable.  Sometimes forcing people to keep neat and tidy mailboxes “is” a good thing.  Just ask Enron, Arthur Andersen and Martha about email and courts...they might disagree with you on mail retention policies.

From the mailbox today comes this tip from WayneV

While I was trying to find an answer to a web based program/IIS problem I stumbled on a checkbox worth mentioning.

I was getting the error:

The page cannot be displayed

There is a problem with the page you are trying to reach and it cannot be displayed.

---------------------------------------------------------------------------

Please try the following:

Open the 12.3.45.254 home page, and then look for links to the information you want.

Click the Refresh button, or try again later.

Click Search to look for information on the Internet.

You can also see a list of related sites.

HTTP 500 - Internal server error

Internet Explorer

Which tells you practically nothing.

However, if in IE you turn off "Friendly HTTP error messages" by choosing Tools - Internet Options - Advanced, you get the real program error message and line number of the error, which makes it a hell of a lot easier to solve. -Sheeeesh

Posted Thu, Feb 24 2005 12:40 by bradley | with no comments

If you are reading this blog...if you install computer systems.... you should already be signed up as a Microsoft registered partner [if not, click here to enroll].  But now that you've done “that”.... how about we “bamm” it up a bit shall we?

I was out on the Microsoft Partner site and if you are a registered partner that specializes in SBS... you need to enroll in the Small Business Partner Engagement Program:

Check it out!  Cool look at the emphases of SBS, Office and XP with Service pack 2 [aka the Security triangle in my book]

Enroll in the Partner Engagement Program for Small Business! Designed for resellers with small business clients, this program will support your marketing and sales efforts for Microsoft Windows XP Professional (with Service Pack 2), Microsoft Office Small Business Edition 2003, and Microsoft Windows Small Business Server 2003.

With over 7 million small businesses in the U.S., the small business market revenue opportunity is huge - and it's growing every day. You can share in this substantial opportunity by actively promoting the benefits of Microsoft® Windows® XP Professional (with Service Pack 2), Office Small Business Edition 2003, and Windows Small Business Server 2003.

As a member of the Microsoft Partner Program, you're well-positioned to provide your customers with services designed to improve their business productivity while generating incremental revenues for you. To start expanding your service and revenue opportunities right away get involved and sign up for this Small Business Engagement Program!
 
Update:  Look to your local/regional partner program for equivalent “go to marketplace” offers ..for example I know the UK site has a great resource in a “meeting in a box” that is offered along with info on Home Computing Initiative.

In yesterday's mailbox came the email from WindowsITPro with an article/commentary by Paul Thurrott and in it he talks about IE 7.0:

“IE 7.0

The biggest security hole in any Windows system is IE. Although Microsoft made many important improvements to IE in Windows XP Service Pack 2 (SP2), the product is still a conduit for spyware and other malicious software (malware), phishing probes, and numerous other electronic attacks. Microsoft is going to attack the problem at the source: Rather than wait for the release of Longhorn in 2006, which was the original plan, Microsoft will ship IE 7.0 in late 2005. At least two public betas will ship around midyear. As with SP2, IE 7.0 will include sweeping security fixes and, possibly, heavily requested features such as tabbed browsing.

There's a catch, however. IE 7.0 will be made available only to XP SP2 users. That's right. Customers still using earlier XP versions, Windows 2000, or Windows 9x are out of luck. This kind of forced upgrade in the name of security is dangerous, in my opinion. Although I agree that XP SP2 includes low-level security features that aren't present in other OS versions and would be difficult or time consuming to add, forcing customers to upgrade an OS--with all the inherent time, difficulty, and cost associated with such an effort--is problematic.”

uh.... folks... newsflash for ya.... Windows 9x has no security so to even expect something that can protect us like we need to be protected in the year 2005 when the underlying code was probably written back in... oh... say 1996 or 1997 is a bit much.  The same goes for Windows 2000 to be honest with you.  I'd probably say that my first real awareness of Security was back on the SBS 2000 platform in the “code red” days.  Windows XP sp2 and Windows 2003 both are better built to withstand today's threats.

  • 98 has no event viewer and thus none of the benefits of the web site www.eventid.net
  • 2000 has none of the built-in protections that XP has.
  • XP sp1 doesn't have the additional protections that sp2 has

Someone once said that you can't bolt security on afterwards.... you definitely can't with Windows 98.  It has no security.

I have full XP sp2 here in the office with the firewall enabled INSIDE the firm for additional protection.  Believe me, I sleep a lot better knowing that I've killed off Windows 98.

Posted Wed, Feb 23 2005 20:27 by bradley | with no comments

So Dean posted about an article in Windows IT pro and one of the commenters was pointing once again to the “Myths of SBS”:

Unless you're a really small business running only 1 win2k server to take care of all of your needs, SBS 2003 might be the option for you but I would steer clear of this product. You must setup SBS 2003 as a domain controller, if you don't, it's a violation of the eula and the server will power itself down after 7 days and every day afterwards. If you have other servers at your site and possibly other sites with other domain controllers, SBS 2003 won't play nicely with them. It's a domain controller of a different flavor, no other DC's are allowed in this domain, it's like a single tree in a single forest (why do you call it a forest if there's only 1 tree?). Also, aside from its packaging indicating that this is an easy product to install & maintain for the non-IT person, real world experience indicates that this is most definitely not the case. If you can stick with Win2K server if that's what you're currently running for as long as you can. It's a rock solid server product without all of the headaches & XP'ish eye candy that SBS2003 brings to the table. If you plan on going with SBS2003, plan on increasing the amount of time you spend at your workplace by the amount of time you'll be reducing your sleep time by. IMHO, 2 thumbs down for SBS2003! 'nuff said.

Arrrggghhh...... will folks get out of the NT world please?  We CAN have additional domain controllers, we just have to be the PRIMARY domain controller and hold all the FSMO roles.  When will everyone understand that we can add as many additional domain controllers as we want to?

Next, Windows 2003 is way more rock solid than Windows 2000... IIS 6 is ROCK solid over IIS 5...nuff said.

The SBS2003 platform shows the “lowered profile“ both in terms of services turned off as well as the Enhanced IE lockdown... nuff said.

Then the article never talks about the killer app of SBS which is Remote Web Workplace....nuff said.

Run with XP's and they use cached credentials such that the issue of a [so rarely down it's not funny] domain controller is a non issue...the workstations log into the domain profile no sweat....nuff said.

Oh well... I guess if people didn't post this kind of stuff I wouldn't have things to rant about on the blog.....nuff said.

The recording is now live [click here] on the web for Jeff's SBSMigration method

“We will be talking with a SBS MVP [Jeff Middleton] about benefits of deploying SBS 2003. Swing Migration – Windows Domain Upgrade Method - This unique technical solution can redefine your SMB business and server support model, even put an end to the “business shutdown” or “the long-weekend server upgrade” approach to Windows Server and SBS upgrades. Direct shifts from NT4.0 Server to Windows 2003 domains become possible, as does a clean server installation recovery of Active Directory, salvage from a damaged solo Domain Controller or backup. Swing Migration delivers a clean installed OS platform, (with or without hardware replacement), retains the same server-name, same domain. ADMT is not required, no SID changes, no UNC namespace break, just a transparent server upgrade that includes the confidence of not impacting the workstations. This documented process keeps a customer’s domain in production, allows a full server replacement for complicated Exchange based organizations on a single domain controller such as SBS operating as a file server as well. Your technician can work offsite, offline, open-timeline and with nothing to undo if unexpected issues arise.”

Posted Tue, Feb 22 2005 23:50 by bradley | 1 comment(s)

From the mailbag today comes the question from Dick about moving from an hourly basis firm to a SLA [service level agreement and/or maintenance contracts].  He asks “The big question is of course at what price level can I start for let's say full support (telephone, remote, patches, upgrades?)”.

The first thing I'm going to tell you is that I'm only one person in Fresno, California and you need to “bounce” ideas off of other consultants, especially those in your region [remember too I'm more of a SBS admin per se], but in general I can tell you what is happening in the SBS marketplace:

  • Blocks of time -- first off consultants are starting to sell blocks of maintenance time.  No computer system is an “install and walk away” these days, so many consultants have these blocks of time. 
  • Remote access means you don't have to drive across town - you remote into the server - remember to log in using the console session, but you may not need to drive across town to do tech support.  Train the end users to leave the computer systems turned on.
  • Consider additional charges for the “value add” stuff like remote monitoring, which is provided with tools like MOM Express and Level Platforms.
  • Discounted time blocks for more time that's bought - typically the larger the contract, the slightly smaller the rate per hour is.
  • Premium rates for weekends and holidays
  • Hotel billing - it's key that you capture the time on the site and not afterwards.  If you do use hourly billing, ensure that the technician uses some sort of data capturing device like a Pocket PC to capture the work performed and then ensure it's transferred to your accounting package.
  • Hourly rates [or even hour bundles] should be charged based on the going rate of other “maintenance” professions - so many times I see IT firms undercharge compared to other professions - don't undervalue yourself - look at what auto repair professionals are charging or even other technology firms in your area.  There's nothing to stop you from calling your competition and just asking them for their hourly rate.
  • Security assessments, education, security awareness, acceptable use policies - ensure that your client puts in place the HR and human side of technology.  Having a kewlamundo computer is great, not knowing how to fully utilize it is not so great. 
  • SBS “and” as I call it - putting SBS in a firm is just the beginning - adding on Sharepoint and now adding on CRM as additional services you can generate sales from.  But keep in mind that CRM... like installing accounting packages, is a bit of an “art”.  You may want to joint venture with a SBSized firm that specializes in this.
  • Lastly remember that there's a long standing argument about hourly billing versus value billing.  People down in small biz want to know “how much will this cost?”

So I'm sure you are saying...well great but all you've done is make me ask the questions and not get answers..... but I will get you answers... from your fellow “Been There and Done That's” that are dealing with this same issue.

There are two communities where you can ask your questions and they'll tell you that in your region, this is what they are doing.....

So Dick, don't just ask me..... ask the Community of SBS these questions....you'll get your answer.

You've seen it haven't you, all of a sudden your system tray will have a “bubble“ that says “Outlook is trying to retrieve information from Servername“.  I just always wrote it off and lived with it.

Well guess what..there's a patch for this issue:

Performance issues that are caused by the JunkMailImportLists registry value in Outlook 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;889918

The JunkMailImportLists registry value may cause poor performance in Outlook 2003:
http://support.microsoft.com/kb/893057

"Given their record in the security area, I don't know why anybody would buy from them," the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft's forthcoming line of security software.

Seattle PI had that quote from Richard Clarke from the RSA Security Conference.

Interestingly enough I don't think Mr. Clarke is seeing what I'm seeing.  On the SBS 2003 sp 1 beta [that has Windows 2003 sp1 in it] I did something stupid and Windows 2003 sp1 kept me from being blonde.  You see, before I ran the Connect to internet wizard to fully enable the RRAS [or ISA 2004] firewall, I stupidly assigned the external NIC an IP address [you see I didn't have to do that as the wizard does this for me] but the point is as I first went to run the wizard on that live enabled NIC the new Windows 2003 sp1 firewall popped up and said “are you sure?” just like XP sp2 ensures that it checks.  You see it was protecting me from my stupidity of putting a live server on the Internet and was protecting me from the get-go by ensuring that inbound protection of a LIVE connection was protected.

Mr. Clarke?  You aren't seeing what I'm seeing .... yeah sure.... we need to get it so that running in user mode is “normal” around here but that's our entire industry.  In my own little way I'm trying as best as I can to make people aware that the software that REQUIRES power user or local admin don't “get security”, but in the meantime, I think you should see what I'm seeing.....

  • A basic firewall that protects that live NIC connection from the get go, from my own stupidity of putting a live server on the web
  • The COM protections that were put in place in XP sp2 now in Windows 2003

Yeah, sir, I'm buying security from Microsoft because I see their CURRENT track record and I like what I see.

We never stop working for you.  [well unless you are a customer with a dynamic IP that is...]

Companies can either handle a policy well by communicating in a great way, or they can totally blow it.  Handle it right, you build Customer Evangelists.  Handle it wrong and you end up with blog posts like this one.

Today Verizon proved that they are totally messing up by not notifying customers that they've changed their mail policies.  Eriq posts on his blog the troubleshooting steps and resolution that he had to do to overcome his issue [and it's a great how to on checking mail issues by the way]


"AS OF JANUARY 31, 2005, VERIZON WILL NO LONGER ALLOW BUSINESS OR
RESIDENTIAL CUSTOMERS WITH DYNAMIC WAN IPS TO RELAY THROUGH THEIR SMTP
SERVERS." 


Update 2/22/2005:  Please note it appears that if you don't host your domain with Verizon even if you do have a Static IP they block your sending.  Your only alternative is to route your email through your domain mail hoster's SMTP servers or investigate the third party mail relayers like Eriq used.

The quick and dirty answer to yesterday's post about whether SBSers get Entourage 2004 for Macs is YES!  Us SBSers are legal for this and do get the right to have Entourage 2004.

The slightly longer answer is that for now the Software Assurance Volume License channel has it [as I can confirm] and that “channel” is working [ummm... I hate to point this out as another reason to get Software Assurance in my book is that they know we yell louder and this typically ensures that this distribution channel gets priority.... but I'm sure that's not exactly an answer everyone loves to hear...but ....ummm.... it is kinda how it's working at the present time....or maybe they know that one annoying SBSer is a SA customer and they want to keep me happy?  ;-) ].

OEM and Retail channel just hang tight for just a smidge longer [or ... ummm......and you didn't read this here.... if you have a client [like me] on Software Assurance/Volume Licensing who doesn't have any Macs around and thus it's still shrinkwrapped ....steal their copy of Entourage 2004 for the time being].  There will be final information on the site on how to get copies of Entourage 2004.

Bottom line we ARE INDEED licensed for it....we just have to wait just a smidge for the OEM and Retail channel fulfillment to get in place.


P.S.  Does everyone know that if they log onto the MSSmallbiz website they can download FOR FREE the Licensing chapter from Harry B's Advanced book [nice sneak peek at the book]?


From the mailbox tonight is a question about Entourage for Macs and I'm just letting you know I am now going to stomp off and email a few folks and figure out what's up with Entourage.

It used to say we got it on this page. [see blog post]

I KNOW I have at my office a cdrom in turquoise that says SBS 2003 Premium “Entourage” that clearly is part of my SBS 2003 media.

Stay tuned to the blog for more details.
