THE OFFICIAL BLOG OF THE SBS "DIVA"

Okay when they build a security listserve for ya... you know it's beginning to be a target...

Objective

The Focus-Apple mailing list discusses security involving hardware and software produced by Apple or that runs on Apple platforms.  Discussion may include security assessment, planning, and implementation for Apple technologies. This list is meant as an aid to network and systems administrators and security professionals who are responsible for implementing, reviewing and ensuring the security of their Apple hosts and applications.

What is appropriate content?

- Discussion of securing Apple hosts in various networked environments, including but not limited to integration with Active Directory or LDAP-based networks.
- Discussion of securing Apple hardware devices such as Airport base stations using wireless technology.
- Experiences in securing specific Apple technologies that would prove valuable to share with the community.
- "How-to" questions surrounding the assessment, implementation, or configuration of Apple technologies, as they relate to security concerns.
- Discussion of tools and/or products that may assist in auditing, securing, and/or patching Apple technologies.
- Follow-up discussion of Apple-related vulnerabilities as it relates to questions about identifying and securing vulnerable hosts and applications.

What is inappropriate content?

- Announcement of security vulnerabilities. (Post this information to Bugtraq)
- Product advertisements.
- Discussion of non-Apple related issues.
- Non-computer/network security related material.
- Discussion of forthcoming product rumours.

How do I subscribe?

Send an email message to focus-apple@securityfocus.com.  The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

So I'm rebuilding an OEM machine... and feeding it the drivers because the OS does not see the NIC card from the Dell site ...  and I realize that not only can't this machine not see the nic cards.. the C: drive isn't a C: drive.

Now THAT is annoying, isn't it?  That whenever there's a zip drive it picks that up as a C: drive instead of the read drive.. so now my C.. is my E... arrrrggghhh.. I'll have to fix that.. as the Dell drivers keep trying to install to a C drive that isn't there.  Normally I unplug the zip but I forgot to do that this time....

hmmm won't even load up the nic drivers...okay back to the Dell website to see what other drivers are available.

The eOnCall weekly internet radio broadcast has a new home in June. 
Starting June 1, the show can be heard "live" at 10am and 1pm Central 
time on Thursdays on AIRtunZ (http://www.airtunz.com 

We will still maintain archives of each broadcast at the eOnCall 
web site (http://www.eoncall.com  but those who had been listening
to the streaming broadcast at Apostle Internet Radio will need to 
change their virtual tuner over to AIRtunZ.

Okay so we know about the SBS Podcast from the SBS support gang

We know about the SBSShow... but everyone does realize that there's 
a THIRD podcast in SBSland that occurs all the time, right?  Fantastic, you do know!

... I may need a bigger mp3 player with all this really good content though....

The third one is Eriq Neale's www.eoncall.com podcast. 

915343 - Buffer Overrun error may occur when CRM 3.0 is installed on Microsoft Small Business Server 2003

Okay so the hotfix I was attempting to call for last night... I got today... and while I'm not running CRM 3.0.. I wanted to see if the patch was available via the "call PSS/CSS, hit the button for hotfixes and get it sent to you for free" and sure 'nuff.... it was.

So if you are a CRM'er running on SBS and you've seen this issue about a "buffer overrun" on your system, know that this is not a 'regression tested patch' and ensure you have a backup and try it in a test network first..but you can call the ITPro support number and get this hotfix...I call US (800) 936-4900 but call whatever number is appropriate for your area.  Furthermore due to the "after hours IT Pro" support having a business after hours 24/7 world wide feature now, you "should" be able to get hotfixes 24/7.. I say "Should" because Mariette is supposed to be able but none of us could find the appropriate number for her to call in the Netherlands that would give her the hotfix....

..and we spotted this hotfix by an answer posted to Kathy's question about BufferOverrun in the Managed Partner newsgroups... SEE why we say you need to be a MS Partner if you are selling SBS boxes?

... so I'm calling for a hotfix.. and I'm insanely calling on a Monday late night...and I've yet to talk to a human yet just to tell them all I want is a hotfix.... so far I'm starting to memorize "Do you know there are free technical events in my area?"  Visit www.technetbriefings.com

...and yes I do know about the Microsoft support lifecycle web site. ... but thanks for asking nonetheless...  http://support.microsoft.com/lifecycle

I still say there has to be an easier way (and certainly more automated) way to get hotfixes....I've been on hold for 40 minutes now....and so far me and the Microsoft lady are becoming fast friends..

Yes, thank you I do know about the technet events thank you very much....you said that before you know...

..and yes.. I know about the lifecycle too.. you said that about 2 minutes ago you know.. we talked about this before (how quickly she forgets that we just had this conversation).

..oh yeah.. visit www.microsoft.com/protect and perform the steps there to project your computer's security...

Ma'am.. look.. yes.. I know about Technet... you told me that like 2 minutes ago... um...can we try some other part of the Microsoft web site?

Yes, truly I know about the free Technet events....you just told me that 2 minutes ago....you know I'm really getting concerned about this short term memory loss issue you are having...are you feeling okay..because I'm really getting concerned that you can't remember what we chatted about not a minute ago...

oh yes.. I know about the lifecycle site.....remember.. we discussed this....you sure you are feeling okay?  We discussed this.. remember?

.. she's gotta be a real lady... wonder if she's got kids... wonder if she runs a Microsoft computer.....

truly ma'am... I know about technet.. you know I really think you need to take a break here.. this short term memory loss is truly concerning me now...

(in all seriousness.. I think I'm going to give up for tonight...getting the hotfix for KB915343 will just have to wait for tomorrow...and yes 915343 is a real hotfix..just not yet publically posted yet...)

In the newsgroups over the weekend... a thread about RWW came up ...and I wanted to visually show everyone the difference between when you log into Remote Web Workplace as a domain admin (Which you should ensure that you set up an additional admin account and use this when remoting in just to be paranoid) and what it looks like when you log in as a user.

 ...with a VPN, a user can access only the designated shares on a
server. With RWW, a user can gain full and unrestricted access to a
server, as though they are sitting next to it. That's what remote
server management is about, after all.

Click here to see the difference.

With RWW the user only gains access to their desktop or Terminal server and from there it's only the parts of the server that you want them to have.  It's no different than the rights you are setting up inside the firm. Now as Les said, it can be edited to be a smidge more granular.. for example the view that you see of the "user" there is an uber user that has rights to view the more "adminish" things like the Server reports.

But for anyone who thinks that Remote Web Workplace gives you any more rights to a server that the user has now... as you can see there.. that's incorrect.  In my office the only "server" I see is the "Application Server" aka the Terminal Server box sitting next to the SBS box.

Remote access can be done in many ways.. but sometimes the biggest hurdle of remote access is finding the right blend of rights, access, benefits and security.  Understand the advantages and disadvantages of each.

Not fully understanding is a disservice to your clientele.

Okay so I'm dying to show folks my ... uh... oh I can't say it...this is going to drive me insane to keep it secret until the middle of June of what those "Tech Ed" inspired shirts look like... but I can show you these Tshirts that I've put together in the meantime ......

http://www.cafepress.com/KnowPaul

http://www.cafepress.com/ArePaul

Now this only makes sense if you read this....

Killed By Microsoft Bob:
http://webpages.marshall.edu/~hartwel1/humor/misc/killed_by_microsoft_bob.html

..and for the record.. it runs on XP.....I have a copy of it...and this 'is not' the other image that I'm having Curtis work on ... just wait until you see that one....

..okay so I had this logo done by Curtis at Curtoons.com and well.. it turned out reallllly cute.  You see they are ... oh rats ... I can't tell you that because that will give the secret away.  And I will put the link up here after the rest of the gang see the shirt logo...but I can't yet... oh but it really is soooooo cute.

But the process was really cool.. I entered the information of what I had in mind... gave him the time frame... and he asked for a deposit via paypal.. and then sent back the "proofs" today... and it did turn out really cute.

Oh this will drive me crazy keeping this to myself.... see I want the shirts in time for TechEd so that I can wear them (and give one to Jeff Middleton who is speaking there on SBS "myths" of disaster). 

...now the question is.. can I hold out and not blog about it and put the link up for the .... oh I can't tell you what's on the shirts as that will give it away.....

But truly.. if you ever want a cute, fun, corporate logo that is part Pixar and part Disney.. I'd highly recommend Curtis' work.

... just wait until you see my next commission that he's doing... it's a ... oh shoot ... I can't tell you....it's a surprise... man this is worse then keeping Microsoft NDA secrets... this is going to drive me crazy... I can just tell.....

Tolerance.  Acceptance.

You know I try not to be too political in the blog.. I mean it's supposed to be for tech notes and what not... but this weekend is the American holiday of Memorial Day where we pay tribute to Veterans of American Wars...and on the TV they've got several themed movies playing today.  One of them reminded me of community.

Today on the television I watched a movie that wasn't about paying tribute to veterans at all.  It was about a Paperclip.  A Paperclip Project.

http://en.wikipedia.org/wiki/Paper_Clips_Project

...and in my typical one track mind ... it reminds me that tolerance in any community is a good thing.  A very good thing.  And it's something that we need to remember in all of our communities.. the ones we live in... the ones we work in..... and especially our online ones.

I'm going to go find me a paperclip and remind myself to try to ensure that my online community and all of the communities that I live in are ones that remember the lesson of the PaperClip.   

"We can change the world"

Look at this link…. it now works and the instructions you need are shown..

I have installed an interesting application - BlogJet. It's a cool Windows client for my blog tool (as well as for other tools). Get your copy here: http://blogjet.com

"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein

Yes.. I am in fact testing the Blog jet posting to see if it works… bear with me

To Community Server 2.0 and we're also patched for a security issue they had....

Bear with us as I go to look for new skins and what not..

Yesterday at the office I used the excuse of a temporarily frozen switch to upgrade our switches to 10/100 to gig switches... and for the first time.. my server popped up with a "Hey I'm now running at 1000 speed"

..now we'll see if I have machines that notice the speed difference.  I don't have everyone running gig cards..but we're getting more and more machines with gig nics.  The switches have IP addresses.. We've gone from a day where these suckers where just boxes that I plugged in and didn't care about.. to where there's a username/password in there.  (and sorry folks .. I changed it from a default of "admin" so you are out of luck).  I made sure that they have IP addresses that are in my static IP address range of 10.0.0.2-10.0.0.9 (I'm still using that old fashioned 4.5 addressing range otherwise it would be a 192.168.16.x range).

And then looking inside the Interface.. dang... I'm looking at a ton of software under the hood these days on those switches.

The SBS blog has given us homework for the US three day weekend...

http://blogs.technet.com/sbs/archive/2006/05/26/430584.aspx

A newbie podcast.. but you know what.. sometimes everyone needs to revisit those foundations and ensure that the "best practices" they think they are doing are still good best practices...

... oooh I said best practices didn't I?

Notes here...

Even the experts need to listen to this.. there are lessons learned from these OEM machines... I know what she's talking about...

1.  The fact they offer that Yosemite Technolgies tape drive software on those OEM machines when it's totally NOT needed drives me absofreakinglutely insane.  To me that is highway robbery what Dell does when they talk about that tape drive software and do not even tell you that as paranoid as I am .. I USE THE NATIVE SBS BACKUP... and given that in the SBS 2000 era I used another backup software says a ton.

2.  The fact that the OEM install forces you to a small C: drive on that preinstall... many of the oldtimers flatten it and start over.  No, SBS doesn't have to have a small C drive.

3.  The fact that if you try to move some of MSDE instances, there's a spot in the SBS "where do you want me to move things screen that you have to be very careful, and I've found that (and hopefully I can remember the proper way..) is that I sometimes make the folder location and actually browse to the location.. merely putting in a drive letter and a folder name won't work.

4.  Yes, you still want to have partitions out on your system.  You do not want to have 120 gigs of a c drive for a disaster recovery purposes..still the best practices for parititions sizes is to not have one big harddrive.

5.  Moving folders.. the white paper is here....

6.  And these days.. I'm using hard drives for backups.

7.  www.eventid.net is a great resource for event log... but those Dell machines in their documentation has a whole section of "here's some of the wacko things that SBS does in it's event log only during boot up and shut down so just ignore them" in the documentation....

On the blogs (remind me to better track the msdn blogs.. I tend to concentrate on the technet ones...) I realised that I  missed a couple of things...

The updated 'how to secure your SBS network'

A review opportunity for a document on wireless on a SBS network

A review opportunity on basic troubleshooting

Cool!

Download details: Installing Virtual Server on Windows SBS:

Hot off the presses tonight is a white paper to install a virtual server 'under' SBS... but remember you can also put SBS "under" a virtual server.  Keep in mind that SBS max's out at 4 gig of max Ram.

We already had a poster ask for a clarification...

...and Les responded back....

Hi Phillip,

There are a number of things that affect performance when running virtual 
machines, especially in a production environment. But in any case, 1 GB ram 
for the SBS alone is really a practical minimum for a small environment of 5 
users; 2 or 3 GB of ram for the SBS will give you a large performance boost. 
Personally, I haven't seen large performance gains by exceeding 3 GB for the 
SBS server, even in larger environments.

Once we add VS and virtual machines, we need to consider resource 
allocation. VS is nice, as we can reserve resources for both the host and 
virtual machines.

I run several production SBS networks with VS and TS apps mode servers 
running as virtual machines. Acceptable performance is achieved with the 
following resources allocations:

a) dual processors, with 100% of one processor reserved for each of the SBS 
and the TS virtual machine.
b) 4 GB ram, either 3 GB for the SBS and 1 GB for the TS, or 2 GB each 
(depending on the number of TS users, and apps being run).
c) a seperate disk subsystem for the Virtual Machine.
d) a 5 minute delayed startup for the virtual machine on host system 
restart.

I haven't run into network bottlenecks yet, but as the number of TS users 
increases I expect I'll have to address this at some point.

Whenever there's some news about a tool or something that makes "running as non admin" a smidge more obvious... or some tool that helps to beat Vendors over the head... I always joke "okay so whom do I owe my first born to now?"

Today I owe someone...

http://blogs.msdn.com/uac/archive/2006/05/25/607348.aspx 

Read that ...and then go download that tool.....

Okay so like this is a joke.. but unfortunately it's one that a lot of folks think is going on in their systems... they don't trust what automatic updates does on their systems.

But keep in mind that enabling automatic updates to "download but let me install" means just that.. it will not force and install and will only download the update and install it when YOU choose to do so.

On the blog link tonight is a new blog.. the SBS Community Lead, Kevin Beares has put up a blog shingle....

http://blogs.technet.com/kevin_beares/default.aspx

And he also says that is you read his blog you have to fill out the Community survey... .. thus by osmosis reading this post... you should fill out the community survey..too.

I want you to read Les's comments about this survey....and then Dave's. 

Someone once said that they wanted to feel like the product group was listening... well this is step one in that direction. 

So fill up his database will yah.. cause this looks fun and interesting....

and see Kevin..that wasn't so bad now was it?  ...and after we have him trained on how to do surveys better.. and then blogging...next will be podcasts... oh yeah... I think he'll be into podcasts in about ...oh.. six months or so ... don't you think?

;-) (just kidding.. baby steps... he just started blogging I shouldn't freak him out)

1>	We can simple rerun the Monitoring wizard to purge the
SBSmonitoring.mdf database. 

NOTE: After doing the following steps, the original performance and usage 
data will be removed. The server will start to collect new counter value 
from the beginning.
 
1. Open Server Management console, navigate to 'Monitoring and Reporting' 
snap-in. In the right panel, click 'Set Up Monitoring Reports and Alerts'. 
 
2. In the wizard, click 'Next'->Select 'Reinstall monitoring 
features'->Select the options if you want to receive the report e-mails. 
Check 'View the usage report in Server Management' option. If you want to 
receive the usage report e-mail, also check the option below->Add the users 
which you allow them to view the usage report to the authorized 
list->Select the option if you want to receive the performance 
alerts->Click 'Finish' button to complete the configurations. 
 
3. After doing the above steps, the performance and usage data will be 
reset. Please wait for 24 hours and then you will see the reports through 
the Monitoring and Reporting console.

2>	If you are using SBS Premium and have SQL server installed: 

You can use the SQL Client Utilities to try and shrink the database. In 
SBS, there is a job SBS_Database_Cleanup that is scheduled to run at 3:00 
AM everyday, to delete over 90 day old information from the monitoring 
database. 

You can manually run the SBS_Database_Cleanup job, and use DBCC 
SHRINKDATABASE, DBCC SHRINKFILE or use Enterprise Manager 
to reduce the size of the database.

3>	If you are running SBS Standard: 

You need to use osql to connect to the WMSDE instance, and use transact SQL 
commands manually to request the database be shrunk ("dbcc shrinkdatabase( 
SBSMonitoring, <% free space target>)"). 

4>	If you need more space on your C drive, I would also suggest moving 
available data from your C drive to other partition on your Server. The 
following white paper demonstrates this scenario in detail.

Please refer to Step 5: Move the Monitoring Database in the following white 
paper.
Moving Data Folders for Windows Small Business Server 2003
http://www.microsoft.com/technet/prodtechnol/sbs/2003/maintain/movedata.mspx