[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] October 2009 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

October 2009 - Posts

For the past two years since we started rolling out Vista, I've felt like Goldilocks.  I can't find an antivirus software I like.  Trend was my choice until it started putting a firewall in there that made it not quite right.  Then I was testing out Nod32 and it nearly was my choice until it too started to have known issues with iTunes and network icon interference. 

So in addition to the desktop icon review tonight, I'm starting the process of removing the various antivirus products I've been testing on various machines and starting to standardize on the one that I think will be the one I choose.  But I want a wider beta so I'm going to be installing it on more machines.  What is the maybe, hopefully, possibly just right antivirus?  I'm leaning towards Forefront Client Security now.  For those who have home users or home businesses, Microsoft Security Essentials is my current choice of antivirus.  Notice I didn't say "free" antivirus, I said antivirus.  It's discouraging when we're paying annual subscriptions to products that are not catching rogue antivirus, causing slow downs of our systems, and in general, if they were operating systems, we'd be a lot more upset than we are right now.

So before you ask, can the management console of Forefront go on SBS 2008?  Nope.  Can't.  But this is part of my larger test to see if the native notification of antivirus status is good enough for this Goldilocks.

I'll let you know how this fairy tale ends.

Tonight to answer the door of the trick-or-treaters I'm answering the door as Danica Patrick's older, less sexy, sister that is a Mini Cooper race car driver.

Okay so it's a stretch, I'll admit, but with a Mini Cooper racing shirt and a black wig, what do you expect?

I'm also remoting back into the office and doing the annual "what icons landed up on the desktop" review of the desktops.  While most of us do remote work as a matter of ease and efficiency, sometimes the only time you see issues is looking at the actual desktop.  So I'll take my secondary admin account and log into the workstations remotely and see what icons are there.  See if there are patches that WSUS or Shavlik missed, see if the event viewer looks good.  While I have remote tools that also pull this info, sometimes actually LOOKING at the desktop is like most picture experiences: a picture is worth a thousand words.

In my case, that picture of Danica is worth way more than what I look like in my Mini Cooper get up.

Posted Sat, Oct 31 2009 18:12 by bradley | with no comments

F. On the Source server, make sure the Active Directory is healthy.

If there is only one DC, make sure the SYSVOL and NETLOGON shares are present. Also, check the File Replication Service event log to see if it is in Journal Wrap. The event below is an example of what to look for.

Event Type: Error
Event Source: NtFrs
Event ID: 13568
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM
VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

If there are multiple domain controllers in the source environment, force an Active Directory replication between them in Active Directory Sites and Services and verify it is successful.

You can also run the Microsoft IT Environment Health Scanner in the source environment to uncover any AD health issues.

Microsoft IT Environment Health Scanner

(I'll blog about that in a separate blog post)

An unhealthy Active Directory can result in the following setup errors:

  • Windows Small Business Server group policies cannot be configured.
  • Windows Server Update Services cannot be configured.

To fix this, you will need to restore the source server, resolve the AD Health issue(s) and start the migration all over again.
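The share and journal-wrap checks described above can be scripted so that they are run the same way every time. The following is an added example and not code from the post; it assumes PowerShell 2.0 with access to the single-DC source server and that the FRS event log carries its Windows Server 2003 name, "File Replication Service".

```powershell
# Added example (not part of the original post). Assumes PowerShell 2.0 on, or with
# remote access to, the single-DC source server, and that the FRS event log is named
# 'File Replication Service' as on Windows Server 2003.
function Test-SysvolHealth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookBackDays = 30
    )

    # Both shares must be present on a healthy domain controller. Win32_Share
    # is available on Windows Server 2003, unlike the later Get-SmbShare cmdlet.
    $shareNames = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        ForEach-Object { $_.Name.ToUpper() }

    # NtFrs event 13568 is the JRNL_WRAP_ERROR event quoted in the post.
    $since = (Get-Date).AddDays(-$LookBackDays)
    $wrapEvents = @(Get-EventLog -LogName 'File Replication Service' `
                        -ComputerName $ComputerName -After $since `
                        -ErrorAction SilentlyContinue |
                    Where-Object { $_.Source -eq 'NtFrs' -and $_.EventID -eq 13568 } |
                    Sort-Object TimeGenerated -Descending)

    $lastWrap = $null
    if ($wrapEvents.Count -gt 0) { $lastWrap = $wrapEvents[0].TimeGenerated }

    New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        SysvolShared     = ($shareNames -contains 'SYSVOL')
        NetlogonShared   = ($shareNames -contains 'NETLOGON')
        JournalWrapCount = $wrapEvents.Count
        LastJournalWrap  = $lastWrap
    }
}

$health = Test-SysvolHealth
$health | Format-List

# Any one of these means the migration should not start until FRS is repaired.
if (-not $health.SysvolShared -or -not $health.NetlogonShared -or $health.JournalWrapCount -gt 0) {
    Write-Warning "SYSVOL/FRS problem on $($health.ComputerName): fix it before starting the migration."
}
```

Run it before the setup wizard is ever started: a missing share or a recent 13568 event is exactly the state that later surfaces as the group policy and WSUS configuration failures listed above, and at that point the only way back is a restore of the source server.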

We're going to check this with a couple of things including this command:

The following are run from the command prompt to test Active Directory health:

  1. DCDiag
    • DCDiag [Enter]
    • DCDiag /test:DNS
    • DCDiag /? (List of switches)

DcDiag output:
    _______________________________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Connectivity
         ......................... DOMAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Replications
         ......................... DOMAIN passed test Replications
      Starting test: NCSecDesc
         ......................... DOMAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOMAIN passed test NetLogons
      Starting test: Advertising
         ......................... DOMAIN passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DOMAIN passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOMAIN passed test RidManager
      Starting test: MachineAccount
         ......................... DOMAIN passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [DOMAIN]  <<<< this is okay and normal on a SBS box -- ignore this
         ......................... DOMAIN failed test Services
      Starting test: ObjectsReplicated
         ......................... DOMAIN passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOMAIN passed test frssysvol
      Starting test: frsevent
         ......................... DOMAIN passed test frsevent
      Starting test: kccevent
         ......................... DOMAIN passed test kccevent
      Starting test: systemlog
         ......................... DOMAIN passed test systemlog
      Starting test: VerifyReferences
         ......................... DOMAIN passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAINNAME
      Starting test: CrossRefValidation
         ......................... DOMAINNAME passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAINNAME passed test CheckSDRefDom

   Running enterprise tests on : DOMAINNAME.lan
      Starting test: Intersite
         ......................... DOMAINNAME.lan passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAINNAME.lan passed test FsmoCheck

C:\Documents and Settings\Administrator>dcdiag /test:DNS

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Connectivity
         ......................... DOMAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAINNAME

   Running enterprise tests on : DOMAINNAME.lan
      Starting test: DNS
         ......................... DOMAINNAME.lan passed test DNS

It should come back "clean"

Then do Netdiag

It starts out with a whole bunch of KBs listed... (hotfixes)

________________________________________________

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 10.0.0.2  <<< I'm still at that original SBS 4.0 10.0.0.2 range btw
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Primary WINS Server. . . . : 10.0.0.2
        Dns Servers. . . . . . . . : 10.0.0.2

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Passed

    Adapter : Network Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 192.168.1.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.254
        Primary WINS Server. . . . : 10.0.0.2
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . : 10.0.0.2 <<<< I still have two nics, I need to rerun this after I've removed ISA

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].

    Adapter : {A89DD362-5097-4A2B-AE4F-D7AB874ED971}

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 10.0.0.16  <<<< VPN connection going on here
        Subnet Mask. . . . . . . . : 255.255.255.255
        Default Gateway. . . . . . :
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.0.0.2'.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

C:\Documents and Settings\Administrator>


Next we'll do RepAdmin

  1. RepAdmin
    • RepAdmin /viewlist *
    • RepAdmin /SyncAll
    • RepAdmin /KCC

__________________________________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>repadmin /viewlist *
DC_LIST[1] = DOMAIN.DOMAINNAME.lan


C:\Documents and Settings\Administrator>repadmin /syncall
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.


C:\Documents and Settings\Administrator>repadmin /kcc

repadmin running command /kcc against server localhost

Consistency check on localhost successful.

Next we'll do NetDom /query FSMO

  1. NetDom /query FSMO

____________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>netdom /query FSMO
Schema owner                DOMAIN.DOMAINNAME.lan

Domain role owner           DOMAIN.DOMAINNAME.lan

PDC role                    DOMAIN.DOMAINNAME.lan

RID pool manager            DOMAIN.DOMAINNAME.lan

Infrastructure owner        DOMAIN.DOMAINNAME.lan

The command completed successfully.


Other than rerunning this after I remove ISA... AD, per DCdiag, is looking fine.
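Since the same four commands (dcdiag, dcdiag /test:DNS, repadmin /syncall, netdom query fsmo) have to be rerun after the ISA removal anyway, here is an added example that wraps them in one pass and reads their output for you. It is not the post's own script; it assumes the Windows Server 2003 Support Tools binaries are on the PATH, that it runs as a domain admin on the source server under PowerShell 2.0, and it treats a stopped IsmServ as expected on SBS, exactly as the annotated dcdiag output above does.

```powershell
# Added example, not the post's own script. Assumes dcdiag.exe, repadmin.exe and
# netdom.exe (Windows Server 2003 Support Tools) are on the PATH and that the script
# runs as a domain admin on the source server under PowerShell 2.0.
function Invoke-AdPreMigrationCheck {
    param(
        # Services dcdiag may report stopped without it being a problem; IsmServ
        # stopped is normal on SBS, as the post's annotated output notes.
        [string[]]$ExpectedStoppedServices = @('IsmServ')
    )
    $findings = @()

    # dcdiag: collect every "failed test" line and every stopped-service line.
    $dcdiagOut = & dcdiag.exe 2>&1 | ForEach-Object { [string]$_ }
    $failedTests = @(); $stoppedServices = @()
    foreach ($line in $dcdiagOut) {
        if ($line -match 'failed test (\w+)')               { $failedTests += $Matches[1] }
        if ($line -match '^\s*(\S+) Service is stopped on') { $stoppedServices += $Matches[1] }
    }
    foreach ($test in $failedTests) {
        if ($test -eq 'Services') {
            $unexpected = @($stoppedServices | Where-Object { $ExpectedStoppedServices -notcontains $_ })
            if ($unexpected.Count -eq 0) { continue }   # only expected services stopped
            $findings += "dcdiag Services: unexpected stopped service(s): $($unexpected -join ', ')"
        } else {
            $findings += "dcdiag: failed test $test"
        }
    }

    # dcdiag /test:DNS should end with "<forest> passed test DNS".
    $dnsOut = & dcdiag.exe /test:DNS 2>&1 | ForEach-Object { [string]$_ }
    if (-not ($dnsOut -match 'passed test DNS')) { $findings += 'dcdiag /test:DNS did not pass' }

    # repadmin /syncall: success is "SyncAll terminated with no errors."
    $syncOut = & repadmin.exe /syncall 2>&1 | ForEach-Object { [string]$_ }
    if (-not ($syncOut -match 'SyncAll terminated with no errors')) { $findings += 'repadmin /syncall reported errors' }

    # netdom query fsmo: all five role holders should be listed.
    $fsmoOut = & netdom.exe query fsmo 2>&1 | ForEach-Object { [string]$_ }
    $roles = @{}
    foreach ($line in $fsmoOut) {
        if ($line -match '^(Schema owner|Domain role owner|PDC role|RID pool manager|Infrastructure owner)\s+(\S+)') {
            $roles[$Matches[1]] = $Matches[2]
        }
    }
    if ($roles.Count -ne 5) { $findings += "netdom query fsmo listed $($roles.Count) of 5 role holders" }

    New-Object PSObject -Property @{
        Healthy   = ($findings.Count -eq 0)
        Findings  = $findings
        FsmoRoles = $roles
    }
}

$check = Invoke-AdPreMigrationCheck
if ($check.Healthy) {
    "AD health checks passed; OK to move on to the next migration step."
} else {
    $check.Findings | ForEach-Object { Write-Warning $_ }
}
```

The point of parsing rather than eyeballing is the Services test: on SBS it always reads "failed" because of IsmServ, so a human quickly learns to skip past it, and that is exactly how a second, genuinely stopped service gets missed. The script only waves the test through when IsmServ is the sole stopped service.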

Check out my pumpkin! http://halloween.cloudapp.net/pumpkin/98338f63-ccce-4ee0-a7bd-3ff27ae837d8

Well look at the bright side.  There's no icky disgusting azure and silverlight seeds to scoop out and throw away now is there?

http://blogs.msdn.com/bardak/archive/2009/10/30/happy-halloween-from-the-silverlight-team-and-archetype.aspx

Posted Fri, Oct 30 2009 21:42 by bradley | with no comments

We're going to start doing some scans on a SBS 2003 to make sure we're ready to go for migration.

We're going to take all of these tips mainly from here:  www.sbsmigrationtips.com which resolves to http://blogs.technet.com/sbs/archive/2009/02/19/sbs-2008-migrations-from-sbs-2003-keys-to-success.aspx

And this -- http://blog.mpecsinc.ca/2009/06/sbs-2003-to-sbs-2008-migration-guide.html

So first tonight we're going to run the SBSbpa on the box and go through item by item what it's telling us.

E. On the Source server, run the SBS 2003 BPA.
  • SBS 2003 BPA
  • Resolve any issues reported in the source environment ahead of time.
  • Know that SBS 2003 SP 1 is not the same as Windows 2003 SP 1 or SP 2. See item #4 for an explanation.

Download it from www.sbsbpa.com which resolves to http://www.microsoft.com/downloads/details.aspx?FamilyId=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en

Now run it on your system:


Click on the view a report...

So let's go down line by line of the things it found.

1.  Disk space low.  No kidding Sherlock.  It's a five year old server so I think I done pretty darn good to be still with 19% free with about a month left to go before we move to a new box. 

2.  Network interface driver file more than one year old.  If you think I'm going to be flashing network card drivers on this baby now, keep dreaming.  That's an ignore for now. On a server where you had not upgraded the NIC drivers since it was built, that would be another story.  You'd need to look at that and make sure it has newer drivers.  For me, it's going to stay there for now.

3.  Network interface driver file more than one year old.  This is a SBS 2003 with two nics and ISA (for about another week) and so that's why the two warnings.

4.  Windows Update Service v3 is at RTM.  Ignore this.  I actually have SP2 on the box but the BPA hasn't been updated to reflect that.

5.  Your email domain is on the turf list.   Your e-mail domain exists in the list in the msExchTurfListNames attribute. This can cause problems with public folder replication during a migration. To remove the domain from the list, open Exchange System Manager, expand Global Settings, right-click Message Delivery, and then click Properties. Click the Sender Filtering tab, and then remove your domain from the Senders list.

I'm pretty sure that's another bogus error as my domain name is not in that list, but to be safe I'll be removing those addresses and rescanning regardless.

So I removed the entries, rescanned and voila... (except now my external backup drive is indicating it needs more room :-)

So now we're done with item number E.

E. On the Source server, run the SBS 2003 BPA.
  • SBS 2003 BPA
  • Resolve any issues reported in the source environment ahead of time.
  • Know that SBS 2003 SP 1 is not the same as Windows 2003 SP 1 or SP 2. See item #4 for an explanation.
Posted Fri, Oct 30 2009 20:57 by bradley | with no comments

>>> NEW TOOL: Exchange Remote Connectivity Analyzer <<<:
http://social.microsoft.com/Forums/en-US/partnermsgexchange/thread/421c8eb2-7579-4806-a276-3aaeb90a10a4

Announcing the release of Exchange Server Remote Connectivity Analyzer for Exchange 2003, 2007, and 2010: https://www.testexchangeconnectivity.com/

 

Client connectivity and inbound email scenarios make up a significant portion of the Exchange support calls.  This tool will allow you to remotely test the following client types and services:

 

  • Exchange ActiveSync
    • Windows Mobile 5, 3rd party devices
    • Windows Mobile 6.1+ with AutoDiscover
  • Outlook Anywhere (aka RPC/HTTP)
    • Outlook 2003
    • Outlook 2007 with AutoDiscover
  • Inbound SMTP

 

The tool will simulate the protocol logic used by the specific client and not only tell you if the scenario was successful, but if it fails, it will tell you exactly where in the process it failed as well as try to guide you to the problem resolution.

 

 

HELPFUL LINKS:

More information https://www.testexchangeconnectivity.com/Pages/ChangeList.htm

Exchange team blog http://msexchangeteam.com/archive/2009/03/25/450908.aspx

Exchange Remote Connectivity Analyzer Forum: http://social.technet.microsoft.com/Forums/en-US/exrca/threads

Provide feedback to exrcafb@microsoft.com


Best regards,

Ryan Ye
Partner Online Technical Community

Posted Fri, Oct 30 2009 19:03 by bradley | 1 comment(s)

So I got a question today as to whether or not Exchange 2007 sp2 should be installed on a SBS 2008 box.

And I said:

1. there's an icky KB you have to work through

2. it breaks the sbs sites without the kb

3. IMHO it doesn't add any value (the Exchange backup we already have)

4. You wanna keep a test box for the sp2 wrapper that they will be building out

5.  You want to wait for that sp2 wrapper that they will be offering up for SBS boxes

There are limited reasons that I can see at this time to be installing SP2 for Exchange 2007 on SBS 2008.  Thus, consider it carefully.

EDIT - it has been pointed out that Powershell v2 is not supported on SBS without Exchange 2007 sp2.  Thus for those folks who envision themselves on a remote beach in Bora Bora, sipping fruit drinks with umbrellas on them and using remote Powershell v2 commands to administer their Exchange 2007 sp2 boxes, you "may" want to consider going through the KB and apply the service pack.

The rest of us grunts may want to wait until the wrapper comes out.

Posted Fri, Oct 30 2009 12:26 by bradley | with no comments

How to fix an application that isn't working after 05-026 - THE OFFICIAL BLOG OF THE SBS "DIVA":
http://msmvps.com/blogs/bradley/archive/2005/06/23/54763.aspx

After rolling out a new workstation (Win7) our tax software wouldn't show the help file.  I had forgotten that I'd disabled the group policy on the server for some reason on this.

Fortunately I remembered the easy fix and found it on the blog :-)  Figured it wouldn't hurt to reblog this as you start to roll out Win7 machines

http://support.microsoft.com/default.aspx?scid=kb;en-us;896054

  • Click on Start
  • Run
  • Regedit
  • Find HKEY_LOCAL_MACHINE
  • Find the subfolder of SOFTWARE
  • Find the subfolder of Microsoft
  • Find the subfolder of HTMLHelp
  • Find the subfolder of 1.x
  • Now click on that 1.x folder and right mouse click
  • Now click on 'new' and then on 'key' and add a new key
  • Type in ItssRestrictions
  • Hit enter
  • Click on the subfolder of ItssRestrictions
  • Right mouse click, click on 'new' and then on 'dword'
  • In the “New value“ box, type in MaxAllowedZone
  • Hit Enter
  • Click on that “MaxAllowedZone“ and right mouse click
  • Click on “Modify“
  • Change the value data from 0 to 1
  • Click OK
  • Close the Registry

Try CCH tax software again.  Your help files should now work as expected.
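The same registry change, scripted so it can be pushed to several new Win7 workstations instead of clicked through in Regedit on each one. This is an added example, not code from the post or from the KB article; it uses the key and value the steps above walk through (HKLM\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions, MaxAllowedZone) and needs an elevated PowerShell session because it writes under HKEY_LOCAL_MACHINE.

```powershell
# Added example, not from the post. Reproduces the registry steps above for the
# HTMLHelp ItssRestrictions key from KB 896054; run it from an elevated PowerShell
# on the workstation whose .chm help files stopped working.
function Get-HtmlHelpMaxAllowedZone {
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions'
    if (-not (Test-Path $keyPath)) { return $null }       # key absent: the default (0) applies
    $item = Get-ItemProperty -Path $keyPath -Name 'MaxAllowedZone' -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MaxAllowedZone } else { return $null }
}

function Set-HtmlHelpMaxAllowedZone {
    param(
        # 1 = Local intranet zone, the value the steps above set. Higher values widen
        # the locations a .chm may be opened from, undoing more of the MS05-026 hardening.
        [ValidateRange(0, 4)][int]$Zone = 1
    )
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions'
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null        # the "new key" step
    }
    # -Force overwrites an existing value, which is the "Modify" step.
    New-ItemProperty -Path $keyPath -Name 'MaxAllowedZone' -PropertyType DWord -Value $Zone -Force | Out-Null
    Get-HtmlHelpMaxAllowedZone
}

"Before: " + (Get-HtmlHelpMaxAllowedZone)
Set-HtmlHelpMaxAllowedZone -Zone 1 | Out-Null
"After:  " + (Get-HtmlHelpMaxAllowedZone)
```

Keep the zone at 1 unless a help file genuinely lives further out than the intranet: the value is the knob MS05-026 introduced to stop remote .chm content from running, so every step up is a deliberate loosening of that fix, and Get-HtmlHelpMaxAllowedZone gives you a quick way to audit what a workstation is currently set to.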

When you get done the left side should look like this

The right side should look like

P.S.  This KB article is actually referred to from a “caveat” link at the top of the Security bulletin that points to known issues.  Always review the “Known issue” for the issues that have already been found and fixed.

http://msmvps.com/blogs/bradley/archive/2009/10/30/mpan-program-closed.aspx

So the bigger and more important question is ...what about the action pack license that was allowed to be purchased by CPAs as a result?  Are they still licensed?  Can they renew?  Can they keep the licenses or do they have to buy all new Server and OS licenses to make themselves legal?  [notice I'm using the word they as I've kept my firm buying software assurance for the server all this time and didn't use the action pack for the firm]

I don't know the answer to that one.  Stay tuned.

[and shame on the Office Accounting team that didn't anticipate that this would be the bigger question of the morning]

Posted Fri, Oct 30 2009 7:20 by bradley | 1 comment(s)

Dear valued MPAN member:

 We are writing to let you know that Microsoft® Office Accounting will no longer be distributed by Microsoft after November 16, 2009. As such, MPAN membership will also be closed to new members effective November 16, 2009 and the complimentary download of Office Accounting Professional 2009 and the Office Accounting Customization will be discontinued November 16, 2009. Some existing MPAN benefits, such as online on demand training, will remain.

 We would like to thank the many dedicated users and partners who have been enthusiastic supporters of Microsoft Office Accounting and MPAN over the years.

 As a registered Office Accounting user, you may continue to use Office Accounting after November 16, 2009 and Microsoft will continue to offer product support for Office Accounting in accordance with the terms of the support policy. Your current MPAN membership entitles you to unlimited phone support through January 15, 2011.

 To learn more about other Microsoft offerings that can be useful to your business, please visit the following:

   -   Microsoft's Small Business site is a great resource for small businesses.

   -   Microsoft Office is a great tool for small businesses, especially when used with our easy-to-use templates.

   -   Microsoft Dynamics products offer adaptable business management solutions, and we invite you to visit the Microsoft Dynamics Community Web site, which offers role-based content, including a Finance sub-community, product forums and networking functionality.

 Please refer to MPAN FAQs for more information on MPAN benefits going forward.

 If you have further questions about Office Accounting changes, including changes to add-on services, additional information can be found on the Office Accounting FAQ page.

 Again, we thank you for your support of MPAN and Office Accounting. 

MPAN US Team

Posted Fri, Oct 30 2009 7:09 by bradley | 2 comment(s)

So an interesting topic came up recently.  As a professional with clients and an industry that expects confidentiality, for those that are consultants in this space, do your clients require you to sign a confidentiality agreement?  Do you offer it up in your contract that you supply to them?

If you don't you should.  If they aren't asking you this, they should.

When you work on their network you are an extension of their access.  If you have admin rights, even more so. 

SANS policy center has a sample access policy here:

http://www.sans.org/security-resources/policies/Third_Party_Agreement.pdf

And here's a sample policy at my firm for temporary employees....

1.  CONFIDENTIAL INFORMATION

In the course of the discharge of your duties, you may have access to and become acquainted with confidential information and trade secrets relating to the Firm’s business and clients.  Such confidential information and trade secrets include, without limitation, information concerning the Firm’s financial, personnel, sales, planning and other operations that are owned by the Firm and regularly used in the operation of the Firm’s business.  Access to such confidential and trade secret information should be on a “need-to-know” basis only and must be authorized by those Supervising you.  Any breach of this policy will not be tolerated and may lead to discipline up to and including immediate termination and, under certain circumstances, the Firm may take legal action.

2.  INSPECTION AND SEARCH POLICY

All furniture, equipment, computers, files, etc. on the Firm’s premises are the Firm’s property and must be maintained according to the Firm’s rules and regulations and should only be used for work-related purposes.  The Firm has implemented an inspection and search policy to protect against the unauthorized removal of Firm property from its premises, to keep alcohol and illegal drugs off the premises, and for general safety reasons.

Therefore, the Firm reserves the right to inspect and/or search any item brought onto Firm premises.  This includes, without limitation, any laptop or personal computer, or any package, lunch, toolbox, purse, briefcase or other personal item the employee may bring on the premises.  The Firm also reserves the right to monitor the use of its computer system and electronic communications devices, such as the voice mail system and fax machine, and reserves the right to access, review, copy, delete and disclose any personal information contained on any Firm electronic communication device or on its computer system, including Firm-owned PCs used by individual employees.

Any such inspection and/or search may be done with or without notice and with or without your consent.  Your refusal to cooperate in an inspection and/or search may result in termination.
    
If you do not want any personal item inspected and/or searched pursuant to this policy, you should not bring such item onto Firm premises or property.  Additionally, you should not use the Firm’s computer system, e-mail system, voice mail system, or fax machine for any personal information you wish to keep private, as the Firm treats all such information as business information and it will be treated no differently than other business information.

3.    ELECTRONIC COMMUNICATION DEVICES POLICY

The Firm uses various forms of electronic communication devices, including, but not limited to, computers, e-mail, telephones, voice mail, and fax machines.  All electronic communications, including all software and hardware, are the sole property of the Firm and are to be used only for Firm business to transmit or receive business information and are not to be used for personal use.  The Firm treats all messages sent, received or stored in any of the electronic communication devices as business messages.  The Firm reserves the right to access and review, copy or delete electronic files, voice mail messages, etc., for any purpose and to disclose them to any party (inside or outside the Firm) it deems appropriate.  The Firm further reserves the right to monitor the use of electronic communications as is necessary to ensure that there is no misuse or violation of Firm policy. Use of any of the Firm’s electronic communications devices in violation of this policy may lead to discipline up to and including immediate termination.

Should you make incidental use of the e-mail system, fax machine, etc., to transmit personal messages, such messages will be treated no differently than other messages, i.e., the Firm reserves the right to access, review, copy, delete or disclose them for any purpose.  Accordingly, you should not use the computer, e-mail system, voice mail system, or fax machine for any personal information you wish to keep private.

The Firm’s e-mail system permits employees to communicate with each other internally and with selected outside individuals and companies that the Firm, in its sole discretion, decides should be connected to the system.  Users should treat the computer and e-mail systems like a shared file system -- with the expectation that messages sent, received or stored in the system (including any individual hard disks) will be available for review by any authorized representative of the Firm for any purpose.

Confidential Information

Essentially, Firm e-mail messages should be treated in the same way as other Firm confidential printed material.  There are three common circumstances where confidentiality can be breached:

An employee leaves the e-mail program running on his or her screen, or leaves an e-mail message on his or her screen.  In either case, this allows others to view e-mail messages should they sit at the employee’s computer.

A confidential message is printed on a printer in an employee’s office or perhaps on a shared printer down the hall.  Anyone with access to that printer can view this document.

An e-mail message is inadvertently sent to someone who was not intended to receive it. Caution should be exercised regarding any confidential message before it is sent.  

Caution should be used when using the Internet.  The Internet is a convenient, cheap way to send business communications that are not security risks or time sensitive.  You should not rely on the Internet for critical communications due to the possibility of compromise.

Users must exercise a greater degree of caution in transmitting Firm information on the e-mail system than they take with other means of communicating information, (e.g., written memoranda, letters or phone calls) because of the reduced human effort required to redistribute such information.  Confidential information should never be transmitted or forwarded to outside individuals or companies not expressly authorized to receive that information and should not even be sent or forwarded to other users inside the Firm who do not need to know the information.  Always use care in addressing e-mail messages to make sure that messages are not inadvertently sent to outsiders or the wrong person inside the Firm.  In particular, exercise care when using distribution lists to make sure that all addressees are appropriate recipients of the information.  Lists are not always kept current and individuals using lists should take measures to ensure that the lists are current.  If highly confidential information needs to be transmitted, please contact IT Administrator, for assistance in sending confidential information via encrypted means.  It is against Firm policy, and possibly the law, to e-mail information that contains social security numbers.

E-Mail Security and Computer Security

The security of the Firm e-mail system and other computer programs is only as good as its password security.  If your network and e-mail passwords are easy to discover, your e-mail may easily be accessed by anyone with that intention.  It is strongly advised that you not use your first or last name, the Firm name or other such easily guessed passwords.  It is also advisable that employees change their passwords periodically.  

Viewing and Protecting E-Mails

In order to guard against dissemination of confidential information, users should not open an e-mail message for the first time in the presence of others.  E-mail passwords (as well as other computer passwords) should be routinely changed every ninety days and will be reset by the Network Administrator.  

Copyrighted Information

Use of the e-mail system to copy and/or transmit any documents, software, or other information protected by copyright laws is prohibited.

E-Mail Etiquette

Please bear in mind that your e-mail messages may be read by someone other than the addressee you sent them to and may even someday have to be disclosed to outside parties or a court in connection with litigation.  Accordingly, please take care to ensure that your messages are courteous, professional and businesslike.

Other Prohibited Uses

The Firm prohibits use of the e-mail system or the Firm computer system to engage in any communications that are in violation of Firm policies including, but not limited to, transmission of defamatory, obscene, offensive or harassing messages, or messages that disclose personal information about other individuals without authorization.

Storing and Deleting E-Mail Messages

The Firm strongly discourages the storage of large numbers of e-mail messages for a number of reasons.  First, because e-mail messages frequently contain confidential information, it is desirable to limit the number, distribution and availability of such messages to protect the Firm’s information.  Second, retention of messages fills up large amounts of storage space on the network server and personal hard disks, slows down the network server, backups and individual hard disks, and leaves less room for genuinely important documents.  The fewer documents the Firm computer has to search through, the more economical the search will be.

Accordingly, it is the Firm’s recommendation that you do not retain e-mail messages in your electronic inbox longer than 90 days.  Messages older than 90 days should be deleted from your electronic mailbox.

Internet Access

The Internet offers a vast amount of easily accessible information to those who access it.  The Firm is linked to the Internet to allow all members of the firm access to information and resources for Firm purposes and in order to enable you to perform your job duties more efficiently.  Anyone accessing the Internet for non-Firm purposes must obtain authorization in advance and in writing.  Any “downloading” from the Internet by employees for their personal use must be authorized in advance and in writing.  Accessing pornographic, offensive or other inappropriate information in violation of Firm policy is expressly prohibited and may lead to discipline up to and including immediate termination.  You are urged to use common sense and judgment.


Personal Programs, Screen Savers, Wallpaper and Games

You may not load or unload any programs on the Firm’s computer system without management approval. Any unauthorized personal programs, screen savers, wallpaper or games found on the computer system will be removed from the system without contacting you. Unauthorized loading or unloading of programs may result in disciplinary action up to and including termination.

Hacking

Anyone caught “hacking,” introducing a “virus” or foreign agent, or attempting to pierce the Firm’s security arrangements on the Firm’s computer system will be subject to immediate termination.

Firm Information

Anyone who removes information concerning the Firm or the Firm’s clients or employees from any part of the Firm’s computer system and uses that information for personal reasons is subject to discipline, up to and including immediate termination.

4.    E-MAIL MANAGEMENT AND RETENTION POLICY

The Firm’s electronic mail (“e-mail”) system allows everyone in the firm to communicate with each other internally and with outside individuals, companies and agencies in order to conduct the Firm’s business.  It is your responsibility to manage and protect the Firm’s business records resulting from all e-mail communications.  

E-mail messages on the Firm’s computer system, including personal e-mail messages, will be treated in the same manner as any other correspondence received by the Firm.  For example, regular mail of importance is kept, whereas junk mail is discarded.  The Firm reserves the right to access, review, copy, delete or disclose them for any purpose. Accordingly, you should not use the Firm e-mail system to transmit personal information you wish to keep private.      

All e-mail communications are subject to discovery during legal proceedings and can be used as electronic evidence in the event the Firm is involved in litigation.  Furthermore, unmanaged and unidentified e-mail messages residing on the Firm’s computers may pose a threat to the Firm’s ability to document and reconstruct business and decision-making processes.  

The following policy advises you of your responsibilities regarding the routine removal of messages from electronic file folders, and the storage and retention of e-mail communications which constitute official Firm records.

E-mail messages generally fall into three categories:

1.    Records which document the business of the Firm, such as those involving clients.  These types of e-mail should promptly be printed and a hard copy should be placed into the relevant subject matter file.  Internal e-mails pertaining to internal Firm business and employee and personnel matters will be kept by the Personnel Manager.
    
2.    Messages that have a limited or transitory value to the Firm, such as a message announcing the date and time of a meeting, need not be saved pursuant to this policy.  Retention of such messages serves no purpose and takes up space.  Such messages should be deleted as soon as they no longer serve an administrative purpose.  However, if the purpose of the meeting were to discuss a particular Firm project or client, the e-mail would be considered a business record and should be treated as such.
    
3.    Non-records, such as personal e-mails.  These types of e-mail messages should promptly be deleted from the electronic inbox.   

It is the Firm’s recommendation that you do not retain e-mail messages in your electronic inbox longer than 90 days.  Messages older than 90 days should be deleted.  If the e-mail message pertains to Firm business, a printed hard copy of the e-mail message must be retained for the Firm’s files.  If an e-mail is sent internally, the person who sent the e-mail is responsible for ensuring that a printed hard copy of the e-mail is put in the appropriate file.  The same is true of e-mails sent to persons outside the Firm.  With respect to e-mails received from outside parties, the person to whom the e-mail is addressed is responsible for ensuring that a printed hard copy of the e-mail is placed into the appropriate file promptly upon its receipt.   

If you are unsure as to whether to retain a particular e-mail message or the appropriate file to which it belongs, please check with the Personnel Manager.  


4.    ANTI-VIRUS AND ANTI-SPYWARE POLICY

The Firm provides corporate antivirus and antispyware software for all attached workstations.  Anyone found disabling or tampering with that antivirus software will be subject to disciplinary actions.  

Files or macros attached to an e-mail from an unknown source should not be opened.  These should be deleted from the system immediately and deleted from the “trash” folder.  

If an e-mail has been blocked by the e-mail system because of a potentially hazardous attachment, and the sender is known and the e-mail is expected, contact the IT Administrator for access to that e-mail.  

Users who work at home on Firm projects are required to maintain antivirus, antispyware and firewall protection on their home computers.  If such protection is not already on a user’s home system, contact the IT Administrator for inexpensive resources for this home protection.

Delete spam, chain and other junk mail and do not forward any e-mails regarding potential viruses.  Many times these are hoaxes and should not be forwarded.

5.    PASSWORD POLICY

The Firm will change employee passwords on an as needed basis.  It is recommended that the following guidelines are used when setting up any Firm password:

•    The password should not contain fewer than eight characters.
•    The password is not a word found in a dictionary (English or foreign).
•    The password is not a common usage word such as:
o    Names of family, pets, friends, co-workers, fantasy characters, etc.
o    Computer terms and names, commands, sites, companies, hardware, software.
o    The words "<Firm Name>", "sanjose", "sanfran" or any derivation.
o    Birthdays and other personal information such as addresses and phone numbers.
o    Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o    Any of the above spelled backwards.
o    Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

•    Contain both upper and lower case characters (e.g., a-z, A-Z).
•    Contain digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
•    Are at least eight alphanumeric characters long.
•    Are not a word in any language, slang, dialect, jargon, etc.
•    Are not based on personal information, names of family members, etc.
•    Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!
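As an added example that is not part of the policy text above, the following checker applies the guidelines just listed: minimum length, mixed case, digits and punctuation, no dictionary or firm-name derived words (forwards or backwards, with or without a leading or trailing digit), and no keyboard, alphabet or digit patterns such as aaabbb, qwerty, zyxwvuts or 123321. The blocklist is a constructed stand-in for a real word list, and the firm_name argument stands in for the policy's "<Firm Name>" placeholder.

```python
"""Checker for the password guidelines in the policy above (constructed example).

The blocklist is a tiny stand-in for a real dictionary; a deployment would
load a full word list. Findings are returned as codes so they can be tested.
"""
import re
import string

ALPHABET = string.ascii_lowercase
DIGITS = string.digits
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for a dictionary / common-usage word list.
BLOCKLIST = {"sanjose", "sanfran", "secret", "password"}


def _in_run(s):
    """True if s is a slice of the alphabet, the digits or a keyboard row,
    read forwards or backwards (qwerty, zyxwvuts, 12345)."""
    for run in (ALPHABET, DIGITS) + KEYBOARD_ROWS:
        if s in run or s in run[::-1]:
            return True
    return False


def _is_pattern(s):
    """Word or number patterns the policy names: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 3:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", s):        # blocks of repeated characters
        return True
    if _in_run(s):                              # straight run in either direction
        return True
    half = len(s) // 2                          # mirrored run such as 123321
    return len(s) % 2 == 0 and s[half:] == s[:half][::-1] and _in_run(s[:half])


def check_password(pw, firm_name="Firm Name"):
    """Return the list of policy rules the password breaks; empty means it passes.

    Codes, in check order: length, case, digit, punctuation, word, pattern.
    firm_name stands in for the policy's "<Firm Name>" placeholder (assumption).
    """
    findings = []
    if len(pw) < 8:
        findings.append("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("case")
    if not any(c.isdigit() for c in pw):
        findings.append("digit")
    if not any(c in string.punctuation for c in pw):
        findings.append("punctuation")

    # The policy rejects a bad base word "preceded or followed by a digit"
    # (secret1, 1secret) and "spelled backwards", so strip one leading and one
    # trailing digit, then look for each word and its reverse in what is left.
    core = re.sub(r"^\d|\d$", "", pw.lower())
    words = BLOCKLIST | {firm_name.lower().replace(" ", "")}
    if any(w in core or w[::-1] in core for w in words):   # "or any derivation"
        findings.append("word")
    if _is_pattern(core):
        findings.append("pattern")
    return findings


if __name__ == "__main__":
    for candidate in ("secret1", "Qwerty1", "SanJose2009!", "TmB1w2R!"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```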


Firm Information

Any temporary employee or external consultant who removes information concerning the Firm or the Firm’s clients or employees from any part of the Firm’s computer system and uses that information for personal reasons is subject to discipline or legal action, up to and including immediate termination and lawsuit.

Posted Thu, Oct 29 2009 19:35 by bradley | 1 comment(s)

Sometimes (okay a lot of times) I have this annoying streak where I want people to ask themselves if there is a true risk to what they are doing.  Too many times in security we turn knobs and do things just because some tool said so or some article said we all must do it.  And I'm guilty of it too.  The "best practices" mantra.

Sometimes the best practice of all is to patch yourself... as in patch your own stupidity. 

Some people may freak out about what I'm about to post.  Some people may question why I feel this way, but from day one I've cringed at that UAC on SBS 2008 and felt that if it annoyed me a little bit when I was working on the server, it certainly would be annoying to others.  So today when I got this email....

With SBS2008 deployments we are finding UAC to be a pain whenever you need to change ini or script files etc. from inside a folder that is secured by administrator group permissions rather than explicitly applied to the user account.  Now I can accept this is UAC doing its thing and that's ok but the only way I have found to get around this is running notepad as administrator and then I can change the files as I need; the problem is that having to navigate through folders in this manner when trying to make changes to several config files is pretty clunky (in a recent SBS 08 deployment we had to disable UAC and restart it to do all the changes to 30 odd ini files for an app that is used).  I’m overly interested in changing folder permissions explicitly to get around this; have you got any thoughts of how we might get around this?

 Thanks for your time.

It reminded me of that cringing I personally do and it made me once again question the sanity of this setting.  UAC first and foremost is a tool to beat vendors over the head to write code better.  That's its basic goal in life.  It's not to annoy you (even though for many of you in Vista it does a darn fine job of that), it's not there as a security boundary, it's there as a virtual 2x4 to hit some sense into coders that DEMANDED admin rights. 

When you are on a server and ESPECIALLY as you set it up, what are you?  You are an admin.  You are god.  You need to be in your "patched for stupid" mode.  UAC is there more for the desktop, right?  Initially I said that I wasn't going to beat anyone up if they adjusted UAC down to silently elevate, as I said I liked protected mode on.  But there was a flaw in my thinking.  There are times that there are apps on a server that may not behave with UAC in silently elevate mode, and it may end up that it won't tell you if it needs RunAs or true admin rights and you'll be banging your head against a wall. 

So fasten your seat belt because here I go more into a religious security position.  I won't kill you if you turn UAC off on a SBS box. 

On two conditions of course:

First you have to promise me you won't be surfing at that server.  No facebook.  No farm game on facebook while setting up the SBS box.  The only sites that I'll allow you to go to are Microsoft.com and HP or Dell for drivers. 

Secondly, before you work on that box, you patch your stupid.  That means you do your adminy stuff and then get off the box when you aren't doing adminy stuff.   

My 64bit vendors on the desktop tell me to turn off UAC while installing now. 

So there you have it.  Patch for stupid.  Do only adminy stuff and I won't yell at you.  Understand that when you are on that server you are God.  Act accordingly.

Vlad Mazek – Vladville Blog » Blog Archive » What’s left of the cloud after it’s done raining?:
http://www.vladville.com/2009/10/whats-left-of-the-cloud-after-its-done-raining.html

Since someone is once again taking pot shots at CPAs who are supposedly deathly afraid of cloud solutions [and since that's my cue to earn my MacBook from Vlad], sometimes even on premises solutions scare one a bit.

Take for example my HyperV beast I just set up where I want the full GUI on the outside of the HyperV because I want to run HP's insight manager software to alert me upon impending doom of raid failures and what not.

So I install the software and it wants an account to set up the database.  Okay, let's use another account and not THIS account I say.  So stupidly I set up ANOTHER administrator account and then have to go into the SQL config to allow that second user to have rights in SQL before the installer will set up the database.  And then it says

Hmmm.. okay... I just built in a security dependency where there's a service running on that box that has rights on there that I may not want.  Needless to say I'll be going back again and trying to see if that process/service will run as a user, and not as an admin.  How many more of these decision trees along the way build in chinks in the armor of our on premises servers?  Conversely what are the decisions being made by the cloud vendors?  If they run HP, what account rights have they selected at that point in the process?  What other decision trees have been made along the way?  Not all of this is exposed by an audit or in a SAS 70 report.

But that said... so I earn my Macbook commission for the month, for the record, Vlad, it's not that I hate cloud, rather my apps won't go up there at this time, and I need an on premises server.

Those apps need an on premises Exchange.  I've done the research and picked the cloud where it makes sense for my business.  I can't when my apps aren't up there or don't support up there.

Not all of us live in a Google browser world you know.

Why am I so blonde when it comes to virtual networking in HyperV?

I have 4 nics, only one in use.

I have the virtual network with the "external" selected and connected to that nic.  I've compared the settings I have to my HyperV box at home where I have a similar setup and yet the internal SBS will not get Internet connectivity.  I can't figure out why it's not connecting.

Anyone have the once again blonde instructions for Virtual networks in HyperV?


Why is HP so blonde when it comes to HyperV?  I realized that inside the network card properties that there was an HP teaming software.  HP teaming software is starting to be up there with my hatred of broadcoms.  First off do not team nics on SBS 2008.  Secondly I could not figure out WHY I could not get my HyperV/Parent/child networking talking to the Internet.  The parent could, the child would not.  

 I disabled all nic cards except for the one I was using.  I turned off everything that said “offload” or “receive side scaling”.  Still nothing.  I compared my working HyperV to my non working one at the office.  


I googled and bingled and hit Ben’s blog http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/08/understanding-networking-with-hyper-v.aspx and then when I was looking at his nic card images it hit me.  There was an HP networking helper protocol that came in with the driver update and the check box was greyed out and you couldn’t uncheck it.  Dang.  So I go looking for something in Add/Remove Programs and Features.  Nothing.  Dang again.  Hang on, I CAN uninstall it from the networking properties [note to self in anticipation of later blogging/ranting I should have gotten a screen shot here] and I told the item to be uninstalled.  It needed a reboot of the box.  The minute the box came back up, voila.  SBS 2008 now has Internet connection like it should.

The moral of this story is MAKE SURE the nic card doesn’t have ANYTHING ELSE but bog standard stuff.  Get rid of anything HP driver ish in the nic setting properties.  And don’t do nic teaming on SBS.

So on the "production" Win 7 one of the feedback items was that the file open menu didn't open up the file folders the way Vista used to.

http://www.windows7update.com/Windows7-Folder-Options.html

So one of the settings I put back on the workstation was the open folder settings.

And voila, the expanded folder pane on the left hand side like Vista did it is back again.

Posted Wed, Oct 28 2009 18:30 by bradley | with no comments

Someone showed me this "trick" the other day.  Google search on a web site, limiting the domain to just your domain and then search for "sex".

http://www.google.com/search?hl=en&lr=&rls=com.microsoft%3A*&q=sex++site%3Amsmvps.com&aq=f&oq=&aqi=

See how much blog spam, web site spam and other bad content has ended up on the site without you being aware of it.

I got some cleanin' to do.

While I applaud what Microsoft is doing in the retail space (decrapifying the PCs to start with, offering deals on Home Premium and Professional - http://www.microsoft.com/windows/offers/ms-store-bundle.aspx), there's one other group of users that need a bit more TLC.

Those that believed in the Vista Ultimate experience.  While their Home Premium and Professional brethren get discounts, those who are running Vista Ultimate get no discount whatsoever.

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/5bad261b-4103-4f38-b76d-da2d632e2ef2

Many are in the "Windows Update" forum asking where their update to Windows 7 is since they suffered through Vista.

Ultimate users were promised extra "stuff" and it never was delivered.  Oh sure if you want to count the few crumbs that were thrown out, and the 47 million language packs that were marketed as an "ultimate extra", but now when it's their turn to look for upgrade offers, there are none to be found.

So?  Microsoft?  How about coming out with some peace offering for your Windows Vista Ultimate customers, huh?

Microsoft SMB Community Blog : Regardless of what any hack says, a Windows 7 Upgrade is an Upgrade. What you need to know.:
http://blogs.msdn.com/mssmallbiz/archive/2009/10/27/regardless-of-what-any-hack-says-a-windows-7-upgrade-is-an-upgrade-what-you-need-to-know.aspx
Microsoft SMB Community Blog : No, OEM Microsoft Windows licenses cannot be transferred to another PC:
http://blogs.msdn.com/mssmallbiz/archive/2009/10/27/no-oem-microsoft-windows-licenses-cannot-be-transferred-to-another-pc.aspx
Already there is buzz about using upgrade media to perform a clean install.  "But if Microsoft didn't want us to do it they would block it."  
Wrong.  It's there for us that are needing upgrade paths but the upgrade media alone is not a qualifying media to perform an upgrade.

First off I'd like to say that Karl Palachuk really screwed up this time.  Calling his company "Great Little Book" when his latest is great, but it sure isn't little, is not truth in advertising.  At a whopping 590 pages, that is not a little book by any means.  http://greatlittlebook.com/  Great yes, little, no way.

I'm in the pre-planning mode for the migration... or rather I should say the "Ghost of Karl Palachuk" is hanging around me in my server room tonight telling me to "Document!  Document!  Document!" as I'm setting up a new firewall, writing down (YES WRITING DOWN) the passwords and making sure that they aren't variations of the SAME password over and over again.  For a temp dry run test setup, I have the server and the new Calyptix firewall hanging off the second of two DSL connections (long story as to why we have two: the old one was under the original firm name and when we went to change the name they said "Oh no we have to set up a new account".  I tested the DSL line when it first came in and it was SLOWER than our old line so I've kept the old line all this time while waiting for about 6 months for the speed to bump up to the promised speed.)  It's now coming in handy as a second line to stage some of this stuff without interacting and interfering with my real server just yet.

But I realized that on this Netopia DSL router model I had never bothered to change the default password from the serial number default it was.  Way to go Susan on that one.  Just stick a "Hack me" sign on my router on that one.  So I've changed that from the default it once was.

In addition I want to ensure that I have a "bus book"... you know, ensuring that someone will have the documentation of the network should I get hit by a bus.  And too many times in small firms we do not take the time to document what we should.

Quick, where are the passwords for the routers that you have, that you manage?  Do you use the same variation of a password over and over again?  If someone guessed just ONE of your passwords, could they guess at the others?  See how important it is to understand the human nature of password choosing, the habit of just using variations of one password, and to do something better than that?  Right now this box is bog standard, and not in what I'd consider to be fighting condition for production. 

Right now I have full RDP open to anyone not limited down to a per IP restricted range. Port 25 is also not limited.  AuthAnvil is not loaded up for the two factor authentication I need.  All of these screws to tighten up my firm I'll add, I'll document, and I'll ensure they aren't the defaults.

Posted Mon, Oct 26 2009 20:45 by bradley | 2 comment(s)

Starting to roll out the official production Win7s and one of the interesting things is not all icons lend themselves to being "pinned".  On our CCH tax icons I have to build "pinnable" shortcuts.  In particular I have to put the word explorer in front of the shortcut url and then I get the ability to pin it to the task bar.

How to Pin Special Windows Items to the Taskbar | Windows 7 Tutorials:
http://www.7tutorials.com/how-pin-special-windows-shortcuts-taskbar

Posted Mon, Oct 26 2009 17:48 by bradley | with no comments