[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] Are you for sure going to hit the SharePoint issue? - THE OFFICIAL BLOG OF THE SBS DIVA
Fri, Jun 25 2010 23:17 bradley

Are you for sure going to hit the SharePoint issue?

Companyweb and SharePoint Central Admin not accessible after installing KB983444 - The Official SBS Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/sbs/archive/2010/06/18/companyweb-and-sharepoint-central-admin-not-accessible-after-installing-kb983444.aspx

On Facebook yesterday, Shaquile asked if he should patch for the SharePoint security update as he knew he would "have to spend hours to resolve the issues and I know that the clients are not going to pay for it!"

First off let's set some expectations:

I can't guarantee 100% that you won't hit issues installing this SharePoint patch.  But I can't guarantee 100%  that you WILL have issues.  On my production servers and on my test boxes, I could not get this update to fail.  And believe me, I TRIED.  Yet I have seen others that said that they have been hit by this.

Some questions to ask yourself... have you had patching issues with SharePoint on this server before?  I personally have always installed SharePoint updates all by themselves and separately from all other updates.  I don't know if that helps, but for me it helps to narrow down any possible side effects.

Next ... I'd honestly patch this when you have a plan to have other more "maintenance" type of updates.. such as Exchange 2007 sp3.  The security issue in this has a low risk in a SBS 2008 network due to how we don't expose SharePoint to a public url.

Next for most of the folks, all you need to do is the psconfig command.  On a rare few, some need to watch that SharePoint Search service.

But bottom line, just because a security update comes out, doesn't mean that it has to be done immediately, doesn't mean that the risk is horrific if you don't immediately patch and remember.. you can always evaluate the mitigation and do that instead.  Typically buried in the patch section is documentation of a mitigation that will keep you protected just fine in the meantime.

You can use the workaround in the security bulletin to block the help file until such time you patch it.  The workaround will protect you until such time as you are ready to tackle the patch.  The issue is with the help file on the box.  Change the access rights to that help file and voila... issue is mitigated.

http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx

To restrict access to the vulnerable Help.aspx, run the following commands from a command prompt:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

Do runas admin and remember it's normal for the error message to occur on the Program Files (x86) because SBS 2008 is a 64bit box and the x64 version of SharePoint is installed.

Once the security is set, you can't browse to that help.aspx file

When's the last time anyone read the SharePoint help file anyway?  Risk mitigation.  Patch not needed for now.  Document what you did to the server to ensure you undo it when you ultimately patch, and there you go. any potential issue with patching right now immediately has been bypassed.

So keep in mind that just because there's a known issue listed here... doesn't mean you'll hit it:

http://support.microsoft.com/default.aspx?scid=kb;en-US;983444

And keep in mind that just because there's a patch, doesn't mean you have to install it if you've taken the time to deem the risk acceptable or taken mitigations to remove the risk.

To undo it follow the workaround instructions again...

How to undo the workaround.

Run the following commands from a command prompt:

takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone

When you run that command... you'll undo the mitigaton and be able to see the security tab info again.

Filed under:

# re: Are you for sure going to hit the SharePoint issue?

Monday, June 28, 2010 11:29 AM by Tim S

Well - I had the problem and ran the psconfig about 10 times.  I had it bad and eventually could get to the sharepoint website through the IIS program on the server.  Turns out that what saved my butt was the following: technet.microsoft.com/.../dd548327(WS.10).aspx.  As soon as I repaired user access to the internal web site it worked again.  Thought this might be useful!

Tim

# re: Are you for sure going to hit the SharePoint issue?

Tuesday, June 29, 2010 9:43 PM by Dean

"if you've taken the time to deem the risk acceptable "

There is a whole blog posting topic right there.

Who deems it acceptable ? The lone IT person in the company ? The lone IT person plus the owner of the company who probably doesn't understand the risk anyway ? Just the owner of the company ? The consultant who does the IT work for the company ?

If the risk IS deemed acceptable and you get hit who gets the blame ?