THE OFFICIAL BLOG OF THE SBS "DIVA" : XP2

No I really haven't lost my mind..

bradley — Thu, 01 Sep 2005 22:34:00 GMT

So I'm googling for some info to get a 98 attached to a SBS 2003 box for ...what else... a beancounter. A beancounter that SHOULD be signed up for the Microsoft's Accountant Network and not forcing his IT guy to jump through hoops as he'll be able to get Win XPs' and his 98 desktop won't SCREAM “I don't care about the security of my data” to every client that walks by... so anyway I googled this... and here's the funny thing... when I emailed it of to the person asking for it... it bounced back...

Your e-mail was rejected by an anti-spam content filter on gateway. Reasons for rejection may be: obscene language, graphics, or spam-like characteristics.

You know... I think I quite agree ... having Windows 98 info inside of an email is obscene isn't it? Especially in a SBS 2003 network... it just works soooooo nicely on XP... Remote Web Workplace... man you just do not know what you are missing out on when you don't have XP sp2 on that network....

Definitely I think I agree with the spam filter... definitely obscene to put a 98 on a SBS 2003 network. It's like making an Indy 500 race car driver drive an... oh I don't know...an Edsel or something...

Make sure that you specify WINS as the internal ip address of the server.

Also, if using DHCP, enable the support for updating to DDNS, for all legacy clients,

by entering the DNS tab in the properites of the server.domain.local in the DHCP Console.

The supported client OS for SBS 2K3 is Windows 98, Windows 2K, Windows 2K3

and Windows XP Pro edition. Windows 95, Windows Millennium are not officially

supported in Windows 2003 (which includes SBS 2K3) environment although

you may be able to join them into the domain

Please also note that although you can use a Windows 98 clients in the

domain, they won't have full functionality (won't have full functionality

of WSS/companyweb either due to not being able to use Office 2003,) and you

will have to manually configure clients networking configure it to logon to the

2003 domain (you will not be able to join the Win98 clients to the domain

by using the "connectcomputer" web site). In addition, there are many

other issues with legacy clients as mentioned in: 823659 Client, Service, and Program

Incompatibilities That May Occur When You -

It is also recommended that you install the updated DSclient (the one

included in the SBS 2K3 setup CD cannot be installed on 98 clients) on the 98 clients.

More detailed information can be found in the KB article below:

323466 Availability of the Directory Services Client Update for Windows 95

and http://support.microsoft.com/default.aspx?scid=kb;en-us;323455

226144 NetBIOS Domain Name Field Has a 15 Character Length Limitation -

http://support.microsoft.com/default.aspx?scid=kb;en-us;226144

After installing the updated DSclient on 98 clients (you may need to wait

for some time after the 9x clients' start until the computer lists are

synced,) I can then view and share the shared computers in 'Network

Neighborhood' ¨¤ Entire Network ¨¤

Why doing a clean install of Windows XP is a good thing..

bradley — Mon, 08 Aug 2005 02:26:00 GMT

You cannot find options under "Use Extensible Authentication Protocol (EAP)" on a computer that you upgraded from Windows 2000 Service Pack 4 to Windows XP with Service Pack 1 or Service Pack 2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;902934

It's Knowledge base articles like that that make us recommend clean installs on Windows XP.

That said... I have to admit that I'm sitting here typing this up on my clunker machine of XP sp2 while my new spiffy super dooper SATA harddrive machine is sitting over there with it's side off waiting for me to hang one of these harddrives on this machine inside that machine to make it easier to migrate the 'profile' data. Once upon a time we could just copy the 'wack' folder from one system to another and everything would just magically work. But then someone invented...the registry.

Yes the same registry that the Scriptomatic guys joke that you are always reminded in KB articles that oh if you muck with this sucker you could blow up New Orleans in the process if you aren't careful. I think the problem that we all have with people not wanting to migrate up to Windows XP sp2 from what they have because what they have is 'good enough'...I think it's also a problem of migration is still ...even with the file and transfer wizard...isn't good enough. I know in my own office, if Word has a funky macro in the old machine and the new one isn't IDENTICAL, I'll end up with a messy normal.dot or a macro template that I muck around for hours trying to get back out of the newly built system.

..one of these days I'll be on my new super dooper computer....just probably.... well most definitely...not today....

Sorry Amazon.com, it wasn't you after all

bradley — Mon, 06 Jun 2005 22:19:00 GMT

I'll be surfing out on Amazon.com and after I've stuck something in the shopping cart...like...oh .... Dr J's and Riley's new book..... I'll click the back button and I get a page not displayed.

Rats. Stupid Amazon.com. Does this to me all the time. Really annoying.

Well I was out checking knowledge base articles and found this:

FIX: You receive a "Page cannot be displayed" error message in Internet Explorer when you browse back to a Web page that contains data that you previously submitted after you install Windows XP SP2:
http://support.microsoft.com/?kbid=890178

No WONDER I keep getting that issue. It's NOT Amazon.com at all. Remember this is a call for a hotfix, now why this isn't more available, I have no idea, but at least I can call for the free hotfix.

Update ...okay I'm confused.... if I get the hotfix it says I need to enable it by entering a reg key, but if I have cumulative update the steps do not have to be followed. Have you seen these hotfixes that are like this that have 'reg key enablers'? Outlook Express has a bunch of them too.

hmmm... I think I'll do the workaround.....

CRM and XP sp2?

bradley — Wed, 04 May 2005 02:09:00 GMT

I went to a NT user group meeting tonight and one of the guys sitting next to me said they hadn't yet deployed XP sp2 because Microsoft CRM didn't support it. I knew they had already sent out a patch to fix this... so ... if you are they guy who talked to me tonight...the patch is right here.

If you are on XP sp1 you won't wake up with XP sp2 tomorrow

bradley — Mon, 11 Apr 2005 17:51:00 GMT

Dear Microsoft/WagEd/whomever was in charge of your communication on the 'expiring blocking mechanism of 4/12/2005”:

Next time, can you try to do a better job of communicating than you did?

Your article here totally is confusing, misleading and quite frankly scares people.

Conversely Paul Thurott's article here gives the facts:

“However--and this is the most important point--Automatic Updates won't automatically install SP2 at that time. Instead, you must first agree to the End User License Agreement (EULA) before SP2 will install via Automatic Updates. If you decline the EULA, SP2 won't install. End of controversy.”

For those folks who also say that they'd love to install it but their vendors won't support it yet, do me a favor and send them this link:

Windows Application Compatibility Toolkit

The Application Compatibility Toolkit (ACT) 4.0 was designed to help IT Professionals minimize the risks associated with changes to the operating system and to deploy Windows XP SP2 quickly so they can realize the value of the investments Microsoft has made in securing the desktop from threats such as viruses, worms, and spyware.

Remember what has been said before about XP sp2 -- this is a WIN for the Security guys. So get your vendors [who obviously don't seem to be into security now, are they?] to help you get your desktops be part of your security protection system.

April 12 should not be a day of concern for you, rather it should be the day you put your vendors on notice that it's time for them to pick up the ball. I can understand if you can't find the vendor anymore, but folks, if you have a vendor that is on the record for not supporting SP2, that vendor needs to get a clue. They need to help you, help us out here get more secure.

XP sp2. If you don't have it installed. Do it.

If it's because of vendor support, start pressuring them.

It's time.

So what's YOUR excuse?

bradley — Sun, 10 Apr 2005 02:01:00 GMT

Dual monitors means I multitask.... doing a spreadsheet on one screen, got last years TechEd DVD content playing on the other [geek radio you know]. And I'm listening to Steve Riley's presentation on the changes in XP sp2...and he says that the computing industry is in it's infancy really.

Think about it...it's true isn't it? It's really only about 40 years old and the things we've relied on were truly built in an age that we trusted a lot more than we do now...and thus because the world in which computers live in is less trustworthy that the world that the underlying architecture was built for and intended for, means we need to change, to update how we do things.

He goes on to predict that we might even see some more RPC issues crop up [you remember 03-026/03-029 Blaster right?] because the underlying architecture on what RPC was based on assumed we could trust the network. But we can't anymore, can we? He goes on to say that the move to making sure that you can trust a machine with your life [aka trustworthy computing] is about a 10 year process...and they've just begun. RPC Interface Restriction is just one of the first steps. And he finishes it out by saying:

“This [Windows XP sp2] It's a victory for the security guys. It's a step to get your hosts [desktops] become particpants in the security stance of your organization. “

Hmmm... interesting... so if XP sp2 is a win for the security guys....

So what the heck are YOU waiting for?

You heard me.... why haven't 75% of you deployed it yet? Why has only 1/4 of those on Windows XP rolled it out?

You know your desktops are your weak spots, why haven't you empowered them with all the layers you can to protect them?

You know .... someone was asking in the newsgroup about upgrading from SBS 2000 to SBS 2003 and whether they should upgrade and you know.... it truly isn't just about the killer app of Remote Web Workplace to me. It's also about Security. About the better patching experience I've had. [truly I do mean that] Someone on a listserve mentioned that IIS 6.0 was rock solid. That while they have attacked boxes, they've gotten in via poorly written applications and not via the native IIS.

That's why you should upgrade to Windows 2003/SBS 2003 and Windows XP sp2. Because truly both platforms are a win for the Security guys. And soon for us, our own service pack, SBSers SP1. I've literally seen the Data Execute Projection mechanism where a potential buffer overrun is flagged [in my case it was a major update to the Trend virus engine that needed to be 'approved' as a DEP exception], I've seen the impact of the firewall as the system is built. The changes in XP sp2, in Windows 2003 sp1, the beginning of the band wagon for LUA for Longhorn.

Like this feature for example....

Post-Setup Security Updates (PSSU). Servers are vulnerable in the time between being installation and when the latest security updates are applied. To counter this, Windows Server 2003 with Windows Server 2003 Service Pack 1 blocks all inbound connections to the server after installation until Windows Update has run to deliver the latest security updates to the new computer. This feature also guides administrators through Automatic Update at the time of first log on.

Do you realize that never again will a box be nailed with Code Red/Nimda as it's being built? Wow, I mean how cool is that?

So if you aren't on XP sp2, if you aren't getting prepared for SBS 2003 sp [don't install Windows 2003 sp on our boxes], why aren't you?

The Green versus the Blue

bradley — Sat, 26 Mar 2005 03:39:00 GMT

A bit of background first from Steve Riley:

"Therefore, we admit we broke our promise and we added features to a service pack, but we did it because we believed it was absolutely necessary to improve the resiliency of the operating system to live in the hostile network that we have now that designers of software and even software as recent as Windows XP never really imagined that the Internet would become the hostile place that it is right now. And it's more imperative to software designers than ever before that they build in features that can increase the resiliency and security management, for example, so that it's easier to configure and maintain."

"The perimeter is, for all practical purposes, almost gone. Every machine is becoming its own perimeter."

"Moving the security decisions from the edge to the host, it's almost as if the host is now the edge."

Friends, Romans, Countrymen, Geeks, Blogreaders lend me your ears...or eyes as the case may be.....

XP home does not have the same security features as XP pro. Specifically it is lacking these two that I think are very important ones:

Encrypting File System - protects sensitive data in files that are stored on disk using the NTFS file system.

Access Control – restrict access to selected files, applications, and other resources.

In this day and age where Aunt Nellie's system is apt to be turned into a attacking bot, where the home PC has PII [personal identity information] on it [credit cards, bank accounts and what not], where identify theft, phishing, etc etc is a daily occurance, I think the home machine needs as much protection as our most vulnerable web facing machines. Therefore, why is there an operating system 'built for Home", ready for peer to peer networking, that has less security features than XP Pro?

Shouldn't the needs of a home machine, less controlled and protected than a XP pro behind ISA server [preferably in SBSland as well] not be identical to pro...or perhaps [gasp] even exceed a pro machine in its security needs?

If I have personal information on that box, I want encryption. If I have junior on my same system doing who knows what, I want the ability to add security permissions and what not to files of a level possibly more paranoid than I do at work.

Why is there an assumption that Aunt Nellie at home needs less security than Uncle Bob at the office?

Shouldn't all desktops be protected in the same manner? Why is there [other than for stupid marketing and pricing decisions] the need for two client systems anyway. Aren't the security needs of us all the same?

We in SBSland don't like the Green box because it means that we have to talk the owner into upgrading to the Blue box. [remember XP homes cannot join a domain]. But heck I don't like XP Homes for their lack of security features.

As we go into Longhorn...how about ONE BOX. One Security model...one set of tools and tweaks and protections and ....just one protection level.

I'm not talking about versions like Tablet and Media center and what not...but just don't have a version at home that cannot have the same security features as an Office version.

So Steve Ballmer or Bill Gates or whoever is in charge of making the decision of the client/desktop operating system. Consider that Home machines need just as much security IF NOT MORE these days than office machines. Don't make this a marketing decision...make the choice of ONE operating system a security one.

Just say NO to the Green Box.

Go Borg!!!!

bradley — Sat, 19 Feb 2005 05:13:00 GMT

In buying some USB cables at Office Depot tonight, I noticed that Office Depot had XP sp2 cdroms in the same shelf as the AOL cdroms. Kewl. I was posting to a listserve some of my accumulated “stuff” about XP sp2 and I'll copy it here....

For those that haven't deployed it.... DO IT. Go Borg!

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

In my little lan while certainly not a huge rollout, just a few patterns that I noted

2 out of 2 workstations with Nvidia digital video cards did not like the driver in Sp2 and needed to be booted into safe mode and rolled back to the sp1 driver.

2 out of 2 computers [laptop/desktop] with various versions of AOL installed on them [yeah... I know....don't ask] did not have good install experiences and required the use of a repair install.

Ensure you scan with a malware remover BEFORE deploying SP2 as there are a couple of nasty strains [one in particular comes to mind] that wreak havok with sp2 installs
Windows XP Service Pack 2 is not available to install from Windows Update and is not offered by Automatic Updates: http://support.microsoft.com/default.aspx?kbid=885627

All other machines were deployed in stages using Shavlik HfnetchkPro and had no issues.

After deployment I would advise installing the Loopback patch for two issues....

1. Some reported issues with Cisco VPNS and what not
2. A bit noisy app log files with mrxsmb "cosmetic" issues

Programs that connect to IP addresses that are in the loopback address range may not work as you expect in Windows XP Service Pack 2: http://support.microsoft.com/default.aspx?scid=kb;en-us;884020

The recent 05-011 patch has some very isolated issues with XP sp2 and 2k3 networks [file shares and mapped drives] so if you are seeing any of these remember it's a free call to Microsoft for security patch issues. [I personally am not seeing issues here]

There are two other patches that you may want to include in your XPsp2 images for those that RIS and 886185 gets offered up via Windows update but not deemed to be a security patch

Description of the critical update for Windows Firewall "My Network (subnet) only" scoping in Windows XP Service Pack 2: http://support.microsoft.com/default.aspx?scid=kb;en-us;886185
You receive the Stop error "Stop 0x05 (INVALID_PROCESS_ATTACH_ATTEMPT)" in Windows XP Service Pack 2 or Windows Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;887742

Get XP sp2... go BORG!

Issues with updates on XP sp2?

bradley — Wed, 09 Feb 2005 18:36:00 GMT

Here are some tips stolen from the newsgroup:

Method 1:

Stop the Automatic Updates Service
1.     Click Start.
2.     Choose Run.
3.     In the Run box, type services.msc.
4.     Click OK.
5.     Right-click the Automatic Updates service.
6.     Select Properties.
7.     Under Service status, click Stop.
8.     Click OK.

Delete the Contents of the DataStore and Download folders
1.     Click Start.
2.     Choose Run.
3.     In the Run box, type %windir%\SoftwareDistribution.
4.     Click OK.
5.     Delete the contents of both the DataStore and Download folders.

Start the Automatic Updates Service
1.     Click Start.
2.     Choose Run.
3.     In the Run box, type services.msc.
4.     Click OK.
5.     Right-click the Automatic Updates service.
6.     Select Properties.
7.     Under Service status, click Start.
8.     Click OK.

Reset or Optimize the Internet Explorer:
For this lets follow the steps given below:
1.     Double Click on Internet Explorer Icon
2.     Select Tools
3.     Select General Tab
4.     Delete Cookies->Click OK.
5.     Delete History->Click OK
6.     Then go to Advanced Tab
7.     Click Restore Defaults
8.     Click Apply->Click o.k

Turn-Off the Pop-up Blocker: To disable it :
1.     Open an Internet Explorer window
2.     Click Tools
3.     Select Pop-up blocker
4.     Select Turn-off pop-up blocker

If our issue stays then kindly proceed to the next set of suggestions.

Add the following Sites as Trusted Sites:
For this lets follow the following steps:
a.      Click Start-->Internet Explorer
b.     Go to tools in the Tool Bar
c.      Click on Internet Options.
d.     Go to the security Tab
e.      Click on trusted sites
f.       Add the web-sites one by one.
g.     Click add
h.     Click ok
i.        And click ok again

http://Windowsupdate.microsoft.com
http://V4.Windowsupdate.microsoft.com
https://v4.Windowsupdate.microsoft.com
http://Download.Windowsupdate.com
http://V5.Windowsupdate.microsoft.com and
https://v5.Windowsupdate.microsoft.com

Method2:

1.     Click on Start and then click Run,
2.     In the open field type "REGSVR32 WUAPI.DLL" (Without quotation)
3.     When you receive the "DllRegisterServer in wuapi.dll succeeded"
message, click OK.
4.     Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 JSCRIPT.DLL
REGSVR32 WUWEB.DLL
REGSVR32 MSXML3.DLL

So why did the laptop have that key and not my workstation?

bradley — Sun, 09 Jan 2005 01:24:00 GMT

Fixing my sister's laptop that has been giving problems with USB devices like the thumb drives and I was trying to get her new gig drive working and it kept coming back with an error message: “The specified service does not exist as an installed service“

Fixed it.

But don't know why her machine had this key and my desktop does not:

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}

Under there was indeed a key called “lower filters” and it was indeed a binary. Deleted the key out, rebooted and it can find the drive just fine now.

Weird. My desktop doesn't have it.

Must be sunspots again.

So like how many #$%# firewalls do we need?

bradley — Thu, 02 Dec 2004 01:30:00 GMT

The question was asked again in the newsgroup today --

“Do I need the XP sp2 firewall enabled on the workstations inside my network when I have a firewall on the outside?”

First off some background. In your computer, in any computer there are over 64,000 ports... tcp/udp ports that are used to talk to one another. Sometimes there is an application that is loaded up and “listening“ on a port. Kinda like it's sitting on your computer going “I'm ready! I'm here!“. For bad things to happen a couple of things have to align in the cosmos.

First you would have to have this open port with an application that is “listening“. Then you would have to have a vulnerable application, something that you didn't patch. Now knowing that I'd wack you guys upside the head for not patching, that's probably not going to happen, but let's pretend, shall we? Then there would have to be a way inside your network.

If a bad guy knows that behind that open port [think of it as an open door] that application “X“ is waiting and ready to go, they can build a worm that attacks that “listening application“ that specifically targets that open port. Now we all know that all we need to be absolutely positively 100% safe is a firewall, right?

Wrong. A firewall is only as good as the ports you have closed. Furthermore, its only as good if there's absolutely no other way to get inside your network. In order to do “normal“ business, we MUST open ports. Think of it this way, in order to do your job you must take the risk of driving a car. You must get in the car and drive on the road or highway to get to your destination. Thus you have opened yourself up to risks. In a typical firm you probably have some ports opened up all the time:

Port 443 - the SSL port that SBS 2003 needs for secure access to RWW and OWA
Port 25 - needed for email

On port 25 in particular [the email port] spammers are trying to “hang off your nice IP address“ and do what is called an SMTP authorization attack. They will attempt to “crack“ the password on that port and try to authenticate on the Administrator's account. Keep in mind that the “attacker“ doing this... I wouldn't call an “attacker“. It's a “bot“ a machine just trying to add another victim to it's lair. There's no human “hacker“ on the other end of your rj45 connection manually trying to crack password, it's more likely that it's an automated program trying to get into your system.

This by the way is the “finagle“ vulnerability that was discussed by USAToday... aka stupid cracked passwords...a “don't do that“ event as Jason out of Mothership Charlotte would say.

Okay lets discuss historical events in history that would have been prevented if a firewall had been on the inside of a network shall we?

SQL slammer would not have been as damaging for one - right now my file and printer sharing ports, my Trend listening ports and nothin' else are open on this workstation. Thus 1433/1434 the MSDE/SQL server ports are not open. Now if I had something like an application [like the new 2005 Lacerte will do] that has MSDE installed on the desktop, I can sleep easier knowing that that application is protected.

Remember too that the other way you got nailed was when you had unpatched machines, a firewall on that outside peremeter and somone remoted in/VPN'd into the network and infected the unprotected/unpatched network. Most of us probably are not running with VPN quarantine features running as it's not quite SBSized, so unless you can guarantee that all your salesmen have nice, clean, protected machines as they remote into the network, you probably need to think about firewalls on the INSIDE of your network.

Steve Riley will be including this in an upcoming book, but the gist is that the concept of the DMZ is dead.

So why do you need a firewall on the inside of your network when you have a perfectly good one on the outside? Because stuff happens. That's why. And it's another layered defense to have on our side.

Speaking of patching... for those people that are 100% borg [aka SBS 2003 and Windows XP sp2.... there is no patching needed today whatsoever]

Non-Affected Software:

•	Microsoft Windows XP Service Pack 2
•	Microsoft Windows XP 64-Bit Edition Version 2003
•	Microsoft Windows Server 2003

Details on Group Policy

bradley — Fri, 26 Nov 2004 07:13:00 GMT

Jeff from Vancouver also writes in that he wants a more detailed description of what the group policy can and cannot do.

You know [in my opinion] the best source for seeing the power of group policy is? In an Excel spreadsheet. Now granted I think it's because us beancounters are born with a spreadsheet so it's more natural to us, but that one document more often than not shows me what can be done.

Remember my NOLMHash thing?

On the spreadsheet it's detailed out like this:

Computer Configuration\Windows Settings\Local Policies\Security Options

Network security: Do not store LAN Manager hash value on next password change

Determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
For more information on cryptographic hashes of passwords, see "Microsoft NTLM" in the Microsoft Web site at http://go.microsoft.com/fwlink/?linkID=7029.
Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.

Check this spreadsheet out Jeff. It takes some time to go through, but I think it might help.

Let me know.

Some addins on XP sp2 are not listed in the Manage Add-ons box

bradley — Sat, 20 Nov 2004 05:50:00 GMT

One of the big changes in IE under XP sp2 is the ability to manage Internet Explorer add ins. Details of this are showcased here:

How to manage Internet Explorer add-ons in Windows XP Service Pack 2:
http://support.microsoft.com/kb/883256

Tonight on Thundermain's RSS feed I spotted this KB and tracked back the KB that was released to the download page:

Download details: Update for Internet Explorer 6 for XP Service Pack 2 (KB888240):
http://www.microsoft.com/downloads/details.aspx?familyid=d788c59e-b116-4d38-b00c-ff1d529106c8&displaylang=en

Some add-ons are not listed in the Manage Add-ons dialog box in Internet Explorer on your Windows XP Service Pack 2-based computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;888240

Sounds like a good download to install, don't you think? :-)

MRXsmb errors in your system event log files after XP sp2?

bradley — Thu, 04 Nov 2004 23:18:00 GMT

Sorry to sound like a broken record again, but first I have to rant:

"An enterprise class account will typically have adequate security procedures from a firewall perspective, and also have appropriate intrusion detection systems," said Phil Ernst, president of Convergence Technology Consulting, Bowie, Md., which has performed numerous SP2 deployments for SMB customers. "The SMB space is a mixed bag. Best practices costs money, and in some cases too much for many SMB organizations. Either they lack the internal expertise for controlling updates, lack the funds, or both." X2 Adoption slow in Enterprise, Picks up in SMB.

I've met some folks in “enterprise class and I can say without a doubt that “best practices“ isn't followed in those enterprise marketplaces any better. They don't necessarily because of their size have adequate security procedures.

So what "best practices" can you do that we already have the tools for under the hood and just need external expertise from a VAR/VAP to set up [or even one really geeky admin]?

Controlling updates from the server with SUS
Group policy
Password policy
OWA with SSL encryption
Remote Web Workplace which has SSL
We already have a firewall
You need to add a antivirus program

But the article confirms what I've seen. Out here in SBSland we're rolling out XP sp2 much more than the big guys.

Remember the resources we have for rolling out XP sp2;

I also spotted this article that says “Business Continuity to suffer“ with the roll out of SP2. What continutity issues? What broken applications? I've had NO issues with SP2 on my workstations and all of my applications work just fine. If the program gets broken with SP2 the program was written poorly in the first place.

The only issue that I noted, and have now fixed, is that my workstation was throwing off a lot of “Event 3019 errors - MRXsmb - The redirector failed to determine the connection type” errors in my system event log and the application of the loopback patch cleaned up my system log files. After I applied that patch, it cleaned up my log files with no issues. It wasn't causing any issues, more of a cosmetic thing that was annoying. The hotfix is available on the download site. Given that I shut off SMB signing here because of attached printers, I'm thinking it was related a bit to that. Whatever the reason, my log files are now as they were before.

XP sp2 stuff

bradley — Thu, 14 Oct 2004 17:39:00 GMT

David S. in the newsgroups asked if I could put a XP sp2 category in the blog. Sure!

I'll revisit the “stuff” you need to have for deploying sp2 on your SBS 2003 network:

ENABLING THE FIREWALL

Update to enable and configure the SP 2 firewall inside the network [this comes down via Windows Update]
Hotfix to fix the “long name“ error on the Group policy edit [this does not come down via Windows Update]
KB article about the issue
Whitepaper to deploy XP sp2 firewall

DEPLOYING SP2 TO NEW MACHINES/NEWLY JOINED MACHINES

Package to deploy SP2 to new computers - please note this cannot be uninstalled
Whitepaper to deploy XP sp2 as the SP to new machines

SP2 INSTALL PACKAGE

XP sp2 install package

TURN OFF THE FIREWALL?

What policies to adjust to turn OFF the firewall at the domain controller

MICROSOFT'S RESOURCES

XP SP2 hotfixes you may need

Loopback fix [for VPNs etc]

One of the best ways to get a feel for how much you can control is looking over THIS spreadsheet. Take a look at it and I think it will give you the best feel for how powerful this is.

So, I'm sure you are wanting to know ...why do we need a firewall on the inside when we have ISA/RRAS on the outside. Because look at our past Blasters, Sasser and other worms. Most of the affected businesses HAD firewalls, yet they got nailed. Port 80 is jokingly called the universal firewall bypass port because so much goes though there now. Protecting your workstations, limiting the ports that they are exposed on is the best practice going forward. The Windows 2003 R2 [the next release of the server OS in a year or so] will include network protection feature so that workstations that don't “pass muster” won't get a IP address. Enabling the firewall inside our networks is the first step in the journey towards that.