KWSupport

Kevin Weilbacher [SBS MVP] blog on SBS, WHS and other topics of interest!

July 2005 - Posts

Learning about GPO's

A newbie SBS'er wanted to know what documentation to read to deploy Group Policy. Here are the suggestions from Brandy Nee [MSFT]:

I suggest that you start with the "Implementing Common Desktop Management Scenarios with the Group Policy Management Console".
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

This white paper is more basic for you to start with SBS 2K3 server. It includes coverage of Windows Server 2003 and the Group Policy Management Console (GPMC). I also found some additional information for you, please see:

Windows Server 2003 Group Policy
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Frequently Asked Questions About the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx

Administering Group Policy with the GPMC
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Also, I would install the SBS2003 update for enabling XP2 firewall via GPO in an SBS2003 network:
http://www.microsoft.com/downloads/details.aspx?FamilyID=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en

And here's a four part article that describes the new GPO features of Windows 2003:
http://www.enterpriseitplanet.com/security/features/article.php/2200561

Posted: Sat, Jul 30 2005 9:03 by kwsupport | with 1 comment(s)
Exchange 2003, ActiveSync and SSL - Oh, My!

So, a person has an SBS2k3 w/SP1 installed. Exchange ActiveSync works with SSL turned off via wireless synchronization locally and over the internet. The questions are:

1.)  What are the security related risks, if any, by not using SSL?

2.)  When I try to enable SSL I copy the cert over to the PPC and attempt to run it and it says cannot access certificate. I'm grabbing the cert from \\servername\clientapps\sbscert.  I did install the certificate component from add/remove programs.  Does this screw with it?  I was grabbing at straws trying to figure it out. I don't know if it matters at all, but I can install a cert if I go to http:\\servername\certsrv and install a DES cert but not the other one.  I get an internet_45 error after that cert is installed.

If question 1 doesn't lead to significant security risks question 2 becomes mostly moot, although I would like to figure out WHY it won't install.
Thanks.

Jerry Zhao (MSFT) from Microsoft had the answer:

For the function of the SSL, you can refer to the following articles:

What is TLS/SSL?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ed5ae700-e05e-45ef-b536-45795dbb99a2.mspx
XADM: How Secure Sockets Layer Works
http://support.microsoft.com/default.aspx?scid=kb;en-us;245152

As for your question 2, from the Exchange 2003 viewpoint, the OMA/Server ActiveSync features don't require certificates if you don't plan to enable SSL for the HTTP connections for these mobile features. Also, in the mobile devices with PocketPC 2003 or later as OS, you can choose either using HTTPS or not using HTTPS when you try to use Exchange 2003 OMA/Server ActiveSync features. If you choose using HTTPS, you may have to obtain a certificate from a well-known third-party CA or set up and issue your own certificate by using the Windows 2003 CA service, and then implement the certificate in your Exchange 2003 Server to enable SSL for OMA and Server ActiveSync.

NOTE: If you plan to set up Windows 2003 CA Service and issue your own certificate, it will not be trusted by your PPC mobile devices by default and you may want to use the following tool on your PPC devices to disable the SSL check:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en

Treo 650 and SBS2003

Here's my initial experience with setting up a Treo 650 to an SBS2003 server.

In all cases, I used the VersaMail utility software. Some vendors may automatically install VersaMail on their Treos, whereas others supply it on the CDROM and you must upload (install) VersaMail on your Treo.

I've configured and tested the Treo 650 both accessing Exchange server directly via Activesync, as well as using IMAP to pull email in. Using Activesync, the Treo automatically pulls in emails on a scheduled basis you select (5 min, 15 min, etc.). With IMAP, however, I kept getting errors when the prescheduled download of email would kick in. This happened with two different SBS2003 servers. But clicking 'Get' to manually pull down new email always works for me.

Exchange/Activesync Basic Settings:
1. Account name: Home
2. Mail Service: Exchange Active Sync
3. Username/password: my SBS username and password
(note: I did not have to add a leading "domain\" to my username)
4. Email Address: my SBS public email address
5. Mail server: kwsupport.tzo.com

Advanced Settings:
6. Incoming port: 443
7. Use SSL is checked
8. Proxy Server: 80
9. Proxy authentication: unchecked

IMAP Settings:
1. Make sure you enable IMAP services on your SBS server
2. Account name: Home2
3. Mail Service: Other/IMAP
4. Username/password: my SBS username/password
5. Email address: my SBS public email address
6. Incoming mail server: kwsupport.tzo.com
7. Outgoing mail server: I used my ISP's mail server (outgoing.verizon.net)

Advanced Settings:
8. Port #: 143
9. SSL was NOT selected
10. Outgoing Server Settings:
- Port 25
- Use Secure SSL connection
- Use authentication (enter username/password for your outgoing ISP)
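
As an added illustration (not part of the original posts), the sketch below shows what is readable on the wire in the two unencrypted setups discussed on this page: ActiveSync with SSL turned off, and IMAP on port 143 with SSL not selected. It assumes ActiveSync authenticates with HTTP Basic and that the mail client sends an IMAP LOGIN command; the host, account and password are constructed sample values.

```python
import base64

def exposed_credentials(captured: bytes):
    """Return (mechanism, username, password) readable from an unencrypted
    capture, or None when no cleartext credentials can be recovered."""
    for line in captured.decode("latin-1").split("\r\n"):
        # HTTP Basic (assumed for ActiveSync): base64 is an encoding, not encryption.
        if line.lower().startswith("authorization: basic "):
            raw = base64.b64decode(line.split(" ", 2)[2]).decode("latin-1")
            user, _, password = raw.partition(":")
            return ("http-basic", user, password)
        # IMAP LOGIN (assumed client behaviour): "<tag> LOGIN <user> <password>".
        # Quoted strings containing spaces are out of scope for this sketch.
        parts = line.split(" ")
        if len(parts) == 4 and parts[1].upper() == "LOGIN":
            return ("imap-login", parts[2].strip('"'), parts[3].strip('"'))
    return None

# Constructed samples: host, account and password are made up.
HTTP_SYNC = (
    b"POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"EXAMPLE\\jsmith:Summer2005!") + b"\r\n\r\n"
)
IMAP_143 = b'a001 LOGIN jsmith "Summer2005!"\r\n'
# Stand-in for the same traffic inside TLS: record header plus opaque bytes.
TLS_443 = bytes.fromhex("1703010020") + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    for name, capture in [("ActiveSync over HTTP", HTTP_SYNC),
                          ("IMAP on port 143", IMAP_143),
                          ("ActiveSync over SSL", TLS_443)]:
        print(f"{name}: {exposed_credentials(capture)}")
```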

Posted: Sat, Jul 9 2005 22:17 by kwsupport | with 3 comment(s)
Moving / Deleting SP1 uninstall directories

In the public newsgroup recently someone asked: I have 2 locations of what seem to be installation files for SP1 for our SBS 2003 server: c:\Windows\$NtService Pack Uninstall$ and c:\windows\Service Pack Files. Can they be deleted now? The update appears to have installed correctly. I need the space on that volume!

Our man on the spot in England (Steve Foster) had the clear, concise answer:

Yes, you can archive the $NtServicePackUninstall$ files off somewhere (these are only needed if you uninstall the service pack for any reason).

However, do not delete the ServicePackFiles folder, as it is needed since it acts as a supplementary install source for future system modifications (e.g. add RIS, Mac Services, etc.). You can safely set the folder to be compressed by NTFS, though (mind you, it probably won't compress much).

Posted: Sat, Jul 9 2005 21:48 by kwsupport | with 1 comment(s)