So I’m reading Dana’s blog and he’s ranting that SBS doesn’t allow ISA Server to “work” unless there are two network cards in the server. If you only have one network card, as you run the wizard it won’t set up ISA [or RRAS on the Standard SBS] as a firewall and you are dependent on an external hardware firewall. I’ll be the first to admit that I run at the office with two firewalls: my little non-beefy hardware firewall on the outside, nowhere near as capable as ISA Server, and THEN I run ISA Server. Why? For one thing I like to have two walls, one to thin out the log files, and then I want ISA Server. A firewall integrated with Active Directory, with so much logging that it makes my auditor background happy, and on a platform that I can patch with the push of a button. I can’t do that with my hardware firewall. And these days, with the Secunia web site throwing out as many firewall vulnerabilities as operating system ones, the idea that the software on a hardware box is more secure is silly, unless it’s, as someone said, a base OpenBSD install right after boot up when you have a command line prompt and nothing else. We add on the cutesy wutsey GUI to make people like me happy and you start introducing vulnerabilities.
The knowledge base article that talks about two network cards is here:
825763 – How to configure Internet access in Windows Small Business Server 2003: A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network adapter configuration connects a single network adapter to the local area network.
Then this KB clearly states:
323387 – How To Connect Your Company to the Internet by Using an ISA Firewall with Windows Server 2003:
Install the ISA Server
To install an ISA firewall, you need a computer with two network adapters. You must connect one of these adapters to your internal network and the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your internal network (or intranet) and the Internet by preventing outside users on the Internet from gaining access to the confidential information on your intranet or your computer.
Thus you need two network cards to enable the ISA firewall. Dana responds to my comments that any firm that is doing a virtual firm would want this setup. He may have a point, but I’ll refer back to the first time Dana posted into the community newsgroup and I was like “Dana Epp, THE security blogger Dana Epp? You aren’t the normal “SBS“ customer“. And believe me, I mean that in the MOST complimentary way. Dana is not the normal SBSer, and the wizards are built for the rest of the 99.99999999% of the marketplace. SBS is flexible, but this is where the Enterprise folks say they don’t like the wizards… because they force the “best“ practice or the “best“ balance. As I’ve blogged before, the wizards leave behind an audit trail. They do the heavy lifting for you. They want to help you make the best choices…. like…. two network cards.
Hmmmm… a virtual organization SBS network. Interesting…. we are certainly doing more and more things “virtually“ rather than physically these days. I know I’ve been collaborating with other folks from around the world and we certainly get a lot done without physically being in the same room. I think I’ll email Dana’s blog post to some folks that just might be interested in that.
Typing up the SBS news of the week and was on Microsoft’s just opened Small Business site and linked off to upcoming webcasts and found a couple of good ones!
Dr. J will be presenting TechNet Webcast: “Ask The IT Security Experts” Series: Preventing Network Hacking Level – 200 on September 21st and his webcasts are always entertaining AND informative. [I can never spell his last name right two times in a row, so it’s Dr. J]
Oooh Steve Riley will be presenting on XP sp2 on Thursday.. save me some popcorn for that one too!
Bottom line check out those webcasts. A TON of good stuff this month and don’t forget the MSDN webcast blog too to keep you up to date on what is coming up!
So I ordered a replacement for my SCSI harddrive and the item that arrived was ddy”f”-t36950 not ddy”s”-t36950. And then Ken and I are trying to confirm that it’s a 64 pin not an 80 pin. [Can you tell I’m a software gal not a hardware gal?] Finally we spot in little tiny writing 64P.
Bottom line, my poor server is sitting there with its sides all hanging open as I order the “right” drive. In addition to a source on the web, I ordered one from eBay. Knowing what you have, having spare parts around [and that’s my fault on that one], that’s what I don’t think we SBSers really do enough of. We want “true failover redundancy“ when all we really need is to ensure that we have the right part on the shelf. That’s another thing that I’ll be talking about at SMB Nation: how really easy it is to find out exactly what hardware you have, to ensure that you don’t get stuck.
Watch the tape backup log email that you get. Make sure it backs up. Test it every now and then.
I’ve given Jeff Middleton the task to build my next server. So why am I having one built rather than buying a Dell or an IBM or an HP? For one, I trust Jeff. Two, I’ve just had [knock wood] good luck and a good feeling about the parts in my servers. Adaptec controller cards. Intel. The players may be changing a bit these days, and some folks may argue that S-ATA drives are coming into play, but bottom line, when you have a part from a known manufacturer with “history” behind it, I just feel better about it, that’s all.
So anyone want a ddyf-t36950 drive?
BBC NEWS | Technology | Surf the net while surfing waves:
… and the sad thing is… my only complaint is that you can’t truly surf the ‘net and truly surf the waves at the same time …. but other than that ……
I can just hear the tech help desk now… “Help desk, do you have a problem?“
“Like wow man I just had a wipeout“
“You wiped your harddrive?“
“No man, like I came on this like gnarly pipeline at Banzai Beach but when I like ….. wiped out ….man… total wipeout “
“You have a BSOD?“
“No man, the waves, totally awesome, but just can’t get the right carve today, and keep mullering, can you help?“
“Uh, sir, we do computer tech support here.“
“Dude, you aren’t the surf support hotline?“
“Well here on the stick below this screen was your 800 number“
PC Magazine and other magazines came out with an article on the “vulnerability of the Security Center” and Larry Osterman has a post on the issue. My take is that it’s a risk analysis issue. What is worse? That a piece of malware is going to get in and overwrite the Security Center application, or that the person is still running the same Norton Antivirus definition files that came with the computer two years ago when the computer was new?
Yeah, we need to stop making people be local administrators, but you know what? The ENTIRE INDUSTRY hasn’t woken up to this issue yet. Least Privilege is HARD to do and it should be soooo much easier than it is now. Every single application developer should be reprimanded if they are writing an app today that will have an impact in the future and it is not “least privilege” aware.
We’ve taught our end users that they need absolute control of their box and haven’t given them enough training at all to be able to handle “RunAS” or “SuDo”. At the same time, I would not be as computer enabled as we are today if Windows 95 demanded that we RunAs.
I’ve said this before, I’ll say it again, what I consider to be acceptable risk today, will not be acceptable risk tomorrow. Someone said to me that they call end users “dear Muggles”. I think we do need to have a wizard, a protector, a defender behind every user.
The polluted Internet | The Register:
“People shouldn’t have to be computer experts to own a computer. But without a firewall, router, mega patches, anti-virus and anti-spyware, my auntie Fern has little hope.”
… sad but true…..
If you don’t know who Jim Allchin, VP at Microsoft is, you need to be introduced to him. There’s a reason why he has white hair. He makes a lot of the technical decisions about the operating system that most of us use around here. The blogosphere is a buzzing over the changes to Longhorn just announced.
Jim Allchin is on Channel 9 talking about it
Mary Jo Foley is blogging about it
Along with Joe Wilcox
Jim Allchin has been at the MVP summit and in front of the audience he’s made statements like “We screwed up”. One of the many reasons why I have a lot of trust in the man. He has the honesty to go in front of a group of people who are good at being blunt and honest and do likewise.
… so like when are we getting it? seems to be the big question in the newsgroup
[I just got an email on this as a matter of fact]
We need Windows 2003 SP1 to come out before we can get our wizardized ISA 2004, which will be included in Small Business Server Service Pack 1. If you want to put ISA 2004 on your server, remember that …..
a. You won’t have help from the newsgroups … I’m staying with what is official for our platform which is ISA 2000.
b. You will have to get help from the folks at ISAserver.org and trust me… sometimes those ISA guys are not exactly SBS friendly 🙂
c. You’ll have to buy the product outright and get the necessary cals if you want it NOW.
“Already know you that which you need“… Yoda
Stay with the force… patience, young padawan, patience.
ETA is 2005.
Ah …the lovely sound of God’s computer department telling me that “no, you are not going to do what you thought you were going to do, you are going to quickly arrange for a fast down time for swapping out a SCSI hard drive tomorrow that suddenly died today.“ The second drive of my RAID 5 array decided that today it would go into “DEAD” mode. So while the other two are “OPTIMAL”, the one is quite, irretrievably, dead. And because the drive is on an Adaptec RAID card, it nicely alerts you to this potential failure you have on your hands with a blood curdling screeching noise that about makes you go deaf.
So I was planning to migrate over to a new server and take this server and make it a member server a bit later in September [after SMB Nation]. God’s computer department just moved that time table up. I was spec’ing out servers anyway but it just puts a bit more urgency into the situation.
Oh well life in the computer age……
Check out the netstat -b command and how it can show you what executable is creating the connection and listening port. Oh what fun… we might be able to better see trojans and malware 🙂
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default.
-v When used in conjunction with -b, will display sequence of
components involved in creating the connection or listening
port for all executables.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.
This looks fun!
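To make the -b output actually useful for spotting something unexpected, here is an added example (my own, not from the post or from Microsoft) that parses XP-style “netstat -b -n -o” output and compares the listening sockets against an allowlist of the listeners a box is supposed to have. The sample output, the executable names and the allowlist are all constructed for the example; replace SAMPLE with the real output of the command.

```python
import re

# Constructed sample of XP-era "netstat -b -n -o" output: a connection line,
# then the component(s) that opened it, then the executable in [brackets].
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  RpcSs
  [svchost.exe]
  TCP    192.168.1.5:1038       10.0.0.2:80            ESTABLISHED     1520
  [iexplore.exe]
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2044
  [unknown.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    # One record per socket, with the component chain and owning executable.
    records, pending = [], []  # pending: sockets waiting for their [exe] line
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rec = {"proto": proto, "local": local, "foreign": foreign,
                   "state": state or "", "pid": int(pid), "exe": "", "components": []}
            records.append(rec)
            pending.append(rec)
        elif (e := EXE_RE.match(line)):
            for rec in pending:
                rec["exe"] = e.group(1)
            pending = []
        elif pending and line.strip():  # component lines such as "RpcSs"
            for rec in pending:
                rec["components"].append(line.strip())
    return records
# Constructed allowlist: the listeners this box is supposed to have.
EXPECTED = {("TCP", 135): "svchost.exe", ("UDP", 500): "lsass.exe"}
def unexpected_listeners(records, expected=EXPECTED):
    # Listening sockets not on the allowlist, or owned by a different executable.
    found = []
    for r in records:
        if r["state"] != "LISTENING" and r["proto"] != "UDP":
            continue  # established/outbound sockets are not listeners
        port = int(r["local"].rsplit(":", 1)[1])
        if expected.get((r["proto"], port)) != r["exe"]:
            found.append((r["proto"], port, r["exe"], r["pid"]))
    return found
```

Run it periodically and diff the result against the last run; a new listener, or a known port suddenly owned by a different executable, is the kind of change worth a look.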
Chris Quirke (new address) wrote:
Stop me if you’ve heard this one; consider this the formal heads-up!
This is a serious bug, as most affected users who install SP2 will assume
the system cannot be salvaged, and will wipe and rebuild from scratch.
Cari and I have both hit this issue, and found references to it elsewhere
in various forums etc. We know it affects some systems based on Intel’s
865 and 875 chipsets, which have been bulk products for a while now. We
suspect it only applies to Prescott generation processors.
Obviously I don’t have Prescott processors 🙂