Dear USA Today

I’d like to point out some problems with the study you did, in particular the claims about SBS 2003.

In your article you indicate that on an SBS 2003 box you had: “Mitnick and Ryan Russell, an independent security researcher and author of Hack Proofing Your Network, were contracted by Avantgarde to set up and carry out the experiment.

“To hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control.”

As a person who day in and day out is in the SBS newsgroups, this doesn’t happen.  We’re road kill out here.  We don’t have attackers specifically targeting our boxes, so the scenario you have described doesn’t happen.

The reality is we are more hurt by misconfigurations, weak passwords and what not.

You don’t give details as to whether this was an attack from the inside or remotely from the outside. Given that our file and printer sharing ports are closed from the outside, but obviously open and needed from the inside, I’m guessing {I could be wrong} that the firm has a Human Resources issue [how to fire someone, perhaps?] rather than a reason to worry about outside attackers.  However, since the article is unclear as to the technical detail of “finagle“, it’s hard to say from what location the attack was launched.

Could a specifically targeted attack get into our systems?  Ever seen Dr. Jesper Johansson  aka Dr. J, “hack” his way into a fully patched network?  I have no doubt that you can “finagle” yourself into ANY network given enough time, expertise and talent [and a dash of social engineering thrown in if the normal methods don’t work].

Reality is, folks, that Ryan Russell and Kevin Mitnick would not want to go after SBS boxes.  The reality is that spybots and malware are our issues. Stupid passwords and SMTP auth attacks.

Security is about Risk.  Ryan and Kevin are so NOT my risk factors. 

  • Stupidly misconfiguring my SBS box
  • Weak passwords
  • Not patching
  • No backup
  • Not paying attention to the risks of my desktops

Now THOSE are my risk factors.

{READ THIS FOLLOWUP – it was a stupid password that is our “finagle” vulnerability}

So Where EXACTLY is Jeff…and Wayne…. and Dean?

Sorry, he’ll have to add descriptions later… but for those of you wanting to know Where’s Jeff [besides in Melbourne for the Microsoft/HP/Trend SMB tour]?

He’s in these pictures

You know… I think I see some lycra in there…. what do you think?

As she wipes a tear from her eye

Sniff sniff… as I do my first “send to, as attachment” out of Excel via Outlook, I got my first sidebar box in Outlook that reminded me I’m on my new and improved SBS 2003 box now and we’re no longer in Kansas [meaning SBS 2000] anymore!

See that?  That sucker is asking me… do you want to automagically set up a SharePoint shared space?  Oooh, I’m getting gooseybumpies here.  You know about the document that says the best integration you get is with Office 2003 and SharePoint [and I would argue SBS 2003]?  Click on that link and see what I mean.

About shared attachments

When you send a file as a shared attachment, a Document Workspace site is created for the attachment in the Microsoft Windows SharePoint Services site that you specify. The Document Workspace carries the same name as the attached file.

Note: If you attach more than one file, the Document Workspace carries the name of the first file in the list of attachments.

Members of the Document Workspace

As the sender of the shared attachment, you become the administrator of the Document Workspace, and all the recipients become members of the Document Workspace, where they are members of the contributor site group.

Recipients can open the attachment, or they can follow the link that is added automatically to the message. The link goes to the home page of the Document Workspace, where a copy of the e-mail attachment is stored in the Shared Documents library.

Document updating

If the e-mail attachment is a document or Single File Web Page (MHTML) from Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, a document from Microsoft Office Visio 2003, or an XML file from Word or Excel, members of the Document Workspace can open and work on their own copy of the attachment while the Microsoft Office program that they’re using to edit the document periodically gets updates from the Document Workspace. Members can also save their changes to the Document Workspace copy.

Mondo kewl, huh!

Catch them in Lycra while you can!

You have two last chances to see Jeff Middleton, Wayne Small and Dean Calvert, live, in person, with or without the lycra, at the HP/Microsoft/Trend Micro SMB reseller summits down unda [note the pronunciation… it’s not under, it’s unda].


Wednesday 1st Dec 2004
Crown Towers, Melbourne
8 Whiteman Street
Southbank VIC 3006

Tuesday 7th Dec 2004
Brisbane Convention & Exhibition Centre
Cnr Merivale & Glenelg Streets
South Brisbane QLD 4101


Dean [aka AquaMan] will be talking about Systems Management. Systems management is essential to the reliable operation of a server. This session focuses primarily on the systems management tools available with the Windows Server System for day to day server, client and patch management, the HP Systems Insight Manager tool, and remote management capabilities through Remote Web Workplace and HP lights-out management solutions.


Jeff [aka Superman] will be talking on Windows Domain Migration. This unique technical solution can redefine your SMB business and server support model, even put an end to the “business shutdown” or “long-weekend server upgrade” approach to Windows Server and SBS upgrades. Direct shifts from NT 4.0 Server to Windows 2003 domains become possible, as does a clean server installation recovery of Active Directory, or salvage from a damaged solo Domain Controller or backup.  Swing Migration delivers a clean installed OS platform, with or without hardware replacement, and retains the same server name and same domain. ADMT is not required, there are no SID changes and no UNC namespace break, just a transparent server upgrade that includes the confidence of not impacting the workstations. This offers a documented process and keeps a customer’s domain in production; it even solves complicated Exchange-based organisations on a single domain controller, such as SBS operating as a file server as well. Your technician can work offsite, offline, on an open timeline and with nothing to undo if unexpected issues arise.

Wayne [aka Batman] is discussing Security and Mobility. A primary concern for most SMBs is the need to secure their business from viruses and SPAM and to protect their business-critical data. This session demonstrates the methods and practices used in securing a Small Business Server, introduces the HP dedicated ISA Firewall VPN Cache Server and covers vulnerability management.  Microsoft Exchange Server 2003 and Small Business Server 2003 are equipped to allow your customers to access their email, calendar, contacts, internet and line-of-business applications from virtually anywhere on a range of devices. This session examines how to build a services revenue stream for business around mobility, demonstrates how to configure and manage mobile access and solutions, and looks at the mobile technologies available today and in the near future from HP, and the offers for your customers in market.

If I were you I’d hop on the nearest transportation and get there! 


So if the Air Force can get this, why can’t you?

Couple of stories today on the Air Force making a deal to get a “special security tweaked” version of XP.  And the TaoSecurity blog asks, “Will Microsoft sell this “special version” elsewhere, and if so, is the Air Force the guinea pig paying to develop this version?”

Uh..sir… all the information YOU need to have this version is in this guide.  But here’s the catch.  The special version that works for the Air Force MAY NOT work for you.  In fact, YOU may be able to tweak and tune more securely than they can.

I’d probably guess they have a lot of legacy apps and interoperability they have to deal with, so I’m going to go out on a limb and say that I just “might” be able to tweak down tighter than the Air Force can. I could be wrong.

The bottom line, folks… we’ve got the tools and information right NOW today to do exactly what the Air Force is getting.

Read the… um… manual, folks.  It takes a really good understanding of your network, not a deal with Microsoft, to be secure.

And while you are at it… read the Threats and Countermeasures guide and the 2k3 security guide.

The perfect gift for Christmas

Want to give the perfect gift for Christmas?  XP sp2 that’s what.  So what are you missing out on if you don’t have SP2?

While Windows 98 will have critical patches released until June of 2006, the fact that you have to lower the security in your network to accommodate those machines is unacceptable to me.  Remember, you are only as strong as your weakest link.

For those folks that say “I have apps whose vendors won’t support XP SP2”, to that I say, let me know who those vendors are.  Your vendors should not be the ones setting your security policy.

And Jethro?  Dude!  Get up to SP2 as fast as you can!  The people that I’m trying to jump up and down and get on XP SP2 are probably wheezing on Windows 95 and 98.  It almost sounds like you are already on XP SP1?  If so, what in the WORLD are you waiting for?  Granted, I think that XP SP2 without a server to control the features is like driving a fast car in second gear the whole way, and I would argue that if you have 6 XP computers… dear… come on up to the pleasure us control freaks can get with group policy and XP SP2, and join us with a Windows 2003 server, or better yet an SBS 2003 server, to control those 6 machines!  Okay, so maybe I’m a major control freak, but knowing that I can remotely patch, touch and control all my workstations just makes my day.

The only pain I had in upgrading to SP2 was two workstations that had digital video cards from Nvidia.  That’s Nvidia, not Windows, at fault.  All of my other machines had no issues.  What’s cool now is that I have firewalls on my desktops that I control from my server.  I’ve limited the attack surfaces of both my server and my desktops.  Now once I kick my workstations down to user mode… that’s “my” Christmas present to myself… I’ll be in an even better position to protect and defend all over the place.

Jethro… it’s not painful.  Not when you’ve made sure your machines are clean of spybot gunk like Charlie said.  And once it’s done you can rest snug as a bug knowing that your machines have the best protection around.

If I never post back to the blog, tell my Sister I’m stuck in the attic

We’re putting up the Bradley Christmas tree and this normally includes one of us [normally me] crawling on my knees in the attic to pull out the Christmas ornaments.  The good news is this year we found the spare tiny light bulbs… the huge bag of tiny light bulbs… that is as big as it is because every year we can’t find the bag of spare tiny light bulbs until about December 26th and we buy more each year. All bulbs worked this year [we leave the light strings on the tree], so it’s fitting we found the bag when we don’t need it.  We’ll probably forget where we’re going to store it this Christmas season in case we need it, so we’ll probably end up with more light bulbs after we go to the store and buy more because neither one of us will remember where we stuck the bag.

When I was a little girl we had a mondo kewl Christmas tree.  Aluminum tree with the color glo wheel.  Now THAT was a Christmas tree.  None of this warm, cozy Christmas tree stuff, this was George Jetson’s tree embodied.  To see how much it costs now… just don’t tell my Dad, who probably sent it off to the Salvation Army years ago, how much they are selling for now.  But we didn’t have a hardwood… nah… our tree was 100% metal.  One day Mom was vacuuming the living room and had to yell “timber” as she sent the tree tumbling over.

Okay enough of a break… time to crawl back in and drag out the rest of the ornaments.

P.S.  You don’t have to call my Sister.. I made it out.  🙂

Mouse potatoes – check out the resources here

If you are into learning online you might want to check out some of the resources and links for info.

First off are the full video webcasts or seminars that can be found here at the Microsoft online seminars.  Click around and take a look.  Some great topics out there.

Then there are the Office Live Meeting style of webcasts which can be searched [sort of, anyway] through here.  It’s really not clear, but if you uncheck everything except “on-demand” it appears to search old webcasts.  I’m checking to see if there’s an easier way.

Then there are the chats [through the new interface that doesn’t need funky ports opened up]. 

Then there are e-courses that you can take online.  Michael Howard refers to several of the Security Dev courses here.

A couple of other sites have great security online seminars.  Blackhat for one has online presentations.  Defcon has online stuff as well [check out their “see it“ and “hear it“ sections].

Last but not least Jerry has a long list of excellent resources.

I know that I even will fire up an archived webcast and stick the video over on my second monitor and listen in while multi-tasking.  It’s a great way to at least keep up to date on the buzz words 🙂

If you run an SBS user group, we’re starting to do Office Live Meeting presentations to groups amongst ourselves.  It’s really cool.  All it takes is a phone, a high speed connection and an Office Live Meeting account, and we’ve had presentations where I’m in Florida, Roger and 25 other people are in San Diego and another presenter is in Redmond.  I’ve used the technology as well to have presenters talk to my CalCPA tech groups.

Think about remote presenting to your clients as well.  Nothin’ sells SBS more than showing what it can do.

P.S. Forgot one more source for Webcasts… the MSDN ones.

Coming to a bookstore near you next year

So in addition to putting in the server over the Thanksgiving weekend I was also reading a few more chapters in that future Security book that I’ve mentioned earlier in my blog that I’m giving feedback on.  [No, I wouldn’t even dare to call it editing]  I keep feeling like Michelangelo and Leonardo DaVinci are asking me “so what do you think?” and I’m like standing there going… “Mike, Leo, guys, it looks really good but can you just change a few things here and there?”

Keep a look out for it next year from Addison Wesley.  It’s about protecting your network, but it’s way way way more than just RJ45 and tcp/ip packets.  It’s the whole shebang from the bits and bytes to the people layer — you know — the really hard stuff to secure.  What’s cool about it is that already it’s made me stop and think on how I’ve set up my new network.  I didn’t turn off SMB signing like I would have normally just knee-jerk done.  I disabled nolmhash because I knew I had no Win9x machines in my network.  I so totally winced when I had to get my scanner/copier/printer set up again and realized that the FTP service was not enabled on my server and had to stick in the CD-ROM and enable it, because I realized I was increasing my “attack surface“.  It’s already made me stop and think.  In fact, as soon as I reincarnate my old server as a member server, I’m moving the FTP to that one.  Granted, I’ll still have FTP inside my network enabled, but it won’t be on the “everything on it including the kitchen sink“ domain controller.
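As an added example (not code from the post or from the book it describes), here is a small Python audit of a registry export for the three settings weighed above: NoLMHash, SMB signing and the FTP service. The registry keys and value names are the standard Windows XP/2003 locations for those settings; the .reg text is constructed for the example.

```python
"""Audit a Windows registry export (.reg) for the hardening settings the post
weighs: LM hash storage, SMB signing and the FTP service. Real .reg exports
are UTF-16; decode them before passing the text in."""
import re
from typing import Dict, List, Tuple

# Each check: (registry key, value name, expected DWORD, description).
# Keys and value names are the Windows XP/2003 locations for these settings.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "NoLMHash", 1, "LM hashes not stored (only Win9x clients need them)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature", 1, "server requires SMB signing"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature", 1, "client requires SMB signing"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC",
     "Start", 4, "IIS FTP service disabled (4 = Disabled, 2 = Automatic)"),
]

def parse_reg(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key, value_name): dword} for the DWORD values in a .reg export."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # a new [HKEY_...] section starts
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text: str) -> List[Tuple[str, str]]:
    """Return (description, status) pairs; status is 'ok', 'FAIL' or 'missing'."""
    values = parse_reg(text)
    results = []
    for key, name, expected, desc in CHECKS:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            status = "missing"  # value absent, so the Windows default applies
        elif actual == expected:
            status = "ok"
        else:
            status = "FAIL"
        results.append((desc, status))
    return results

# Constructed sample export: a DC that still has the FTP service set to Automatic.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC]
"Start"=dword:00000002
"""
```

Calling audit(SAMPLE_REG) gives four verdicts: on the sample the FTP check fails and the workstation signing value is reported missing, which is the cue to check what the default resolves to.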

Reading the chapters has made me realize that my “eagerness to please and enable” introduces insecurity in my network.  In the newsgroup yesterday, [a] Andrew put forth a document that he wants to give to owners to make them realize that having their employees install software is not a wise move.  Javier made an excellent point that at one point in time he used to think the IT admin that locked down everything was a jerk, and now he’s realizing that that person was just trying to protect his network and is doing the right thing.  SuperG makes the point that your employees’ computers are not “their computers“ even though the icon says “My computer“.

So I guess you probably want to know who the two authors are that are writing the book you should put on your “this is a book you must have in the future” list?  One is Jesper Johansson [whom I call Dr. J because I can never remember if it’s one n or two and one s or two without double checking] and the other is Steve Riley.  It’s been interesting how many times I’ve seen people mention stuff they’ve learned from their sessions as they’ve traveled the globe giving security summits.  And the funny thing is that I’ve read comments on listservs as varied as a Florida CPA geek listserv, my SBS listservs, blogs and web sites.  I keep joking they need to patent or trademark their jokes because I keep seeing them repeated elsewhere.

Put it on your wish list.  It’s a must get/must read in my opinion.

“Hey, Mike, the Chapel looks great but can you make the figures a little skinnier… and Leo… put a bit more smile on the girl will ya?”

[a] please note if you click on those links your default newsreader will launch you to the sbs2k3 newsgroup

The RSS feed is connected to the Sharepoint that is connected to the customer that is connected to..

Tim Barrett posted in the comment section a really kewl idea that I just had to pull up to the front blog.

Here’s the idea. 

  • You, the IT pro, do a blog [ is free] of tips, tricks, announcements and happenings of interest to your customer.

  • You set up a SharePoint feed reader on your client’s SharePoint that sucks in RSS feeds.

  • You subscribe your client to your feed.

  • Your client now gets announcements from you, not spam filtered, not stopped by email issues.

  • Your client now has a direct communication link from you.

So what do you need to accomplish this?  Most of the ingredients you already have, or they are to be had for free.

Remember if the client is behind ISA you will need to add proxy info:

There are two ways you can use this web part within your proxy server. The first is to set your proxy configuration in the Portal’s web.config file:

      <proxy proxyaddress="server:port" bypassonlocal="true" />

The second option is to configure the proxy server settings on the web part. In SHARED VIEW, the proxy server/port settings are enabled for you to enter them.
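Added example, not part of the post or of the web part’s documentation: a few lines of Python that read a proxy element like the one above and apply .NET’s bypass-on-local rule (a host name with no dots is treated as local) to decide which feed URLs would go out through the ISA proxy. The nesting of the element under system.net/defaultProxy, the proxy address and the feed URLs are assumptions constructed for the example.

```python
"""Work out which feeds the SharePoint feed reader would fetch through the
ISA proxy, given a <proxy> element like the one above and .NET's
bypass-on-local rule (a host name with no dots is treated as local)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from typing import Optional, Tuple

# Constructed web.config fragment. Nesting it under system.net/defaultProxy is
# where .NET reads the default proxy from (assumption; the post shows the
# <proxy> line only).
WEB_CONFIG = """<configuration>
  <system.net>
    <defaultProxy>
      <proxy proxyaddress="http://isa:8080" bypassonlocal="true" />
    </defaultProxy>
  </system.net>
</configuration>
"""

def load_proxy(config_xml: str) -> Tuple[Optional[str], bool]:
    """Return (proxy address, bypass-on-local flag) from web.config text."""
    proxy = ET.fromstring(config_xml).find(".//proxy")
    if proxy is None:
        return None, False
    return (proxy.get("proxyaddress"),
            proxy.get("bypassonlocal", "false").lower() == "true")

def is_local(host: str) -> bool:
    """Loopback or a bare (dot-less) host name counts as local."""
    return host in ("localhost", "127.0.0.1") or "." not in host

def route(feed_url: str, config_xml: str = WEB_CONFIG) -> Optional[str]:
    """Return the proxy to use for feed_url, or None for a direct request."""
    proxy, bypass_local = load_proxy(config_xml)
    host = (urlparse(feed_url).hostname or "").lower()
    if proxy is None or (bypass_local and is_local(host)):
        return None
    return proxy

# Constructed feed list: the IT pro's public blog and the SBS intranet
# (companyweb) announcements list.
FEEDS = [
    "http://blogs.example.com/itpro/rss.aspx",
    "http://companyweb/Lists/Announcements/rss.aspx",
]

if __name__ == "__main__":
    for url in FEEDS:
        print(url, "->", route(url) or "direct")
```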

And Nick found the command that adds the web part to your SharePoint, but I also stuck the batch file here:

"C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\STSADM.EXE" -o addwppack -filename "C:\Program Files\Smiling Goat\FeedReader\" -globalinstall -force

Nick also sent me his FrontPage part that can be used to easily import [and it still has his firm name on it :-)].  I’ll ping him to double check to see if I’ve forgotten anything.  I know he had to walk me through a few steps… the main one being that batch file he did for me. [Still needs to be easier for us non-coder/admin types, in my opinion.]

Anne also has a service where she sets up business blogs for folks, gives the person a tutorial on how they work, etc., if you still aren’t convinced that blogs are a business tool.  It’s a relatively inexpensive way to get a leg up on how the process of “blogging” works.

It’s funny because for a while, when Anne and I would go nutcase over blogs, some of our geek counterparts were rolling their eyes. There are even some saying that if you don’t have RSS, they just don’t listen to you.

So check out adding RSS to your client’s Sharepoint!