Today is the second part of our interview series.  We talk with Samantha, the SBS 2003 client workstation today about her year in review

Q.  Good morning Samantha!  I see you are having your morning Mountain Dew!

A.  Well, yes, I’m just not a coffee drinker like the rest of you guys.

Q.  Well let’s get started, shall we?  Yesterday we talked with Sam the SBS 2003 server about his year, let’s talk about your year?

A. Ok!

Q.  Let’s cut right to the chase and ask you about what’s been on everyone’s list these days of issues – malware.  How was it this year?

A.  You and I both know it was pretty bad this year.  For my end users that were smart, surfed safely, and stayed in a position where they didn’t have full control of me and instead let Sam the SBS 2003 server control much of the details, they were pretty good.  For my end users that downloaded anything, clicked on anything and opened up email attachments willy nilly, they had some issues.

Q.  I hear though, you do have some protection that came out in August of this year, some third party addons to help and there is even more new products and plug ins coming to help out even more.

A.  That’s true.  First off I have Outlook 2003 for my end users [again, thanks to Sam the SBS 2003 server that licenses all my end users for that] there are some built in protections that I have.  For example, in Outlook if you leave on cached exchange mode which Sam automatically sets for me, I have junk filtering, I block nasty attachments, and I block photos from being automatically viewed.

Q.  That’s sounds pretty good.

A.  Yes it is.  Then if Sam the SBS 2003 server has Trend Micro Antivirus installed [and this is just one example, many of the vendors do this], there’s a malware addon that you can enable that helps to protect me. 

Q.  So let’s talk about what happened in August of this year, I hear you got a major update?

A.  Yes I did, a big new service pack for XP sp2.  Let me really stress to the listeners how much better I work when I have XP sp2 and Office 2003 with Sam the SBS 2003 server.  I really hook in really well with Sharepoint when I have Office 2003.  And with XP sp2 and Sam the SBS 2003, I really protect my workstations from willy nilly talking to one another.

Q.  I heard one of the Microsoft speakers talk about this, Steve Riley, I think?

A.  Yes, he’s writing a book that will include dicussion of this concept, that workstations shouldn’t just “talk to one another” that they should only talk to the server and thus they are better protected from things like blaster, sql slammer and what not.

Q.  Do you know what the book title is?

A.  Oh yes, it’s called Protecting your Windows Network and it will be out in 2005 from Addison Wesley.

Q.  Cool.  But let’s go back to that malware issue because I hear it was pretty bad. 

A.  Oh sure thing!  I agree it’s a huge issue and even my maker in Redmond knows and they bought a anti-spyware company and will be bringing out a public beta of this very very soon.  Also speaking of betas, I’ve been trying out the Windows Update Services beta and that is looking really nice.  I’m really looking forward to relying more and more on Sam the SBS 2003 server for lots more protection.

Q.  Yes, Sam mentioned that, that can you expand?

A.  Absolutely, as I said right now I run with my end users in a pretty trusting way, but Sam and I have been talking and for some of our setups, where the consultant, the VAR/VAP has sat down with the owner and talked about this, we’re going to run a bit more securely this year and take away those administrator rights on for my end users.

Q.  That’s sounds pretty cool.  Is this something all firms will be doing?

A.  It’s in the long term plans for all systems actually.  Some firms can do this now, and there’s honestly some firms that don’t see this as an issue.  But what’s cool about the relationship that Sam and I have, is that we’re pretty flexible and can set things up just about any way the owner wants us to go.  The biggest issue is not with the Microsoft applications running in this user mode, it’s the third party stuff.  Like the firewalls we’re running here, he and I can and do roll things out faster than bigger firms.

Q.  Wow, that’s great to know that you guys are so agile.  But, I hear it’s a pain to get those programs to run in user mode.

A. Yes it is, we have some tools like filemon, regmon, incontrol5, and a new chapter in Harry’s book coming to talk on this, and I honestly do think that more companies are beginning to realize the value of doing this, but it will take time.  Right now we’ve got a lot of people asking how to do this for Quickbooks, an accounting program.

Q.  So what I’m hearing from you is that letting Sam the SBS 2003 server be in control is really key to having a secure system.

A.  Yes, being under Sam’s protection, in a domain where I am, really helps me stay safe and secure.  It’s really been obvious that the more I let him protect me for, the better off I am.

Q.  That’s really good to know.  So we’re about out of time, any final words to our listeners today?

A.  Yes, remember that you really want to buy XP Professional version, retire all older version because I really work the best when all my end users are on the same platform.  If you have any questions at all about licensing and what not, I have some really smart people looking out for me that are on the Mssmallbiz site and listserve. If fact all of my support communities are pretty amazing.

Q.  We’ve heard that they are pretty special online places.

A.  Indeed!  I’d like to wish everyone a very Happy New Year and an invite to everyone to join Sam and me in the SBS communities!  From Nick’s to the Magical M&M’s, to yahoogroups that Sam mentioned yesterday, to the newsgroups, in fact, before I forget it I want to say a HUGE thank you to the original gentleman who really started the community feeling and to this day really sets the tone for the communities out here.

Q.  Is that Grey Lancaster that I’ve heard mentioned?

A.  Yes it is, he has a real “southern gentleman” way about him and he really makes sure that the communities of SBS are kind and helpful.  He’s pretty amazing.

Q.  Well we’re out of time Samantha, the SBS 2003 client workstation, it’s been great talking with you!

A.  Same here!

[Like I said, a little too much Dew for Susan]

[tomorrow we will interview Samantha the SBS workstation, but today we sit down one on one with Sam the SBS box to ask him how his year was]

Q.  So Sam, overall, how was 2004 for you?

A.  Pretty good, all in all.  I’ve added a lot more relatives to the SBS family and community this year, a lot of brand new faces, blogs, it’s been really fun to see a lot of new family members in SBSland.

Q.  Give us some highlights of the year, if you will?

A.  Sure thing, we started out the year on a solid footing with the release of Harry Brelsford’s SBS 2003 best practices book and we’ve been building momentum ever since.  It’s been really cool to see the increase in people in the 2003 newsgroups, in the yahoogroups – both the technical ones, the business ones and our new general small business one.

Q.  Any event in particular stand out in your mind?

A.  Oh yeah, couple of things that I was proud to be a part of.  First off we had the second year of the SMBnation conference in September and this time we had it in the place I was born, so that was a real treat for me.  Next Microsoft started a new community surrounding the small business space and that really took off with a bang which was really cool to see.  The Mssmallbiz web site, listserve and now blog really took off great.  I was proud to be associated in some small way with that effort. 

Q.  That’s really cool!  Now we have to ask the tough questions, okay?  One of the big issues we have today in technology is in Security.  Let’s be honest, here.  Weren’t you in the news recently about some security issues you had?

A.  You read that USA Today article too, huh?

Q.  Well, yeah.  Want to comment on that?

A.  Absolutely!  I’d love to tell my side of the story more often. Honestly, that was a really dumb test they did.  What they should have tested was Windows 2003 server, instead they tested me.  And I kept yelling at them that I wanted a strong password or passphrase, that I did not want to be sitting on the internet exposed without a firewall but they refused it listen to me every step of the way.  I mean talk about frustrating for me, when I was trying to get them to listen to the right way to set things up and they didn’t!

Q.  You mean they purposely set you up insecurely?

A.  Yes they did.  They wanted to prove the point that being on the web you need a firewall.  Geeze, I kept telling them that all along the way, but they refused to listen.  They did say that once they picked a secure password that I did stay on the web and didn’t get hurt.  Given that I was set up without my normal protection in place, I’d say I did pretty good given that no one should be out playing on the Internet without the right protection.  But it really does showcase the one place where my owners and end users need to help me out.  Choosing proper passwords.   In fact, this year I can honestly say that I “could” have not gotten any security patches throughout the year and I’d still be able to be in very fine shape at the end of the year.  What really was my soft spot this year was what spammers were trying to do to me. 

Q.  Spammers?  What do you mean?  Can you elaborate?

A.  Oh sure!  First off they tried to guess my passwords so they could authenticate on my mail system. This is called an SMTP auth attack in my biz.  If one of my owners or end users uses a dumb password, it makes me susceptible to password guessing.  This is one reason why it’s important for my owners and admins to review my audit log files.  This is one major advantage that I have over my older SBS 2000 relative, I natively do auditing, whereas my relative, you have to turn it on in his system, he doesn’t do it automatically like I do.

Q.  That’s a good feature to have turned on.

A.  Yes it is, I’d really recommend it to anyone still running SBS 2000 to enable it on their systems.

Q.  What other issues did you face?

A.  My other big issue regarding email is something called NDR attacks.  This is where a spammer tries to trick me into sending spam mail.  Javier, and Les, two really cool SBS MVPs that I know typed up some instructions to help people deal with these two issues.

Q.  Wow, that’s kinda scary.  What other issues did you face?

A.  Well obviously, I wasn’t hurt like Samantha [that’s my SBS client workstation] was surfing the web because I have two things going for me. 

Q.  What’s that?

A.  Well for one, I have a special protection on my Internet Explorer to block active X scripting.  You see some really smart guys looked at me while I was being built and tried to imagine all the bad things that people would try to do to me and the last thing they thought of was that my owner and admin would be really stupid and want to surf the Internet from me.  Then I have a smart owner that doesn’t use me as a workstation and treats me like a server, so that really helps out.

Q.  Why would an owner do that?

A.  Sometimes they don’t realize that my main job is to do work for them and not be used as a workstation.  Fortunately there’s this IE lockdown that is in place that protects me a lot.

Q.  That’s good to know.

A.  Yup, pretty much as long as you let me do what I am supposed to do, I really was not hurt by Malware like Samantha was this year.

Q.  Yup, I’ll be talking with Samantha about her year tomorrow, I hear she got beat up a bit.

A.  Yeah, we’ve been talking about some ways that she and I can work closer together and do something called group policy to help her.  All in all, I had a very good year from a security standpoint, and now we’re going to see if we can do more to strengthen her as well.  She did, though get a big boost from XP sp2 and the firewall she’s running now inside the network and there are some anti spyware tools that our birth place just bought to help out.

Q.  Sounds pretty promising.  Well we’re just about out of time Sam, any more thoughts before we end this interview?

A.  Well I’d like to point out a few last things, first off, don’t forget about the “Oh, Canada!“ event that kicks the year off in grand style up in Toronto on January 11th.  Also, everyone should look forward to the SBS 2003 Advanced book coming out soon from Harry Brelsford.  I’m also hoping that this year we really put more emphasis on Sharepoint, taking that to the next level.  Look also for a new service pack in the new year.

Q.  A new service pack?

A.  Yeah, I’ll be retiring ISA 2000 and adding a new member to the SBS family, called ISA 2004 and rolling up some other fixes and what not.  In fact, let me remind our listeners that there will be an week long ISA 2004 webcast series to get people ready. 

Q.  That’s really cool.  Thanks for taking time out of your server duties, Sam, to talk to us about your year.

A.  My pleasure.  Back to work!

[okay so maybe a little too much Egg Nog and Mountain Dew for Susan today]

Windows NT 4.0 Server, operating system, died, Friday, December 31, 2004 in Redmond, Washington.

Born 1996 in Redmond, Washington, he was the son of Windows NT 3.1 and Dave Cutler.

Windows NT 4.0 server worked for many years in many corporate offices and was for many years a beloved member of many firms.

He is survived by two sons, Windows 2000 Server and Windows 2003 Server, both of Redmond, and five cousins, Windows 2000 workstation, Windows XP Professional, Windows XP Home, Windows Tablet PC edition and Windows XP Media Center edition.  He was predeceased by his nephews Windows NT workstation, and Windows 95.  Currently another close relative, Windows 98 is on life support but the Doctors indicate has a few more years left.

Private visitation will be in Redmond.

A Christian burial will be celebrated at midnight [your local time zone] on December 31, 2004.

Windows NT 4.0 server had been in failing health but finally succumbed to the dreaded final “Blue Screen of Death”.

May you rest in peace.

If you’ve been seeing some of the tech news, you’ll know that a group overseas called Xfocus published some details of Internet Explorer vulnerabilties on the web right before Christmas.  And while the press can say [clearing their throats] “Microsoft hasn’t responded”, I can say that every time I sent in an email to the Secure alias [secure – at –] I got a response back.  They know and are “responding“ in their own quiet way when such things occur.

But in the meantime some general rules to keep safe until a patch is released:

  • Begin to push for running in lesser “rights“ on the desktop.  This isn’t easy at all, but it’s something that we all need to push our app vendors to do natively in 2005.  I don’t expect you guys to do this right away, but start thinking about preparing your end users and clients to not being able to download and install just willy-nilly.

  • Ensure that you always use up to date antivirus

  • Only surf where you know you’ll be safe [I know…this one is kinda dumb as there have been reports of “good sites“ that don’t keep themselves up to date on patches getting turned into “bad sites“ – but just try to be AWARE]

  • Block all unnecessary email attachments.  Whether you use the native to SBS Exchange attachment blocker or Trend’s blocker, PICK ONE and don’t even let this stuff get in your network.

  • Consider running IE with High security turned on, and only place those web sites into “trusted“ zones that you need fully functional for business purposes.

  • While you can use alternative browsers like Firefox, Mozilla, I’d still recommend that you not “install and forget it“.  Mozilla today just released a new patch for a security issue it had.  Remember that Windows update does not patch Firefox, Mozilla, so you are on your own.  The default for Firefox is to check every 7 days [apparently as I’m guessing from the about:config that I’m looking at.  Brian Livingston has a great primer on Firefox that he had to dig up from their web site and other locations.

  • Just in general be aware.  If an email sounds too good to be true, or is trying to sound like the sky is falling, check it out on the web site.


P.S.  Next time guys, send an email to the secure alias and work with them for a patch FIRST?  Don’t just disclose this stuff and then contact Microsoft?  Be part of the solution, not part of the problem.

Date: January 11, 2005
Time: 6:30 – 8:30 PM
Location: Microsoft Canada – Mississauga

OK Toronto and area SBSers! The first meeting of the year for the Toronto
Windows Server User Group (TWSUG) – and it is all SBS. And look a the
drawing cards we have for the event!

Session 1 – Migrating Windows Domains using Swing Migration
Presenter: Jeff Middleton – US Microsoft MVP for SBS 2003

Session 2 – Windows Small Business Server – A Year in Review
Presenter: Harry Brelsford – Author and US Microsoft MVP for SBS 2003

Event information here…

Jeff is just back from his 5 week presentation tour through Australia – with
resounding great response all the way. You want to know about his Swing
migration? Waiting to finally move up to SBS2k3? Here is an opportunity to
see, hear and ask those “what if?” questions about the process. Here is
Jeff’s web site…

Harry is in Toronto the same day with his own One-Day Workshop in Windows
Small Business Server 2003 – Strategies to build your SBS consulting
practice; How to integrate SBS with Office 2003; Technical tips and tricks
to extend SBS. Harry has graciously accepted an invitation to present at our
evening session. Check out Harry’s event here…

But wait – there is more!

We are up to a count of 9 SBS MVP’s that will be on site that evening! A
wonderful opportunity to meet the anchors of so many community resources you
depend upon. We want this to be your chance to ask questions, and share your
own hard earned knowledge with your Peers.

TWSUG membership is NOT required to attend. There is NO charge to attend.

Please – tell others about the event. We want this to be the start of a
really great year!

When we were little kids we were told by our parents to “don’t run with you have sharp objects in your hands” … like..scissors.  So remember my rant how I don’t trust any browser?  I want to revisit that a bit again tonight.  Active controls in a web browser are, I think, like “running with scissors”.  Why?  Because what I said before that they rely on me trusting too much.  While the whole concept of “active content” means great things have happened in the Internet space, it also means that the very way we have let our applications get away with being coded as horrifically as they are and haven’t really noticed how bad they are is contributing to the malware/spyware and other gunk we now have to deal with. 

While one could argue that Active X is worse than Darth Vadar, worse than ….oh I don’t know…. worse than offering me fresh fish [I really hate sushi…I“m really sorry… it’s chicken or beef for me], the fact is the real threat is there because Active X only plays in whatever “rights” you have on that system.  Run in user mode and Active X isn’t the issue we’re all running from.  Run like we’re all used to with full rights to every single registry key on that box and Active X starts making us start thinking of a tall guy in a dark plastic suit that is a heavy breather.  Active X is the bad guy it is because we’re running with scissors around here.  It can’t be sandboxed from the user rights we have.  Thus as long as we go “la di da ing“ through life accepting that my business applications, ones that I just bought during the 4th quarter of 2004, many of them still think they live in a Win98 world are just wonderful, we’re going to be stuck in the mess we’re in.

Tonight I was running some tests on one of my lovely applications that are not “Designed for Windows XP” but yet we all happily load it and run it on our XP systems.  Once in particular …well lets just say that I knew it was coded pretty poorly and now I’m certain more than ever that Vendors really need to step up to the plate more on securely coding these applications.

Now I’m not a coder by any means.  The last coding I did [other than a quick batch file here and there] was the misguided attempt to have beancounters learn cobol.  But it didn’t take a degree in computer science or a slew of certifications to take one look at what that testing program was trying to tell me.  That application of mine, the one that I put firm’s financial data in, looked to this untrained eye to probably make someone like Michael Howard  or Howard LeBlanc fall over in apoplexy.

In the document “Designed for Windows XP“ logo certification, the documents are pretty clear.  Support user mode and you get that certification.  So why the heck are we not beating up on vendors that DO NOT get certified on it and not giving awards for those vendors that DO get certified. 

As I’m typing this up I have an idea.  My term as Chairman of the Technology Committee of California CPA Society expires in May.  Perhaps one of my final duties can be to set up an “award” to the accounting application that meets security criteria.  Hmm…. I’ll bring it up at the next meeting. Or perhaps my AICPA geek group, CITPers can also do that?

I’ll showcase some of the vendors who ARE coding for least priviledge

Keep in mind that Peachtree 2003 is “compatible with XP“ and thus doesn’t meet the guidance.  Notice there is one major application missing that isn’t in the “designed for Windows XP“ logo program at all. 

Amazing isn’t it?  We run our daily business in an application that is not “designed for Windows XP“

That in this day and age we can accept The user doesn’t have sufficient permissions with the Windows user login. Users must have full Admin or Power User permissions that permit them to write to the Windows registry. “ as being acceptable from an accounting application…   shouldn’t we as CPAs, as fididuciaries of our client’s records demand better than this?

Pssst you can’t “intuit-itively“ figure out the app?

The designed for Windows XP logo includes this as a criteria

3.4     Support running as a Limited User

Applications must not require users to have unrestricted access (for example, Administrator privileges) to make changes to system or other files and settings. In other words, the application must function properly in a secure Windows environment. Complying with the previous requirements in this section will help to ensure that the application meets this requirement.

An application that does not install (executes without installing any components) must still support use by a Limited User.

A secure Windows environment is defined as the environment exposed to a Limited (non-Administrator) user by default on a clean-installed NTFS system. In this environment, users can only write to these specific locations on a local computer:
[Note 1]

·         Their own portions of the registry (HKEY_CURRENT_USER)
[Note 2]

·         Their own user profile directories (CSIDL_PROFILE)

·         A Shared Documents location (CSIDL_COMMON_DOCUMENTS) [Note 3]

·         A folder that the user creates from the system drive root

However, applications defaulting to use of these folders do not comply with the other requirements of this section.


Users can also write to subkeys and subdirectories of these locations. For example, users can write to CSIDL_PERSONAL (My Documents) because it is a subdirectory of CSIDL_PROFILE. Users have read-only access to the rest of the system.


[1] Applications can modify the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA. This may provide an additional location to which users can write for a given application.

Any modification of the default security for an application-specific subdirectory of CSIDL_COMMON_APPDATA must be documented when submitting your application.

[2] Users cannot write to the following subsections of HKCU:




[3] By default, users cannot write to other users’ shared documents; they can only read other users’ shared documents. Applications can modify this default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS.

Any modification of the default security on an application-specific subdirectory of CSIDL_COMMON_DOCUMENTS must be documented when submitting your application.

This requirement does not apply to all features.

When the major features of the application can be successfully run by a non-privileged user, minor features are allowed to fail gracefully. These minor features must not be installed by any default mechanism (for example, a minimal or typical install) other than a complete install and must not be considered important for the operation of the program. Examples of such minor features include components necessary to support legacy file formats.

Limited Users cannot perform several system administration functions such as disk defragmentation, backup/restore, changing system time, and so on. When most of the primary functionality of an application is system administration, the application must still run from a Limited User account and inform the user why none of the features can be used.

For any feature that a limited user cannot use, when submitting your application you must document what objects need to be opened for that feature to work, such as file system, registry keys, and so on.

When a limited user can’t use a feature, the application must degrade gracefully.

Test Cases – 3.4

As defined in “Designed for Microsoft Windows XP” Application Test Framework:

TC3.4              Does application support running as User1, a Limited User?



To the poster in the newsgroup who said “I wish they wouldn’t keep it a secret” that XP Home [s] cannot join a domain.

Let’s blog this up a bit so it’s more googlable shall we?

XP HOME platform are for “Homes, houses, condos, apartments, shacks, shantys, leantos, outhouses, etc., etc., etc.“ but they are not for BUSINESSES.  Get it?

The information on whether or not XP HOME can join a domain is on the XP Professional page.

“Windows XP Professional is required to access a domain-based network. If you’re not sure whether the network you will access is domain-based, talk to the person in charge of the network to make sure you choose the proper version of Windows XP.“

I love those kind of postings don’t you?  I AM in charge of the network and what if I don’t know the right answer? 

Like those messages that say “please contact your network administrator for more information“.  I AM the network admin and can’t get this thing running the way it’s suppose to.

XP professional is what you need to have computer JOIN A DOMAIN. 

I would argue that XP Professional is just plain better in general, with or without a domain, but that’s just my opinion.

Let’s blog it one more time for dear old Uncle Google

XP Home machines cannot join a domain.

XP Professional machines can.

XP MCE 2004 can join a domain.

XP MCE 2005 sort of can’t but I hear if you install them from stratch the bits are there and you can join them, but officially they aren’t supposed to be domained.

P.S. Changed the blog so that XP HOME would be better googlable  🙂  Thanks Sophos 

I’m bringing out to the blog an argument I’m having with someone on IM about the private versus “private” and Ipconfig posting issue just to make a point about the risks of life in general on the Internet.

I’m arguing that in a mere email, there is as much risk of information “leakage” about a firm as there is when we post in ipconfig in the newsgroups. 

Let me show you want I mean.  Send an email from your SBS firm network to an outside email box.  Open up the email and adjust it so you can see the headers [Outlook is a pain in the butt for doing this, Thunderbird much easier].

Okay let’s look at the clues that come from a email

  • Inside that email in your internal name.  Probably something.local or maybe .lan both clues that you are an SBS box.  Therefore there’s about a 99% chance that your internal IP address scheme is 192.168.16.x
  • Inside that email is your public IP address
  • Inside that email is the “stamp“ of what version of Exchange you are on.  So if I see “Produced by Microsoft Exchange V6.5.6944.0” or “Produced by Microsoft Exchange V6.5.7226” I know you either have or don’t have Exchange 2003 SP1.  [During the XP sp2 betas the beta testers would read the email headers of the MS folks and track what “next’ build number of XP sp2 they were on versus the beta participants…. sick puppies …weren’t we? 
  • Given that last I checked Dr. J’s job wasn’t to specifically target SBS boxes, I would argue that the fact that you can google the phrase “Remote Web Workplace“ and see potential SBS boxes and get just as much stuff from email headers that the risks are the in the same category. 

Will I still feel that way in a week…. a month… or a year… maybe not.  Probably not.  But I see that email headers “bleed out” just as much private information that we probably don’t realize.

So is Tony right about freaking out about ipconfig postings in the newsgroups?  Probably.  psssst.. just don’t anyone tell Tony I posted that….Jeff also states that to post that information indiscriminately in the newsgroup is not wise.  To post internal information in a public manner that is forever googlable is a bad idea.

But I would still argue that email is just as much of a “bleeder“ of information.

So …what do you disclose about YOUR firm by just sending emails?

Tony posts that one should santitize the Ipconfig/all posting that is done in the newsgroups and I’d like to clarify one point he’s made.  He says that you should clean out the 192.168.16.x and 10.0.0.x addresses in your post and I disagree.  While those are class c and class a “private” ranges they are so well known of internal IP address ranges that IMHO, you aren’t disclosing anything that your email header doesn’t post in more stuff on.  I would recommend taking off an “external” IP address [something your ISP gave you, but posting in ipconfig/all shouldn’t also expose your ISP’s DNS info [and it’s not like an ISP’s DNS isn’t googable anyway.  We as SBSers don’t “host” our own public DNS.

So what are the standard IP addresss that are considered “private“ but so used by everyone that it’s common knowledge?  There’s a page here that talks about the ‘standards“.  In general in SBS land, back in the SBS 4.0/4.5 days we used a “class a“ with a kind of “class c“ subnet mask.  What’s a subnet mask?  It’s the part of the IP address that lets that system know how big of a network range it’s going to talk to.

Back in SBS 4.0/4.5 we used with a mask.  That meant that as long as a computer had a IP address that started with 10.0.0.X, our server would “talk“ to that system.  You’ll also see it noted as a 10.0.0.X/24. 

Now in SBS 2003 our default “’base“ range is a classic “C“ address of 192.168.16.x [where the server is normally].  Again the subnet mask of makes that system “talk“ only to the 250 someodd systems in that range.  What that mask really means is this.

As per RFC 1918, these address are “non routable“ they are your “inside“ addresses.  What many consultants do is pick that 172.16.x.x range and that is more often than not, NOT in a SBS network and thus any static VPN routing that the internal firm may do won’t mess with that consultant’s own ranges and settings.

What do I mean by Class “A“, and Class “C“?  These are agreed upon naming ranges for “private“ non-routable addresses.  Typically the Class A is a 10.x.x.x with a netmask of and Class C is a 192.168.16.x with a net mask of, Thus in the SBS 4.0/4.5 days our 10.0.0.x/subnet of was kinda not exactly the best setup.  Our new default of 192.168.16.x is the proper way to name our internal range.


Range of Addresses


Any addresses in 10.x.x.x


Addresses in the range of 172.16.x.x-172.31.x.x


Addresses in the range of 192.168.0.x-192.168.255.x

In computers the use of “on“ and “off“ is really what everything talks in, so 255 is in reality the value of 11111111

Starting from right to left in a logarithmic fashion it’s the total of

128   64   32   16   8   4   2   1  = 255

   1    1     1     1    1   1   1   1  = 255

Which is telling that system match every single number from the IP “octet“ [between the “.“] to the IP address that you are comparing it to. So a with a subnet of can talk to a that also has a subnet of, because the “0“ at the end is telling the system “okay you talk to ANYTHING in the to range and I won’t care“.

See how it works?

So when your ISP gives you an external REALLY PUBLIC IP address and the net mask is set for, it’s saying the following:

128   64   32   16   8    _   _  _  = 248

   1    1     1     1    1   0   0   0  = 248

And because 1 + 2 + 4 = 7, your ISP has just given you only “that“ IP addresses that your public IP can talk to [normally a gateway IP address and 6 public IP addresses.   Get it? [Assuming I’m doing that right, someone correct me if I’m wrong]

So bottom line when you post your IPconfig /all in the public newsgroups DO clear out an PUBLIC Ip addresses that your ISP gave you but I would argue there’s no need to clear out the 192.168.16.x stuff.  Wouldn’t take a rocket scientist to know that we’re “supposed” to be using those inside our networks.


As it’s stated here on a web site:

  1. What is DHCP?

    DHCP stands for “Dynamic Host Configuration Protocol”.

  2. What is DHCP’s purpose?

    DHCP’s purpose is to enable individual computers on an IP network to extract their configurations from a server (the ‘DHCP server’) or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.

I have found that things just work “better” if you let the SBS server be the DHCP “hander-outer”, that is, it NOT your Linksys/firewall/router is the one handing out the IP addresses.  Again, if you are migrating from peer to peer this is a bit unusual as you’ve been used to having a router that does this function.  But IMHO [in my humble opinion] the SBS network works the best [connectcomputer works better, wizards run nicer] if the SBS box is in charge of DHCP and DNS.  If you ensure that the router has it’s DHCP function disabled BEFORE you begin to set up the system, the SBS box will automagically set up the DHCP/DNS functions.  Go into the webbased interface and adjust the router to have DHCP disabled and then set up your SBS box.  It will no longer see another DHCP server and shut it’s own down. 

If the SBS box sees any other DHCP server [like your router] on it’s same subnet it will shut it’s own DHCP server down.  Don’t forget to run the VPN wizard as I’ve seen my server want to turn RRAS into a DHCP server without running that wizard.