Monthly Archives: March 2009

The Official SBS Blog : SBS 2003 BPA configuration file has been updated!:

http://blogs.technet.com/sbs/archive/2009/03/31/sbs-2003-bpa-configuration-file-has-been-updated.aspx

If you haven’t downloaded this, do so.  It adds some additional pre-checks for migration now.


SBS Best Practices Analyzer:
http://www.sbslinks.com/sbsbpa.htm

Microsoft Watch – Server – Microsoft Readies Windows Server 2008 Foundation

Microsoft Watch – Server – Microsoft Readies Windows Server 2008 Foundation:
http://www.microsoft-watch.com/content/server/microsoft_readies_windows_server_2008_foundation.html

Interestingly, the Microsoft documentation compares Foundation to Windows Server Standard rather than Small Business Server. Windows Server Foundation must then be a subset of Windows Server 2008 rather than SBS. Some key differences between Foundation and Standard:

  • 64-bit only, whereas Server Standard also comes in a 32-bit version
  • No virtualization, whereas Server Standard comes with one license
  • 15-user limitation, which means Microsoft’s target market is the very small business
  • Routing and Remote Access and Terminal Services Gateway are each limited to 50 users compared with 250 for Server Standard
  • Internet Authentication Service is limited to 10 users, versus 50 for Standard Server.

Windows Server Foundation is less than I expected. I had speculated that Microsoft would strip down features, using the existing “core” approach, to offer software specialized for different small business tasks. Instead, Microsoft has changed licensing terms, simply turning off broader capabilities available in higher-end Windows Server 2008 versions.

According to the marketing material, the software will be preinstalled on servers, which insinuates that there will be no boxed software. Microsoft’s key message to resellers:

Server Foundation provides organizations with the foundation to run popular business applications. It’s an affordable platform for core IT capabilities, including file and print sharing, remote access and security features. A familiar Windows experience makes it easy for organizations to get up and running.

Among questions the Microsoft sales material suggests that they should ask:

  • Do you have cost-conscious, small-business customers?
  • Do your customers want genuine software at an affordable price?
  • Do your small-business customers need to print, share files and connect to the Internet?
  • Do you want to optimize your existing investments in Windows Server to sell to more customers?

There are questions I still can’t answer about Windows Server Foundation:

  • Will it be installed on an appliance, like Lotus Foundations?
  • Will Microsoft bundle productivity and message applications?
  • What will a Windows Server Foundation system cost?

Based on information available to me, I must regard Server Foundation as a competitive response to Lotus Foundations and other Linux server software. The tweaked licensing terms tip off Microsoft’s intentions, as do the licensing terms allowing easy upgrades to Windows Server Standard. Microsoft already has a very good product for the target market: Small Business Server. Does it really need another?

To the partner who just the other day was looking for an economical package to serve the 5-10 user space cheaper than SBS 2008, yes, this solves a need.  To the partner who is looking for a remote DC for a branch office, this serves a need.  To the partner looking for a cheap second server, yes, this serves a need.

Stay tuned as more leaks out of Redmond about Foundation server.


Maybe we have to have that April 1st blow up the world war game before we’ll learn?

CBS 60 Minutes covers Conficker, malware epidemic | Zero Day | ZDNet.com:
http://blogs.zdnet.com/security/?p=3036

Did 60 Minutes help, or just report the facts very badly?

If I didn’t know better I would say that after watching 60 Minutes I am just going to stop using my computer, because obviously just using it for day-to-day stuff is utterly dangerous.  In that 15 minutes, on the one hand the guy from Symantec is saying I’m screwed; on the other hand the guy from Google says he never sees the bad stuff.  Is that because he never uses the Google search engine for things like “March Madness”, which at one time offered up bogus antispyware offerings?


I’m not ready to throw in the towel and say Lauren would be better off with a Mac or Ubuntu to keep her safe, as I think that’s too easy an answer and too lame a solution.  It’s also merely pushing off to tomorrow what the real issue is today:


We are not educating ourselves as to how to operate technology.


From business to home users, none of us ever get nearly the training we should for operating technology.  I also think it’s not wise to merely give a teenager who has been known to download music from various sources an alternative OS platform and say “go for it” as that’s not teaching safe computing. 


Right now we absolutely are horrific at giving people good answers and good information about real risks for them.  We scare people like Leslie and company just did and then give no good information on how to protect ourselves.  “I thought the firewall was good enough, it wasn’t” but then don’t get into the real issue of how many third party outbound filtering firewalls do not give good enough information for people to make informed decisions. 


The other night the movie of War Games was on TV.


Just like Joshua we have to learn that playing tic-tac-toe like we’re doing with the computer bad guys doesn’t get us anywhere.



Leslie you blew it.  We’re all blowing it.  We’re making everyone fear April 1st and giving them no long term lessons out of this.


From a comment on that Zero Day blog:


Hype and panic? Or legitimate threat even for conscientious users?
I watched that 60 Minutes program, and came away with more questions than answers. The report seemed to express that even when users are vigilant about keeping their PCs up-to-date and even when users use good anti-malware and even if users follow proper procedures, like not downloading porn off of torrents, then Conficker might “get ‘em”. Just how much validity is there to that threat? I really get frustrated by media stories that use lines like, “it turns out that even our computers here at CBS weren’t secure enough!” That doesn’t prove anything. A large corporation like CBS has a large, extensive, complex computer network with many, many end users with highly variable computer skills. Of course network administrators for large corporations have their work cut out for them. But what about the person who runs ONE PC behind ONE router, installs all updates as soon as they’re available, and runs anti-malware like AVG and Windows Defender? The one part of the 60 Minutes report I DID like was the Google guy who said, “I’ve been on the Internet since the beginning, and I’ve never had a problem.” Is that a good rule-of-thumb? If you have NEVER had a malware issue with your PC because you follow good practices, maybe you shouldn’t worry too much when the media hypes the next big worm. Just keep following the same practices you always have.


The bad guys win when all we do is confuse people.


The risks to PCs in a corporate office are not the same as the risks to a single stand-alone system.


The piece doesn’t go into detail about the risks of Conficker entering CBS from an employee bringing in an infected USB flash drive, or from a system not being patched (we don’t know if they are running NT systems or other unsupported/unpatched systems), nor does it go into their patching practices.


No one is truly listing what activities bring the risk to a stand-alone system.  There are vague references to BitTorrent and music downloads, but it really isn’t detailing the true risk for folks.  Is that because we really don’t know, or is it because we really don’t want to be honest about where the risks are coming from because we don’t want to shut down that means of entry?  If USB flash drives are truly a massive vector, maybe we should be sending out a patch that turns off AutoRun rather than just fixing it?
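The AutoRun switch-off the paragraph asks for can be applied per machine through two policy values; the following PowerShell is an added example (not from the original post) that audits them and, with -Enforce, sets them. NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type, and HonorAutorunSetting = 1 makes Windows respect that value once the Microsoft AutoRun update (KB967715) is installed; the function names and the -Enforce parameter are my own.

```powershell
# Added example (not from the original post): audit and optionally enforce
# the registry policy that disables AutoRun for all drive types, closing the
# USB-stick entry route discussed above. Run as administrator for -Enforce.
param([switch]$Enforce)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desired   = @{ NoDriveTypeAutoRun = 0xFF; HonorAutorunSetting = 1 }

function Get-AutorunState {
    # Returns a hashtable of current values; a missing value is reported as $null.
    $state = @{}
    foreach ($name in $desired.Keys) {
        $current = $null
        if (Test-Path $policyKey) {
            $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.$name }
        }
        $state[$name] = $current
    }
    return $state
}

function Test-AutorunDisabled {
    # AutoRun only counts as off when both values are present and correct.
    $state = Get-AutorunState
    return ($state.NoDriveTypeAutoRun -eq 0xFF) -and ($state.HonorAutorunSetting -eq 1)
}

function Set-AutorunDisabled {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        # -Force overwrites an existing value with the wrong data.
        New-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report what is on the box before doing anything.
$before = Get-AutorunState
foreach ($name in $before.Keys) {
    $shown = if ($null -eq $before[$name]) { '(not set)' } else { '0x{0:X}' -f $before[$name] }
    '{0,-22} current={1}  desired=0x{2:X}' -f $name, $shown, $desired[$name]
}

if (Test-AutorunDisabled) {
    'AutoRun is disabled for all drive types.'
} elseif ($Enforce) {
    Set-AutorunDisabled
    'AutoRun policy values written; log off or reboot so Explorer re-reads them.'
} else {
    'AutoRun is NOT fully disabled. Re-run with -Enforce (as administrator) to set the policy.'
}
```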


And on a related rant, there’s the BitTorrent issue.  It floors me how many people who should know better don’t.  They should know better than to download from BitTorrent, but do anyway.  They should at least take hash values of the ISOs and compare them to the published hash values so that they know they are getting good ISOs.  And then there’s the Win7 issue.  It floors me how many people are running post-7000 builds that they are getting from BitTorrent.  There’s a part of me that wonders, if these leaked builds are from TAP/NDA customers, whether they know what NDA means.  There’s a part of me that wonders if Microsoft is secretly leaking them to build a buzz factor.  Regardless of which camp leaked them, the fact that people are downloading them in the first place, or at least not taking the precautions they should, is mind blowing.  We are clearly not caring one bit about proper computer operations.  All we want is our free music, our free beer and especially our latest build of Win7.
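Comparing a downloaded ISO against the published hash, as the paragraph recommends: an added PowerShell example, not from the original post, that uses the .NET hash classes so it runs on the PowerShell versions of the Server 2008 era. Test-PublishedHash and Get-FileHashHex are my own names; the self-check at the end hashes a constructed temp file containing "abc" against the well-known SHA-1 of that string.

```powershell
# Added example (not from the original post): verify a file against a hash
# published by the vendor. The algorithm is picked from the digest length, and
# the published value may contain spaces or dashes, as vendors often print it.
function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm)
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).Path)
    try {
        $bytes = $algo.ComputeHash($stream)   # streams the file, so multi-GB ISOs are fine
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-PublishedHash {
    param([string]$Path, [string]$Published)
    # Normalise the published digest: drop whitespace and dashes, lower-case it.
    $expected = ($Published -replace '[\s-]', '').ToLower()
    if ($expected -notmatch '^[0-9a-f]+$') { throw 'Published value is not a hex digest' }
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        default { $null }
    }
    if (-not $algorithm) { throw "Unrecognised digest length: $($expected.Length)" }
    $actual = Get-FileHashHex -Path $Path -Algorithm $algorithm
    New-Object PSObject -Property @{
        File      = $Path
        Algorithm = $algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)   # only install the ISO when this is True
    }
}

# Self-check on a constructed file: SHA-1("abc") is the standard test vector.
$tmp = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllText($tmp, 'abc')   # UTF-8, no BOM: bytes 61 62 63
$result = Test-PublishedHash -Path $tmp -Published 'A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D'
Remove-Item $tmp
$result | Format-List
```

For a real download, call `Test-PublishedHash -Path .\image.iso -Published '<hash from the vendor page>'` and refuse the file when Match is False.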


Meanwhile we’re learning no processes and procedures to lessen the risks of what we are doing.


Maybe we have to have that April 1st blow up the world war game before we’ll learn?


How secure is your VoIP?

One of the issues that people don’t necessarily think of when they look at VoIP implementations is the security issues that may come with them.  Whether it’s Unified Communications Server or Trixbox, the fact that your phone system is no longer an ignored POTS system in the back office but a computer system, possibly on the same network as your domain controller, servers and the like, means it should not be overlooked for weaknesses and issues.


Tony Bradley (great last name, but no relation) of Evangelyze.net is one of the gurus in the space of VoIP security and Unified Communications security.  If you haven’t been thinking about the security of Unified Communications, check out his blog for more thoughts, ideas and issues that you may need to address.


For those into managed services, his firm offers audits, consulting and 24/7 proactive monitoring of VoIP/UC security as well, in case you need any of those services and didn’t know where to look for resources.  Check out his podcast on Response Point too.

Separation of duties the PCI DSS way


“For a firm to be compliant with some parts of regulations these days you need separation of duties that SBS 2003 and SBS 2008 can’t muster.”

Susan,

Maybe I am missing the whole point here.

I think your statement is FUD. MS sells additional licenses to Windows 2008 server separately; you may add as many as you need to your SBS domain for isolation of services. What regulation requires more than that?

John

Honestly it’s not FUD.  And I’m specifically referring to SBS 2003 and SBS 2008 Standard. It’s the PCI-DSS requirements that I don’t think SBS can pass, but I don’t think we should be trying to pass them, honestly, because I don’t think any server should be storing credit card data.

Check out the PCI-DSS requirements. 2.2.1 requires — “Implement only one primary function per server” among other requirements including DMZs and isolation of the data.  Mind you they aren’t just about storage of credit card data but if you haven’t read them before, do so.

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

That’s why in cases where you’re transacting credit card data I’d ask if it truly needs to be stored on that server in the first place.  I think we should question ANY company’s storage of credit card data for any reason, regardless of whether it’s on an SBS server or not.

Blowing up drive mirroring

One of the cool things about having a Hyper-V test lab is that you can do things like blow up servers and it doesn’t matter.


So as a follow up I was asked about booting from the secondary drive when the primary fails. 


MirrorDynamicDisksServer2003 < NexusDocumentation < TWiki:
http://www.freebsd.uwaterloo.ca/twiki/bin/view/NexusDocumentation/MirrorDynamicDisksServer2003


When I blew off the main C: drive in my Hyper-V test I was indeed able to boot into that secondary plex.  When you set up a software mirror you will note that you now get a new boot screen like so:



Now let’s test that the system will work from the mirror.


We’re just going to nuke that drive.



Once we nuke the disk we will select the secondary drive option to test the boot up.


If we’d let it boot from the first drive, it would fail.



But if we choose Windows 2008 – Secondary Plex by scrolling down to it and choosing it as the bootable option, we can boot the box.



Select the secondary plex and the box will boot even though we’ve just blown off the main drive.



Remember we just nuked the hard drive and the system is still booting up.


When we log in we find that we are missing a drive.  (Remember, I removed it from the Hyper-V setup but the VHD is still on the computer, undeleted.)


As you can see it’s booted up but it knows it’s not a happy camper.



Okay so now let’s test putting that drive back online.


In our Hyper-V test, we’re going to go back into the settings and add that existing VHD back.  We click on New, then copy the location back in and click OK.


We turn it back on and let it boot back as it was.


We will have an unhappy camper in Disk Management, so make sure you go back and fix the mirror. 



You can’t reactivate the missing disk; you have to import the foreign disk.



Choose the mirrored drive and set the mirror back up as it should be.


Now back to happy campers.


Now I’m sure you’ll ask: but what if you need to blast off the original drive?  No prob, you just go into the boot.ini file and edit out the so that the system boots from the main drive, then you rebuild the mirror with a new disk.


Alternatively you can use fixmbr – http://pcsupport.about.com/od/termsf/p/fixmbr.htm and that will set up a new boot record.


Bottom line: get a box, load up Hyper-V, build an SBS and start blowing things up.


More tips for SQL 2008

The Official SBS Blog : Requirements for Installing SQL 2008 Standard Edition for Small Business:
http://blogs.technet.com/sbs/archive/2009/03/23/requirements-for-installing-sql-2008-standard-edition-for-small-business.aspx

To follow up on this post, some other issues you need to be aware of if you attempt to install SQL 2008 ON the same server as the SBS 2008. (Keeping in mind it would be best if you put the SQL on a second server or a virtualized server rather than on the SBS itself)


One thing you will have to do is remove the SQL 2005 management tools from the server and then install the SQL 2008 Management Studio Express tools.  You can’t load the full SQL 2008 management tools on the SBS 2008 box.


Cannot install SQL Server Management tool on Windows XP or Windows Vista platform using the SQL 2008 DVD included in SBS 2008 premium edition:
http://support.microsoft.com/kb/958978


Microsoft SQL Server 2008 – Installation Made Easy
http://www.packtpub.com/article/microsoft-sql-server-2008-installation-made-easy


Windows Small Business Server 2008 Technical FAQ
http://technet.microsoft.com/en-us/sbs/cc817589.aspx

“Can I install SQL Server 2008 from Windows Small Business Server 2008 Premium Edition on the first server?

Yes, this is a supported scenario. However the SQL Server 2008 management tools will not install on the same server; you must install them on another server.”



If you haven’t yet installed .NET 3.5 SP1, it will install that first.


Then it will install Windows Installer 4.5:
http://support.microsoft.com/default.aspx?scid=kb;en-us;942288


You will get two warnings as well:



As I said, consider that you are putting it on a DC.



Then only pick those specific pieces you need.  Check with the vendor to see exactly what parts you need and install only the minimum.



And don’t forget you’ll need to remove the SQL 2005 Express tools before you can install it “ON” the server.


The Official SBS Blog : Requirements for Installing SQL 2008 Standard Edition for Small Business:

http://blogs.technet.com/sbs/archive/2009/03/23/requirements-for-installing-sql-2008-standard-edition-for-small-business.aspx


Basic Software Raid in SBS 2008

I was wondering if you know where I could learn how to set up software mirrored disks for the C: drive in a SBS 2008 system. This is an AT BIOS machine (not EFI), and using MBR disks (not GPT). Microsoft has kb951985 for the GPT disk case, I’m looking for a corresponding procedure for MBR disks.


MBR is pretty easy.  A step by step is here:  http://www.techotopia.com/index.php/Mirroring_Windows_Server_2008_System_Disks but basically the process is that once you add a second drive to the server, the drive will want to be initialized.  Choose MBR as the drive type.


Go into computer management and it will see the new drive.



Click on Disk Management and you’ll need to then initialize the disk.



Choose MBR as the type of drive. 


Now convert the main drive to a dynamic drive to prepare it for software mirroring.  (Of course make a backup first).



Choose the drive



Click through the “are you really sure” messages.



Now that the main drive is dynamic, right mouse click on that C drive and choose “Add Mirror”.



Select the other drive to make the mirror on.



Convert the mirror to a dynamic drive as well



You’ll notice the sync is now underway.



Some RAID purists will say you need hardware RAID and that software isn’t good enough. One thing to keep in mind is that with this basic software RAID you don’t have a lot of diagnostics as to what is going on with the underlying RAID sync.


But if you want cheap raid, throw another drive in a system and see how easy it is to set it up.
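The same mirror can be built without the Disk Management clicks, and the sync status pulled back out afterwards, which is about all the diagnostics the previous paragraph says basic software RAID gives you. This PowerShell wrapper around diskpart is an added example, not from the original post or Microsoft; it assumes disk 0 holds C:, the new drive is disk 1, BIOS boot with MBR disks on Server 2008 / SBS 2008, an elevated prompt, and the Invoke-DiskPart and Get-MirrorStatus names are my own.

```powershell
# Added example (not from the original post): mirror the system volume with
# diskpart, then report mirror status. Take a backup first, as the post says.
param(
    [int]$SourceDisk = 0,
    [int]$MirrorDisk = 1,
    [string]$Volume  = 'C',
    [switch]$Apply          # without -Apply the script only reports status
)

function Invoke-DiskPart {
    # Runs a list of diskpart commands from a temp script and returns its output.
    param([string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    try { diskpart.exe /s $script } finally { Remove-Item $script -Force }
}

function Get-MirrorStatus {
    # 'list volume' columns: Volume, Ltr, Label, Fs, Type, Size, Status, Info.
    # Only rows whose Type is Mirror matter; Status is Healthy while in sync,
    # anything else (still rebuilding, failed redundancy) needs a look.
    $lines = Invoke-DiskPart -Commands @('list volume')
    $lines | Where-Object { $_ -match '\sMirror\s' } | ForEach-Object {
        New-Object PSObject -Property @{
            Line    = $_.Trim()
            Healthy = ($_ -match '\sHealthy(\s|$)')
        }
    }
}

if ($Apply) {
    Invoke-DiskPart -Commands @(
        "select disk $MirrorDisk",
        'online disk noerr',      # a brand-new disk may still be offline
        'convert mbr noerr',      # initialise as MBR (the question above rules out GPT)
        'convert dynamic',        # software mirroring needs dynamic disks
        "select disk $SourceDisk",
        'convert dynamic',        # same conversion the GUI prompts for; may ask for a reboot
        "select volume $Volume",
        "add disk=$MirrorDisk"    # 'Add Mirror' in Disk Management; the sync starts now
    )
    'Mirror added. Confirm the secondary plex boot entry exists with: bcdedit /enum'
}

'Mirrored volumes as diskpart sees them (ok = Healthy, !! = anything else):'
foreach ($m in Get-MirrorStatus) {
    $flag = if ($m.Healthy) { 'ok ' } else { '!! ' }
    $flag + $m.Line
}
```

Run it without -Apply from a scheduled task to get the sync/redundancy status the GUI otherwise makes you go looking for.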

Things I’d really like to know…

… exactly who named Conficker, Conficker?


… and exactly what does Conficker mean anyway?


… and why did they change “Add/remove Programs” to “Program and Features” in Vista and Windows 7?


… how many additional seconds of my life will be spent scrolling down to “Programs and Features”?


… why do people care if it’s “S-Q-L” or “Sequel”?  I mean, regardless of if I call it “S-Q-L” or “Sequel” I still don’t fully know what I’m doing when I’m dealing with it.  So regardless if I know which is the true and proper way to refer to it, doesn’t change the fact that I still don’t know what I’m doing when I launch the Management Express console.


… Facebook may have 200 million people signed up …but how many REALLY use Facebook? Or how many like me are occasional users and primarily because everyone I know stuck their MVP summit photos up there so if you wanted to see them you had to sign up?


Today’s list of things I’d really like to know …