While I’m a person who recommends that you don’t have to be first to install a service pack, lately I’ve seen a bit of a disturbing trend where someone will get a bad install or a BSOD and they will roll back to pre-service pack without doing more investigation.

First, some rules when it comes to the worst-case scenario of a BSOD.  That to me is not necessarily the worst thing that can happen to your system.  Worst case is that the system doesn’t boot and provides no clues at all.  A BSOD with a dump file left on the box means that you can debug what freaked out the system.  A BSOD on one system doesn’t mean that you’ll get a BSOD on another system.


BSODs 99.999999999% of the time are caused by a third-party driver.  Firing up the debugger and running it more often than not will point you in the right direction of what needs to be tracked down.

Do take a backup.

Do plan.

Do consider a service pack a time to also update the BIOS on the server and the NIC drivers, and in general to look over the other “stuff” of a server that may need updating.

Don’t willy nilly install it without planning.  But one person’s story of a bad or failed install may not be indicative of the experience you have.  Not all servers are alike.  Not all systems have the same drivers.

So a story about one person’s incident may not be a sign of across-the-board issues.

Listening to the gang in Seattle at the SBS build day and found a “I didn’t know that” tidbit in Tyler’s slide deck:

If you use Group Policy preferences to map drives AND the Vista workstations are still local admins, the mapped drives won’t ‘take’ unless you put in this registry key.  This key, aka EnableLinkedConnections (that Chad’s blogged about as well), will only impact you when your Vistas are local admins.

Create the EnableLinkedConnections DWORD registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1
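
The registry change above as a script, added here as an example and not taken from the original post or the slide deck: it reports the current value first and only writes when run with -Apply. The EnableLUA read (the UAC switch stored in the same key) and the restart reminder are additions for context.

```powershell
# Added example, not from the original post. Reports EnableLinkedConnections
# and, with -Apply, sets it to 1. Run from an elevated prompt.
param([switch]$Apply)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableLinkedConnections'

function Get-PolicyDword([string]$ValueName) {
    # Returns the value data, or $null when the value does not exist.
    $p = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$ValueName
}

function Format-State($v) {
    if ($null -eq $v) { 'not set' } else { [string]$v }
}

$current = Get-PolicyDword $name
# EnableLUA is the UAC switch in the same key; shown for context only (addition).
$uac = Get-PolicyDword 'EnableLUA'

Write-Output ("EnableLUA               : {0}" -f (Format-State $uac))
Write-Output ("EnableLinkedConnections : {0}" -f (Format-State $current))

if ($current -eq 1) {
    Write-Output 'Already set to 1; nothing to change.'
    return
}
if (-not $Apply) {
    Write-Output 'Not set to 1. Re-run with -Apply to write the value.'
    return
}

# Writing under HKLM needs an elevated token; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output 'EnableLinkedConnections set to 1. Restart the workstation for it to take effect.'
```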

Drive Mapping via Group Policy Preferences not working for Vista clients – Aimless Ramblings from a Blithering Lunatic . . .:

Some other key takeaways that I talked about:

Tattoo this blog post to your forehead:
The Official SBS Blog : SBS 2008 Migrations from SBS 2003 – Keys to Success:

Don’t install a patch that needs WGA UNTIL you’ve put the proper key in the box:
MPECS Inc. Blog: Ack! SBS 2008 Not Genuine!:

Philip’s Checklist:
MPECS Inc. Blog: SBS 2008 Setup Checklist V1.2.0:

This is not fixed in Win2k3 SP2:
The Official SBS Blog : Cannot resolve names in certain top level domains like .co.uk.:

This is included in Win2k8 SP2, so if you install SP2 you’ll get this needed fix:
New AFD connections fail when software that uses TDI drivers is installed on a Windows Server 2008 or Windows Vista SP1 system that is running on a computer that has multiple processors:



So I was asked if the use of OpenDNS makes a noticeable slowdown in surfing.  Not that I’ve seen.  And actually I think it speeds it up.  Like I said, I do have little weird page issues only because I choose to block doubleclick.net, but that’s my choice.  (For example, the final checkout page at Amazon has ads that are blocked by OpenDNS, so as you ‘exit’ the store it will warn you that some content is not SSL protected.  Since I’m exiting the store anyway, it makes no impact to the security of the transaction.)

Impact on surfing?  None that I can see.

Ability to instantly block bad sites across all networks?  Including my Dad’s?  Priceless.

After this morning’s presentation on “Stupid users and Attackers” I’ve been asked what categories and sites I block using OpenDNS.  One nice thing about OpenDNS is that I can manage several networks just from one console.  So the sites I block on one network can be different from another.

For example at the office I found that I had to reopen the “proxy-anonymizer” as there was a site we used (I forget now which one) that was being blocked. I also have uploaded a custom logo so that when people know they’ve been blocked, they know we mean it to be blocked.

But you may need to play around with the settings and, rather than use the High level, choose custom settings based on the needs of the firms.

I’ve also added some specific URLs and blocked domains that I feel don’t add anything but risk.  This is where my choice to block doubleclick comes in. Does it slightly make Amazon.com give off a weird message when you check out?  Yes it does, but if you tell people what to expect, it’s not an issue.

And if the top things blocked are stuff like this?  I don’t think it needs to be in my networks in the first place.

Links to detailed pages that show the Group Policy settings:

Under Domain Controllers
Default Domain Controllers Policy

Under MyBusinessOU, Computers, SBSComputers

Under MyBusinessOU, Users, SBSUsers
Small Business Server Folder Redirection Policy

An entire zip file of the raw (as in no wizards run) Group policy settings of a freshly built SBS 2008 box if you need to do any comparisons for any reason is located here: http://msmvps.com/media/p/1693429.aspx

If you want to make your own Windows 7 T-shirt – you can download the images from here:
http://cid-c756c44362cd94ad.skydrive.live.com/browse.aspx/Windows%207?uc=2  They are in various image types and sizes for your use.

You can print out the images (some of them are large for good resolution) and then print them with a color printer on iron on transfer paper –examples include the products below:

If you want to get a more “professional” image of the UAC pull up your Defense in Depth Slider – I’ve uploaded the image to CafePress.com so that you can buy shirts from them:

Remember to bring your UAC slider bar all the way to the top

That’s what the shirt is all about.  Zip your slider up for best protection!

Ignore this post.  I picked the SBS 2008 box that was in the middle of the migration from SBS 2003 to SBS 2008.

I’ll redo this post (and format them a better way) and post up the default Group policy settings.

Starting off with the first policy – Default Domain Policy


Default Domain Policy
Data collected on: 5/28/2009 3:12:20 PM


Domain smallbusiness.local
Owner SMALLBUSINESS\Domain Admins
Created 5/24/2009 10:01:50 PM
Modified 5/25/2009 8:48:04 PM
User Revisions 1 (AD), 1 (sysvol)
Computer Revisions 7 (AD), 7 (sysvol)
Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status Enabled

Location Enforced Link Status Path
smallbusiness No Enabled smallbusiness.local

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
SMALLBUSINESS\Domain Admins Edit settings, delete, modify security No
SMALLBUSINESS\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)

Windows Settings
Security Settings

Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 0 days
Minimum password age 0 days
Minimum password length 0 characters
Password must meet complexity requirements Disabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 10 minutes
Account lockout threshold 50 invalid logon attempts
Reset account lockout counter after 10 minutes

Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes

Local Policies/Security Options

Network Security
Policy Setting
Network security: Force logoff when logon hours expire Disabled

Public Key Policies/Encrypting File System

Issued To Issued By Expiration Date Intended Purposes
Administrator Administrator 5/23/2012 10:05:09 PM File Recovery

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

User Configuration (Enabled)
Windows Settings
Remote Installation Services

Client Installation Wizard options
Policy Setting
Custom Setup Disabled
Restart Setup Disabled
Tools Disabled

Tomorrow I’ll be doing a presentation that while it has SBS 2008 in the title, isn’t just about SBS.  It’s really about Risk assessment.

If you attend, I’ll be giving away to one lucky random attendee a copy of Mark Minasi’s Securing your Windows Systems CD-ROM – http://www.minasi.com/seccd/

Who knows, I may throw in a bonus Windows 7 T-shirt to a lucky viewer!

Which is the bigger threat to a small firm? External attackers or Stupid Users? Perhaps both? Join Susan Bradley, Patch Watch author for Brian Livingston’s Windows Secrets, as she guides you through the resources and tools she uses to secure and protect a small firm from both kinds of attackers. Along the way she’ll point out the security features of SBS 2008 and resources for keeping both the server and users safe and secure on the Internet Highway.


How many of you have found rogue antivirus programs on workstations?

How many of you have found enough IE toolbars to sink a ship on a workstation?

Is Google a risk to use as a search engine?

How many of you get calls from clients that have to deal with users going to Twitter and Facebook, and have you considered what impact these social sites have on the security and privacy of the employees of the network?

What proactive steps are you doing to ensure that you are balancing the needs of the business with the needs to secure the business?

Do you need to worry about Zero Day attacks?

What’s the best way to secure a Windows XP machine?

Do cloud offerings help, or do they bring risks as well?

All of this and more will be answered on 5/29/09 at 9:00 AM Pacific.  Sign up here:  https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=259640