Monthly Archives: December 2009


Exchange 2007 sp2 on SBS 2008

When you install Exchange SP2 on SBS 2008, any issues you hit will not be because of SBS or unique to the SBS tool. They are pure Exchange issues that you would hit regardless of the installation.


For example… one that Nick Whittome hit during his testing was an error that he got while installing SP2:


“Setup previously failed while performing the action “Install”. You cannot resume setup by performing the action “BuildToBuildUpgrade”.”


http://www.google.com/search?q=You+cannot+resume+setup+by+performing+the+action+%22BuildToBuildUpgrade&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1


As you can see this is an issue that “normal” Exchange has seen.  So if you hit issues, it’s not unique to SBS and you may need to google on the exact error message you get.  Plan on about an hour for the download of the SP2 package (at least on my DSL speed) and about an hour to install SP2 on a box… and as I said before TAKE A BACKUP.  Go into the Backup console and kick a special one.

Exchange sp2 wrapper tool is out on the download site

TAKE A GOOD BACKUP FIRST

Download details: Microsoft Exchange Server 2007 SP2 Installation Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ffd2fe61-9278-489e-9b96-3816394c9cb6&displayLang=en

Keep in mind any SP2 installation issue that an Exchange box might normally hit (and I'll blog later about the ones I've seen the normal Exchange folks hit) you may hit regardless.

It takes an hour to download the sp2
It takes an hour to install SP2

Book the time accordingly.

TAKE A GOOD BACKUP FIRST

(I'll blog more on this topic but I'm about to leave for LA/Disneyland for the New Year's weekend)

TSGateway and domain credentials

One of my users that has XP as a remote machine was saying that they couldn’t log into RWW.  They would get to the TS Gateway and enter in the information and it would say that they were getting a bad password.  So I fired up a virtual XP to see if I could walk through the screens to see what they were hitting.


And I see the problem.  XP machines do the login one way; Vista/Win7 machines do the login differently.



On an XP machine, when it gets to that TS Gateway screen it does not enter in the DOMAIN\username like it automatically does in Vista and Windows 7.


So if your XP users are complaining that they can’t log in and get a bad password, what happens is without the DOMAIN\username they end up on the local account on the box, not the domain account.  And of course, the password for the local account is not the same.


So in that screen make sure your XP folks know to type in DOMAIN\username.  I’ve typed up instructions for folks that access the firm remotely but apparently I missed that instruction.

What are we doing to ourselves?

We’ve built a beast.   Or building a beast.  We’ve built a business model (or lack thereof) that is destroying content.


With the Christmas holidays I missed the announcement that Brian Krebs was leaving Washington Post.  Another really good source of information from the traditional media that is now no longer at the place it used to be. 


Security Fix – Farewell 2009, and The Washington Post:
http://voices.washingtonpost.com/securityfix/2009/12/farewell_2009_and_the_washingt.html
Krebs on Security:
http://www.krebsonsecurity.com/
briankrebs (briankrebs) on Twitter:
http://twitter.com/briankrebs

The good news is that he’s opened up a space on the Internet.  Here’s hoping that he can continue to maintain the level of information that site has brought to security.  To make sure he does I clicked on that paypal and donated.


Back in 2003 the security researcher “Rain Forest Puppy” wrote this note — http://www.wiretrip.net/rfp/txt/evolution.txt.  I think it still holds true today.


Don’t lose sight of security.  Security is a state of being, not a state
of budget.  He with the most firewalls still does not win.  Put down that
honeypot and keep up to date on your patches.  Demand better security from
vendors and hold them responsible.  Use what you have, and make sure you
know how to use it properly and effectively.

And above all else, don’t abuse or take for granted sources of help and
information.  Without them, you might find yourself lost or
inconvenienced.

Consumer Electronics Show

Microsoft at International Consumer Electronics Show (CES) 2010 Virtual Pressroom:
http://www.microsoft.com/presspass/events/ces/

As we close out the old year, the new year and the Consumer Electronics Show are right around the corner.


For whatever reason I didn’t realize it was next week.  We’ll see what press comes out of next week.  Looks like Apple is planning an event at the end of the month and bypassing CES.

So I’m closing out the year still without access to the MVLS web site

https://www.microsoft.com/licensing/servicecenter/Registration.aspx


So I’m closing out the year still without access to the MVLS web site and I know from others posting that they are in the same condition.


Granted OEM software distribution sucks (like we’ve had two Windows 7 consumerish newly purchased computers arrive and neither one had true media and you had to burn in your own), but you do have the software somewhere. 


What this has done for me is question deeply if I want to buy Open Value licenses in the future.  The value of Open Value to many is the upgrade, not the benefits of the platform itself. 


It’s getting harder and harder to justify open value based on the time wasted to try and get access and the real (and not perceived) benefits.


So for all those of you that are still banging your head, keep the faith.


Or try to at least.

Why keeping your clients’ data private and secure matters

Event Details:
http://www.calcpa.org/Public/Catalog/CourseDetails.aspx?courseID=098092127A

REGISTRATION STATUS: OPEN




Date: Friday, January 08, 2010
Time: 12:00 – 2:00pm (Registration at 11:40 )
Facility: TBA
Area: Webcast
CPE Credit: 2.0 CPE (Continuing Professional Education)
Instructor: Susan E. Bradley
NASBA Subject Area: Computer Science
Delivery: Group Internet-Based
Course Level: Beginning
Fee: $0 CalCPA Members, $99 Nonmembers


This webcast, FREE for CalCPA members, is being sponsored by the CalCPA State Technology Committee.


As data systems become more complex, they become more valuable. CPAs, in particular, need to stay ahead of the curve if they want to keep their clients’ data safe. This two part webcast is designed to provide you with the tools you need.


Part 1: Why keeping your clients’ data private and secure matters 12:00 – 1:00 pm


Join Susan Bradley, CPA, GSEC, CITP, CFF and Dana Epp, Microsoft Enterprise Security MVP and CEO of ScorpionSoft as they traverse the legal and regulatory minefield of privacy regulations, laws, and “best practices”. We’ll cover what specific laws and regulations currently impact the handling of client data as well as warn you about the impact of upcoming laws and regulations. We’ll provide you with guidance to identify and track personal identity information in your office and provide you with the guidance to set up your own security policy to protect that data.


Part 2: Implementing privacy and security of your clients’ data 1:00 – 2:00 p.m.


Susan and Dana will guide you through the specific solutions to deploy to protect data at rest and in transit in your organization. We’ll discuss software, hardware and the reasons to choose a solution and how to implement it within your organization.


Objectives:


  • To assist the CPA in identifying what laws and regulations impact the need to protect and secure client data.
  • To provide the CPA with resources to set up a security policy.
  • To provide a framework for identifying and classifying sensitive data in a firm and provide guidance as to necessary protection for the data.
  • To assist the CPA in identifying what technologies and software will assist in protecting and securing client data.


Major Topics:

  • data
  • encryption
  • security
  • information technology

Designed for:
Any CPA concerned with the safety and security of his or her clients’ financial data.

Prerequisite:
none

Advanced Preparation:
none

    Setting up a Member Server Group Policy

    I’ve done this twice now and it annoys me every time I do it.


    I set up a server in an SBS 2008 domain.  I join it to the domain.  It initially goes into the SBSComputers OU that has a prebuilt group policy to allow for remote desktop and firewall exclusions for remote desktop.  I change the server from the SBSComputers OU to the SBSServers OU and if I don’t remember to then manually go back in to the system/remote tab and edit the ability to remote into the server I’ve locked myself out.


    So I built a group policy rule so I won’t do that anymore.


    First build a WMI filter:


    Launch the group policy management console.  Go in the WMI Filter section, right mouse click and click new.  Title up the policy, put in a description, click add.


    Leave the root\CIMv2 namespace as is and in the Query section copy and paste in:


    Select * from WIN32_OperatingSystem where ProductType=3


    You will note that in the Windows SBS Client the query value is like this:


    select * from Win32_OperatingSystem Where ProductType!=2


    The “!=” means “does not equal”, so that one reads “filter on everything BUT the domain controller”.  The one I’m building specifically targets server OSes.

    http://www.eventlogblog.com/blog/2009/10/useful-wmi-queries-to-filter-g.html


    Workstation
    Select * from WIN32_OperatingSystem where ProductType=1
    Domain Controller
    Select * from WIN32_OperatingSystem where ProductType=2
    Server
    Select * from WIN32_OperatingSystem where ProductType=3



    Now we go into the SBSServers OU, right mouse click and click on “Create a GPO in this domain, and Link it here”.



     Call the group policy something descriptive.  Now go down to Computer Configuration, then to Policies, then to Administrative templates, then to Windows components, then to Terminal Services, then to Terminal Server, then to Connections,  and ensure that “Allow users to connect remotely using Terminal Services” is enabled. 



    Next go to Computer Configuration, then to Policies, then to Windows Settings, then to Security Settings, then to Windows Firewall with Advanced Security and go to Inbound Rules.


    Right mouse click and click on “New Rules”.  Choose predefined rules and choose Remote Desktop (TCP-IN), then Distributed Transaction Coordinator, then Windows Management Instrumentation.  You can thin these down if you like, but for me those three core ones allow me to manage the box remotely better.


    So the resulting firewall will look like this:



    So there you go, a specific group policy for member servers.
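
One way to confirm, on the member server itself, that the WMI filter matches and that the two policy settings arrived, as an added example that is not part of the original post. It assumes Windows PowerShell run elevated after gpupdate /force; the helper name Test-WmiFilter is hypothetical, and the registry paths are the locations where Group Policy writes the Terminal Services setting and policy-delivered firewall rules.

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell
# prompt on the member server after "gpupdate /force".

# WMI filter queries quoted in the post.
$filters = @(
    @{ Role = 'Workstation';       Query = 'Select * from Win32_OperatingSystem where ProductType=1' },
    @{ Role = 'Domain controller'; Query = 'Select * from Win32_OperatingSystem where ProductType=2' },
    @{ Role = 'Member server';     Query = 'Select * from Win32_OperatingSystem where ProductType=3' },
    @{ Role = 'SBS client filter'; Query = 'Select * from Win32_OperatingSystem where ProductType!=2' }
)

# Hypothetical helper: a GPO WMI filter passes when its query returns at least one object.
function Test-WmiFilter([string]$Query) {
    $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

foreach ($f in $filters) {
    '{0,-18} filter matches this machine: {1}' -f $f.Role, (Test-WmiFilter $f.Query)
}

# "Allow users to connect remotely using Terminal Services" = Enabled writes
# fDenyTSConnections = 0 under the policy key below.
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$deny  = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).fDenyTSConnections
if ($null -eq $deny) {
    'RDP policy: not configured by any GPO'
} elseif ($deny -eq 0) {
    'RDP policy: connections allowed by GPO'
} else {
    'RDP policy: connections denied by GPO'
}

# Firewall rules delivered by Group Policy are stored as pipe-delimited strings here.
# Assumption: fields such as Dir=In, Active=TRUE and LPort=3389 appear in that form.
$fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
if (Test-Path $fwKey) {
    $key     = Get-Item $fwKey
    $rules   = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    $inbound = @($rules | Where-Object { $_ -like '*|Dir=In|*' -and $_ -like '*|Active=TRUE|*' })
    $rdp     = @($inbound | Where-Object { $_ -like '*|LPort=3389|*' })
    'GPO inbound rules active: {0}; of those on TCP 3389: {1}' -f $inbound.Count, $rdp.Count
} else {
    'No firewall rules have been delivered by Group Policy to this machine.'
}
```

Running gpresult /r /scope computer on the same machine shows which GPOs were applied and which were filtered out.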


    Word of advice when setting up servers that later will be installed in an office or remote location.  Stick logmein free on there until you get the server stable and policies working just so.  You can accidentally log yourself out of RDP, but chances are the logmein beacon will still work just fine so you can figure out what you did and undo it.

    Don’t forget to flip


    Just a reminder when setting up a new server don’t forget to flip the box.  When you go to scan for updates click on that little “Find out more” and flip it over to Microsoft update.  This ensures that you will get updates for all of the products on the box not just the operating system.

    Distribution group issue on migrated groups

    This hit me today.  One of my old migrated distribution group lists wouldn’t work and when I went to edit them I got a ‘Validation Error This field cannot be empty’ when I tried to edit the members of the distribution groups.


    Found the solution in the SBS 2008 newsgroups:


    https://connect.microsoft.com/SBS08/community/discussion/richui/default.aspx


    1. Open adsiedit.msc and connect to the Default Naming Context.
    2. Expand Default naming context -> DC=domain,DC=local -> OU=MyBusiness -> OU=Distribution Groups.
    3. Find a group that was created post migration and view its properties. Look for msExchVersion = 4535486012416. (Verify if the number list matches this one or not. I suspect it will, but want you to be sure.)
    4. Now go view the properties of a migrated group and look for msExchVersion. It may not be there or it may be empty.
        – If it’s empty, set it to the value 4535486012416 or whatever the group you found in #3 was set to.
        – If msExchVersion is not there, you may have to click the Filter button and alter the settings to see if it’s not set to appear.
    5. Once you’ve set msExchVersion to the appropriate value, click OK out and then try your edits to the group.


    Sure enough, that was the fix.
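
A read-only way to find every group that needs the fix from steps 3 and 4, as an added example that is not part of the original post or the newsgroup answer. It assumes Windows PowerShell on a domain-joined machine and the OU path given in step 2; the variable names are this example's own, and it changes nothing in the directory.

```powershell
# Added example, not from the original post. Read-only audit of msExchVersion on the
# groups under OU=Distribution Groups,OU=MyBusiness (the OU path from step 2).

$root   = [ADSI]'LDAP://RootDSE'
$baseDn = "OU=Distribution Groups,OU=MyBusiness,$($root.defaultNamingContext)"

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$baseDn"
$searcher.Filter     = '(objectCategory=group)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add('name')
[void]$searcher.PropertiesToLoad.Add('msExchVersion')

# Collect each group's name and msExchVersion ($null when the attribute is not set).
$groups = foreach ($r in $searcher.FindAll()) {
    $v = $r.Properties['msexchversion']      # result property names are lower-case
    New-Object PSObject -Property @{
        Name          = [string]$r.Properties['name'][0]
        msExchVersion = if ($null -ne $v -and $v.Count -gt 0) { $v[0] } else { $null }
    }
}

# Step 3: the values carried by groups that already have the attribute.
'Values in use (Count, msExchVersion):'
$groups | Where-Object { $null -ne $_.msExchVersion } |
    Group-Object msExchVersion | ForEach-Object { '  {0,3}  {1}' -f $_.Count, $_.Name }

# Step 4: groups where the attribute is missing or empty, the candidates for the manual edit.
$missing = @($groups | Where-Object { $null -eq $_.msExchVersion })
"Groups with no msExchVersion: $($missing.Count)"
$missing | ForEach-Object { '  ' + $_.Name }
```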