What happens behind the scenes when using the Microsoft Support Diagnostic Tool

What happens behind the scenes when using the Microsoft Support Diagnostic Tool – The Official SBS Blog – Site Home – TechNet Blogs:

I want that.

I want to open a support case just for that.

Have you ever opened up the cab files of the Microsoft diagnostic tools and looked around as to what can be gleaned from their tools?  The next time you have a support case and get that tool to be run on your system, save a copy locally and open up the resulting .cab file. 

Wallow in the information you can glean from that. 

Ask yourself if YOU look for all of those things when you review a server.


The .net out of band is up on Microsoft update/Windows Update.

The .net out of band is up on Microsoft update/Windows Update.
 For desktops this is not a risk.  You do not run a web server.
You can have as many as three updates offered up to you on your Windows XP.

For SBS 2003 servers you will need three updates (ugh) and it will need 
a reboot.

For workstations there is no need to rush to update.  In fact this is 
one of those things that you may just want to hide the patch (especially 
since we all LOVE to update .net on our desktops.

For servers, I honestly do not think this is a rush to the server and 
patch now kind of issue for Small Business Servers.  We're smaller 
targets at less risk for this attack.  Definitely test first.

Should I be concerned?

Should I be concerned about this vulnerability if I don’t store any sensitive information in my viewstate?

“Yes you should.  There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file.  You should apply the workaround to block the padding oracle attack in its initial stage of the attack.  The security update will fix this vulnerability.”

I know, I know…. Geeze shut up Susan and patch already if you are that worried about this.

Sorry but I want to understand here.

Yoda has config info in some of his config files up on the server.  You open them up in notepad and bingo, there’s the authentication information for stuff on the server.  (Guess I shouldn’t admit that huh?)  But he’s been patched already.

So I haven’t looked at EVERY web config file on the SBS 2008 or SBS 2003 mind you, but of the ones I browsed through, I’m not seeing anything sensitive.  Both RWW on sbs 2003 and sbs 2008 (and obviously Home server) uses Viewstate…but…. passwords aren’t saved.

As others have said, the Microsoft guidance too often focuses on the patch and not the risk of the patching. 

More discussion here to explode your brain tonight – http://www.troyhunt..com/2010/09/fear-uncertainty-and-and-padding-oracle.html

Before Microsoft was all in for the cloud, Karl wrote the book on it.

Before Microsoft was all in for the cloud, Karl wrote the book on it.

And if you don’t jump on this now you’ll price for gaining that knowledge will go up too!

Check out Karl’s blog (that you should have ready already anyway and if you didn’t add it to your RSS reader now) and sign up for his pre day training before Friday!

Small Biz Thoughts by Karl Palachuk: Walking Into the Cloud – Prices Go Up Friday!:

This is your chance to get that base of information regarding positioning yourself for the era of some full on premises, some Aurorafied.

Update Rollup 1 for Exchange Server 2007 Service Pack 3 (KB2279665)

*Update Rollup 1 for Exchange Server 2007 Service Pack 3 (KB2279665)* 
This update rollup resolves problems that were found in Exchange Server 
2007 Service Pack 3 (SP3) since Exchange Server 2007 SP3 was released 
and replaces previously released update rollups for Exchange Server 2007 

Sync'd up on WSUS tonight but does not include the remote file access in 
OWA fix that was broken in SP3.

That fix will be in update rollup 2.
So if you depend on remote file access via OWA don't install SP3 yet.  Remember that SP3 is not offered up on WSUS.

Yo, set up your proofs

Go here:


Now that you are there, set up your “proofs”… you know … your proofs… what you need to prove you are who you are so you can easily and quickly gain your liveID back

Add your email, your mobile phone and hook it to your trusted PC.


And while there…tell a friend…

Small Business Server 7 Overview Interview:

Small Business Server 7 Overview Interview:
Bjorn Levidow, Group Program Manager for SBS, tells us about some of the new enhancements in the next version of Windows Small Business Server 2008 (SBS 2008), currently called “SBS 7” for short. You can download the SBS 7 Preview by going to this Connect site

My take on the out of band .NET patch and what you should be doing

Upcoming Patch Watch update » Windows Secrets Lounge:

My take…don’t panic, test… wait for the MU deployment.


We underestimated the importance of BCM to our small business customers

Outlook 2010 with Business Contact Manager: You Spoke, We Listened – Business Contact Manager Team Blog – Site Home – MSDN Blogs:

“When we made this decision, we underestimated the importance of BCM to our small business customers and those who purchased previous versions of Office in retail stores or pre-installed on PCs. “

Proving that we don’t buy Office through VL

Consider allowing unique Office 2010 rights to SBSv7 | Microsoft Connect:

Which is what my bug in the SBSv7 beta is all about.  Be realistic about how we buy software.  We don’t buy it via VL. 

A little Indian?


All of us that use Intel processors use a Little Endian in our byte order.  No that’s not Indian, that’s Endian.  As in processing numbers from the Little end or big end. 

This standardization of process ensures that every computer can process things in the same fashion.  We all start “eating ” our data from the same small end in the Intel processor chip world.


Which amazingly enough we owe the term “endian” to a Swift novel, eggs and a computer geek.