Download details: Windows Server 2003 Resource Kit Tools:
Robocopy.zip – Robust Copying Utility:
Real-World Scripting: Data Migration with Robocopy, Part 2:
Here is a great article from Thomas Shinder that compares ISA to other packet filter solutions. Thanks, Les for the tip!
Also, if you don’t even know how to spell ISA, then read Chad Gross’s ISA for Dummies article:
These comments come from Les:
This reply is a little more than you need, hope you don’t mind. But the answer is contained within ;-). I was hoping to clean it up a bit before posting (but that may never happen). It’s relevent to several recent posts.
Basically, I’ve been trying to get the best spam/antivirus protection I can with SBS2k3 OOB and Trend Micro CSM SMB – no other third party products.
If you don’t use CSM, then just ignore those parts. I have been experimenting with this configuration for a while, and am very pleased with the present result.
I believe I have this under control presently. Possibly at the expense of a few legit emails (but very few, if any).
Without any third party apps except Trend CSM – here is what I use.
a) Internet Message Format
Out of Office responses
Preserve sender’s display name on message.
b) Message Delivery > properties
Sender Filtering Tab
Filter messages with blank sender
Drop connection if address matches filter
Recipient Filtering Tab
Filter recipients who are not in the directory
c) Default SMTP Server
| General | Advanced | Edit (all unassigned)
Apply Sender Filter (although I have no filters presently)
Apply Recipient Filter
Apply Connection Filter (although I have none of these either, presently)
Send copy of NDR reports is blank.
2. Trend Scanmail eManager
Notifications Button: None
Approved Senders Button: I have had to add a few to the list, but not many –
mostly list subscriptions.
Blocked Senders Button: None – useless against a reasonably competent
b) Content Filter
Anti-spam, hoaxes, chainmail, and Melissa Virus enabled.
The other items will do a *lot* of blocking – too much when your threshold
is set to high.
The automatic updates don’t work. No reason, no error. But the Update button does. I’ve been meaning to take this up with Trend, but haven’t yet looked into it. There are reasonably frequent updates, and they do make a difference. I update whenever I think of it, generally at least monthly.
d) Log Files
Log files are daily, set to delete after 30 days. The reporting is useful here, especially for initial tuning.
Attachment Blocking is *not* enabled in Scanmail, but it is in Exchange. I think you want to go with one or the other, not both. I may turn off attachment blocking in Exchange, and instead do it in Scanmail as there are more options in scanmail.
Virus actions are set to delete, delete, delete, delete.
b) Active Message Filter
Filter Inbound Messages *see Outlook section for a note.
virus scan – windows event log only
outbreak alert – email me, and event log.
attachment blocking – windows event log.
d) Quarantine Manager
This is where you go to check on the blocked items, including eManager spam blocked mail. You spend some time here initially tuning things for your environment.
Quarantine Maintenance is set to delete at 7 days. Works well.
Junk Mail was identifying about 50% of what got through to the mailbox with Scanmail Filter Inbound turned OFF, and the old junk mail pattern file (or whatever they call it)
A new junk mail pattern file was released (office update) not long ago, I installed it a few days ago. This has caught 100 % of what got through to the mailbox, no false positives thus far.
With the Scanmail Filter Inbound turned ON, you can even keep your junk mail folder almost empty by letting Scanmail handle attachment blocking instead of Exchange. Much of the junk mail that does get through has attachments, mostly replaced by either Exchange (blocked att. type) or Scanmail (virus). With scanmail doing attachment blocking, you can elect to kill these before
they come to the mail store.
Notes: (these are out of date, and system specific – just examples – YMMV).
In the past 48 hours, my inbox has been 100% clean of junk. Junk Mail folder has about 100 that made it through the Exchange, Emanager, and Scanmail filters. (this is with Scanmail Filter Inbound Off)
**** New info – with the Scanmail Filter Inbound *on*, junk mail has been reduced to about 10 per 24 hours. I’ve been checking the blocked emails in Scanmail console, and have been pleasantly surprised at the lack of false positives.
The exchange server has about 25 mailboxes, there are 3 or 4 heavy email users, and about 10 very heavily spammed addresses.
eManager filtered out 392 emails.
Scanmail scanned 1341 emails, 19 had viruses and were deleted.
Presently, I’m happy with the tools I have ;-).
Les Connor [SBS MVP]
SBS Rocks !
Thanks to Chad Gross for this!
Assigning the Firewall Client to client PCs via Group Policies is pretty simple & straight-forward with SBS2k3:
1) Open Start | Administrative Tools | Group Policy Management
2) Expand Forest | Domains | <yourdomain> | My Business | Computers
3) Highlight SBSComputers
4) Click on Action | Create and Link a GPO here
5) Name your new GPO (e.g. ‘Microsoft Firewall Client Installation Policy’)
6) Your new GPO should now appear in the right-hand pane of the management console. Right-click on the GPO and select ‘Edit’
7) Expand Computer Configuration | Software Settings | Software Installation
8) Action | New | Package
9) Enter the UNC path to the firewall client installer file
(\\<servername>\mspclnt\ms_fwc.msi by default)
10) Select ‘Assigned’ as the deployment method & click OK.
11) Close the Group Policy Editor console
12) Back in the Group Policy Management Console, right-click on your GPO and select ‘Enforced’
That’s it – your GPO for deploying the Firewall Client is now in place. As for when this change takes place, this depends . . .
If you create & enforce this GPO before joining workstations to the domain, this GPO will be part of the overall group policies that the workstation receives upon joining the domain.
If you create & enforce this GPO after clients have been joined to the domain, you have two options:
1) touch each PC to manually update the Group Policies by running gpupdate /force at the
2) By default, group policies are updated every 90 minutes – so you could wait for the backgroup update to refresh the policy.
3) Reboot the machine which will update the Group Policies.
The interesting thing to remember is that when you assign an application to a Computer, the software installation actually occurs at startup before you get a logon banner. Therefore, if you create & enforce this GPO after PCs have been joined to the domain, the PCs will still have to be rebooted for the firewall client to actually be installed. As a result, to make this installation as truly efficient as possible, I create & enforce this GPO before joining PCs to the domain. This minimizes the number of reboots that have to occur when configuring client PCs.
Another little trick re: minimizing Administrator requirements at each PC – with SBS2k3, when the firewall client is installed, it configures IE to use ISA as it’s proxy. Only problem is that it only does this for the user profile that installs the firewall client. (And with a GPO install assigned to the Computer, no user gets this configured). Naturally, this means that IE needs to be configured for each user that logs into the PC. Ugh, right?
Not quite :^)
1. On your SBS, navigate to C:\Program Files\Microsoft Windows Small Business Server\ClientSetup\Clients\Setup.
2. Open the install.ins file with notepad.
3. Find the [Proxy] section and edit it so that it looks like:
4. Save the file. The next time any user logs in to any PC, their IE will be properly configured to use ISA as a proxy. This is something else that is very beneficial if you do it early during your server configuration (and before you have users asking why they can’t get out to the internet :^)
Q: I have uninstalled ISA server from the SBS2003 Premium, from Control Panel > Add/Remove software. Now the LAN NIC is disabled and the DHCP won’t work. How should I complete the uninstallation and what should I do to get a SBS without ISA?
A: Just re-run your Configure Internet Access Wizard from the Server Management console.
Q: Is there an easy way to block the messenger services (especially msn messenger) at say the SBS2003 server level (ie so no client computers can connect)?
A: You can handle that by a GP and the options within the Group Policy to
either allow Messenger to work or even load as far as that goes.
Open Server Management and then Drill down to Advanced Management and then Group Policy Management and then Domains and then Your Domain Name and then Group Policy
Objects and then right click on Small Business Server Client Computer and
This will open the Policy Editor and under Computer Configuration and then Windows Components and then Windows Messenger you have 2 options there to turn off Messenger for running and or loading initially.
Also in this Policy there is a place to not allow certain Applications to run. Just add the exe for Yahoo here and this will block that from running also. This works on 2000 Pro Workstations and above.
A user accidentally deleted the Firewall Client fromt he list of apps to be installed. These instructions are from SBS2003 Premiuminstallsteps.htm from the Premium Technologies CD:
To add Firewall Client for deployment to client computers
1. Click Start, and then click Server Management.
2. In the console tree, double-click Client Computers, and then in the details pane, click Set Up Client Applications.
3. On the Available applications page, click Add. The Application Information dialog box appears.
4. In the Application Name box, type Firewall Client, and then type or browse to \\Servername\Mspclnt\Setup.exe.
5. Follow the instructions to complete the wizard.
6. When prompted to assign the new application to client computers, click Yes. The Assign Applications Wizard appears.
7. Follow the instructions to complete the wizard.
Note: The Set Up Client Applications Wizard only works with client computers running Windows 2000 Professional and Windows XP Professional. If you have a client computer running a different operating system, you must connect to the share manually from the client computer. At the client computer, click
Start, click Run, and then type \\Servername\Mspclnt\Setup.exe.
To check the name of your server, click Start, right-click My Computer, and then click Properties. The computer name is the first label before the
period listed in the Full computer name, for example, servername.smallbusiness.local.