Learning about GPOs

A newbie SBS’er wanted to know what documentation to read to deploy Group Policy. Here are the suggestions from Brandy Nee [MSFT]:

I suggest that you start with the “Implementing Common Desktop Management Scenarios with the Group Policy Management Console”.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx


This white paper is more basic for you to start with SBS 2K3 server. It includes coverage of Windows Server 2003 and the Group Policy Management Console (GPMC). I also found some additional information for you, please see:

Windows Server 2003 Group Policy
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Frequently Asked Questions About the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx

Administering Group Policy with the GPMC
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Also, I would install the SBS2003 update for enabling XP2 firewall via GPO in an SBS2003 network:
http://www.microsoft.com/downloads/details.aspx?FamilyID=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en


And here’s a four-part article that describes the new GPO features of Windows 2003:
http://www.enterpriseitplanet.com/security/features/article.php/2200561

2005-07-24 “Raindrops Keep Falling”

It’s summer time here in Florida … lots of hot, humid days, rain showers (usually right at rush hour), but bearable weather in the evenings. The afternoon showers are as predictable as the spam emails that arrive daily in our email boxes. So to all the spammers and phishers in the world … this week’s song goes out to you!

Raindrops Keep Falling on My Head
Spammers Keep Sending Me Their Junk
WAV: http://members.aol.com/Carouself/Wavs/RAINDROPS.MP3

Spammers keep sending me their junk
And just like the guy whose feet are too big for his bunk,
spammers are like punks
Those spammers keep mailing junk to me, they keep mailing
 
So I just did me some tweaking to my files.
And I said I didn’t like the way those spams were flagged,
making me so mad,
those spam mails are gonna get removed, and deleted
 
And there’s one thing I know:
The spams they send to meet me,
won’t defeat me,
It won’t be long till happiness steps up to greet me.
 
Spammers keep sending junk my way
but that doesn’t mean my e-mail box will soon be full
I’ve filtered out their bull
‘Cause I’m gonna stop those spammers now with my filters
Because I’m free.
Nothing’s worrying me.


Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”

2005-07-17 “Sloop John B”

Somehow, I missed doing a song of the week last week, and this weekend nearly got away from me again. Over the Fourth of July festivities, they had members of the Beach Boys performing at the US Capitol. So, here’s one of the songs that my children still love to sing:

 

Sloop John B

aka Sloop Bill Gates

 


 

We come on the sloop Bill Gates
My brand new server is great
Around Seattle town we did roam
Coding all night
Tryin’ to make it work right
Well I feel so broke up
I want to go home

So hoist up the Bill Gate’s sail
The service pack’s still in the mail
Call for the MVPs ashore
Let me go home, let me go home
I wanna go home, yeah yeah
Well I feel so broke up
I wanna go home

The first mate, Ballmer, got drunk
And broke into Bill Gate’s trunk
The constable had to come and take him away
Still running DOS at home
Why don’t you leave me alone, yeah yeah
Well I feel so broke up I wanna go home

So hoist up the Bill Gate’s sail
See how the hard drives hum
Call for the MVPs ashore
Let me go home, let me go home
I wanna go home, let me go home
Why don’t you let me go home
(Hoist up the Bill Gate’s sail)
Hoist up the Bill Gate
I feel so broke up I wanna go home
Let me go home


Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”

2005-07-02 “Tomorrow”

In the United States, we are celebrating our Independence Day – the 4th of July. One of my employees is British, and we were talking about the fact that Canada, Ireland, and even France (Bastille Day) have a similar type of day. But what about the British? Her response was that “everyone tries to break away from Britain … who’s Britain going to break away from?”.

Well, no matter your political or national persuasion, let’s enjoy this weekend, and pray that achieving peace in the world is more than a dream … ’cause remember, the sun will come out tomorrow … hey, what a grand idea for a song!

 

Tomorrow (from the musical, Annie)


The spam’ll come in, tomorrow,
Bet your bottom dollar, that tomorrow,
There’ll be spam,

Just thinkin’ about, the spyware,
Removing all that cr*p that causes sorrow,
till’ there’s none,

When I’m stuck with a day that’s full of pop-ups,
I just stick out my chin, and grin, and say,

Oh, the spam’ll come back tomorrow,
So you gotta’ hang on till’ tomorrow,
Come what may:

Tomorrow, tomorrow, they’ll come back tomorrow,
We’re only a spam away,


Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”

2005-06-26 “Singin’ in the Rain”

Summertime in Florida means picnics, baseball games, swimming pools, out of town relatives coming in for a visit, and afternoon showers. Somehow, I did all of that, plus some real work, all this past week!

Someone asked me the other day why I am always singing, and so happy. I tell them if you’ve got a minute, I’ll give you the short answer; but if you’ve got an hour I’ll give you the longer answer! Well, one of my all time favorite movie scenes is Gene Kelly singing “I’m Singin’ In the Rain”. If you’ve never seen the movie, go and rent it.

 

Singing In The Rain

aka Working Thru The Night

 



I’m working thru the night
Just working thru the night
What a horrible feelin’
My server ain’t right
I’m yelling out loud
So dark up above
My patches won’t load
And I’ve had just enough!

Let the stormy clouds chase
Every spam from this place
Come on with the fix
I’ve a frown on my face
I search thru the web
With no solution in sight
Just working, just working thru the night


Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”

Exchange 2003, ActiveSync and SSL – Oh, My!

So, a person has a SBS2k3 w/SP1 installed.  Exchange activesync works with SSL turned off via wireless synchronization locally and over the internet. The questions are:


1.)  What are the security related risks, if any, by not using SSL?

2.)  When I try to enable SSL I copy the cert over to the PPC and attempt to run it and it says cannot access certificate. I’m grabbing the cert from \\servername\clientapps\sbscert.  I did install the certificate component from add/remove programs.  Does this screw with it?  I was grabbing at straws trying to figure it out. I don’t know if it matters at all, but I can install a cert if I go to http:\\servername\certsrv and install a DES cert but not the other one.  I get an internet_45 error after that cert is installed.

If question 1 doesn’t lead to significant security risks question 2 becomes mostly moot, although I would like to figure out WHY it won’t install.
Thanks.


Jerry Zhao (MSFT) from Microsoft had the answer:


For the function of the SSL, you can refer to the following articles:

What is TLS/SSL?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ed5ae700-e05e-45ef-b536-45795dbb99a2.mspx
XADM: How Secure Sockets Layer Works
http://support.microsoft.com/default.aspx?scid=kb;en-us;245152

As for your question 2, from the Exchange 2003 viewpoint, the OMA/Server ActiveSync features don’t require certificates if you don’t plan to enable SSL for the HTTP connections for these mobile features. Also, in the mobile devices with PocketPC 2003 or later as OS, you can choose either using HTTPS or not using HTTPS when you try to use Exchange 2003 OMA/Server ActiveSync features. If you choose using HTTPS, you may have to obtain a certificate from a well-known third party CA or set up and issue your own certificate by using the Windows 2003 CA service, and then implement the certificate in your Exchange 2003 Server to enable SSL for OMA and Server ActiveSync.

NOTE: If you plan to set up Windows 2003 CA Service and issue your own certificate, it will not be trusted by your PPC mobile devices by default and you may want to use the following tool on your PPC devices to disable the SSL check:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en
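
Added example (not part of the original post or of Microsoft's reply): on question 1, with SSL off the ActiveSync and OMA requests, logon included, cross the network as plain HTTP, so a practical first check is which accounts are syncing that way. This sketch scans an IIS W3C extended log for mobile-sync requests on a non-SSL port; the log lines, the CONTOSO names and the assumption that 443 is the site's only SSL binding are constructed for illustration.

```python
# Added example: flag Exchange mobile-sync requests that arrived without SSL.
# The log lines below are constructed sample data in IIS W3C extended format.
from collections import defaultdict

# Virtual directories used by the Exchange 2003 mobile features.
MOBILE_PATHS = ("/microsoft-server-activesync", "/oma")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2005-07-20 13:02:11 203.0.113.7 CONTOSO\\alice 80 POST /Microsoft-Server-ActiveSync 200
2005-07-20 13:02:40 203.0.113.9 CONTOSO\\bob 443 POST /Microsoft-Server-ActiveSync 200
2005-07-20 13:05:02 192.168.16.23 - 80 GET /default.htm 200
2005-07-20 13:07:15 203.0.113.7 CONTOSO\\alice 80 OPTIONS /Microsoft-Server-ActiveSync 200
2005-07-20 13:09:55 198.51.100.4 carol 80 GET /oma 200
"""


def cleartext_mobile_sync(log_text):
    """Return {username: sorted client IPs} for mobile requests on a non-SSL port."""
    fields = []
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS can re-emit this directive mid-file; always use the latest one.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "").lower()
        if not path.startswith(MOBILE_PATHS):
            continue
        # Assumption: default ports, so 443 is the only SSL binding on this site.
        if row.get("s-port") != "443":
            hits[row.get("cs-username", "-")].add(row.get("c-ip", "?"))
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in cleartext_mobile_sync(SAMPLE_LOG).items():
        print(f"{user}: synced without SSL from {', '.join(ips)}")
```

Accounts that show up here have sent their logon over an unencrypted connection and are candidates for a password change once SSL is enforced on the mobile virtual directories.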

Treo 650 and SBS2003

Here’s my initial experience with setting up a Treo 650 to an SBS2003 server.


In all cases, I used the VersaMail utility software. Some vendors may automatically install VersaMail on their Treos, whereas others supply it on the CDROM and you must upload (install) VersaMail on your Treo.


I’ve configured and tested the Treo 650 both accessing Exchange server directly via Activesync, as well as using IMAP to pull email in. Using Activesync, the Treo automatically pulls in emails on a scheduled basis you select (5 min, 15 min, etc.). With IMAP, however, I kept getting errors when the prescheduled download of email would kick in. This happened with two different SBS2003 servers. But clicking ‘Get’ to manually pull down new email always works for me.


Exchange/Activesync Basic Settings:
1. Account name: Home
2. Mail Service: Exchange Active Sync
3. Username/password: my SBS username and password
(note: I did not have to add a leading “domain\“ to my username)
4. Email Address: my SBS public email address
5. Mail server: kwsupport.tzo.com


Advanced Settings:
6. Incoming port: 443
7. Use SSL is checked
8. Proxy Server: 80
9. Proxy authentication: unchecked


IMAP Settings:
1. Make sure you enable IMAP services on your SBS server
2. Account name: Home2
3. Mail Service: Other/IMAP
4. Username/password: my SBS username/password
5. Email address: my SBS public email address
6. Incoming mail server: kwsupport.tzo.com
7. Outgoing mail server: I used my ISP’s mail server (outgoing.verizon.net)


Advanced Settings:
8. Port #: 143
9. SSL was NOT selected
10. Outgoing Server Settings:
- Port 25
- Use Secure SSL connection
- Use authentication (enter username/password for your outgoing ISP )

Moving / Deleting SP1 uninstall directories

In the public newsgroup recently someone asked: I have 2 locations of what seem to be installation files for SP1 for our SBS 2003 server: c:\Windows\$NtService Pack Uninstall$ and c:\windows\Service Pack Files. Can they be deleted now? The update appears to have installed correctly. I need the space on that volume!


Our man on the spot in England (Steve Foster) had the clear, concise answer:


Yes, you can archive the %NTServicePackUninstall$ files off somewhere (these are only needed if you uninstall the service pack for any reason).

However, do not delete the ServicePackFiles folder, as it is needed since it acts as a supplementary install source for future system modifications (e.g. add RIS, Mac Services, etc). You can safely set the folder to be compressed by NTFS, though (mind you, it probably won’t compress much).