
Month: November 2004

Happy Turkey Day!

Here in the US, the 4th Thursday of November is always our Thanksgiving holiday.  I had a great day with my family.  My immediate family alternates from year to year, one year we’re with Dad’s extended family, and the other year we’re with Mom’s.  This year we were with Mom’s family, and it was the first time in a few years that the entire family was together, including my aunt, uncle & cousins from Illinois.  We were especially thankful for our newest addition – a new cousin Gracyn who was born a month ago.  She’s the first baby we’ve had in the family for over 19 years, and my cousin Amanda is still pouting about losing her place as the baby of the family :^)   But seriously, this little girl is going to be so spoiled by her aunts, uncles & cousins that it isn’t funny . . .  :^)   I finally got a few photos with her.  There’s this one, this one, and finally my favorite . . .

I’m also thankful for the truly great people that I am so honored to be able to count among my friends.  They inspire me and amaze me all at the same time.  I’m thankful for the SBS community – the amazing people that make our community the gold standard . . .

So wherever you are, and even if you aren’t in the US – take a moment to count your blessings and convey thanks to those people in your life who make a difference.  As for me, I’m starting to make my Christmas list for Gracyn . . . sure she’s a newborn, but you can never start spoiling too soon . . .  :^)

I want to make a request . . .

Ok – so I’m on-site with a client today, and log in to an XP Pro SP2 workstation.  The login script fires off, and proceeds to update Trend’s OfficeScan module.  In order to do the update, the OfficeScan service is stopped which results in one of our Security Center balloon notifications saying that ‘Your computer might be at risk . . . ‘    Which got me thinking . . .  The SP2 team did a great job with the Security Center, keeping an eye on Patching / Firewall / Anti-Virus.  However, I’d like to turn it up a notch.  Specifically, I want another Security Center warning:

WARNING:  Your computer *is* at risk because you are running with elevated (Power User or Administrator) privileges.  Click here to understand why this is dangerous and how to correct this issue.

Furthermore, I think IE should be automatically set to high-security (just like our Win2k3 servers are by default) whenever anyone with Administrative privileges logs in. 

I’m so freakin fed up with all of the nasty stuff that is out in the wild – preying on the innocent.  The simple fact of the matter is that all of this stuff is virtually harmless if we’re running with least privilege.  Malware launched by a web site we visit is stopped in its tracks because our user account doesn’t have the necessary rights to install software.  If it can’t install – it can’t hijack our browsers, track our surfing habits, or throw pop-ups at us.  And I’m getting equally disgruntled at OEMs whose answer to every support call is to insert the recovery CD . . .

I want everyone to repeat after me:

*  I have a right to have a safe & secure online experience!
*  I have a right to take control over my PC!
*  I don’t have to suffer through dozens of SPAM messages daily!
*  Software vendors do NOT have the right to force me to subject myself to risk and accept lower security in order to use their product!
*  OEMs do not have the right to disregard my data and insist on a complete format & reinstall of the operating system before supporting their machine!

It is time we took back control of our computing experience – recapture it from the OEMs, the ISPs and the Software Vendors.  It is time we stand up, and fight back.  It is almost 2005 . . .  Judas – look how long the security model of Win2k / XP has been around – there is ABSOLUTELY NO REASON THAT SOFTWARE VENDORS SHOULD BE REQUIRING LOCAL ADMINISTRATOR RIGHTS AFTER THEY’VE HAD YEARS TO GET THIS RIGHT! 

And I’m sorry – but this is not a Microsoft problem.  This, unfortunately, is the evolution of the internet.  I don’t care if you’re running Windows, Mac OS X or some flavor of Linux – you’ve got security issues to patch for.  I don’t care if you’re browsing with IE, Firefox or Netscape – you have security issues to patch for.  I for one refuse to change my OS or my browser – because I will not let the perpetrators of these attacks (and yes, I believe malware and viruses are indeed attacks) dictate my computing environment.  Yes – I use Windows.  Yes – I use Internet Explorer.  I have never had a single virus on any of my machines.  With the exception of the occasional tracking cookie, I’ve never had any form of malware on any of my machines.  It can be done – and with surprisingly little effort.

So – I want to challenge everyone.  We’re a little over 5 weeks from 2005, but I want everyone to start thinking / acting on a New Year’s Resolution:  if you have clients who aren’t running least-privilege on their desktops, find out what applications need tweaked, and get those desktops down to least privilege.  Then take those applications and submit them to www.threatcode.com.  Educate your clients and users – explain that they have the power to take back control of their online experience.  We will not be intimidated, manipulated or scared into changing our operating systems or web browsers, or allowing 3rd parties to dictate our security levels!

Anyone up for some Office Automation?

Ok, I’m going to try to make this quick.  After I left the office this afternoon, I stopped to check out the new Best Buy that opened up close to home.  While I was there, I picked up Harry Potter and the Prisoner of Azkaban (great movie – but the book was WAY better.)  I want to watch it yet tonight, but I’ve gotten caught up in some email, and I want to get this post out since it’s been in my head all day.  So . . .

I’m going to go out on a limb here and say that Microsoft Office is probably one of the most under-valued application suites in the small business space.  Come on – just take a look at all of the functionality available under the hood.  You can do more with Office than most small businesses could ever imagine.  Let’s take Excel as an example.  We’ve all seen what most small businesses use Excel for – it can usually be boiled down to lists of some form (maybe for a mail merge), or using the built-in functionality in Peachtree or QuickBooks to dump a report to Excel and sort it differently.  You do have a few that may use some basic formulas to sum columns, etc. – but not much else.

There is SO MUCH we can do with Office that it isn’t even funny.  I myself am an Access junkie – and spend a lot of time messing around with VBA in both Access & Excel.  I’m working with one client where we’ve built some reports in Excel that save them so much time & effort it isn’t funny.  I’d normally do something like this in Access, but they had a previous solution that was using Excel, and that’s what everyone was used to.  They upgraded their accounting system, which required that the solution be recreated since the entire underlying data connections weren’t valid anymore (and the previous individual who created the original solution had key functionality embedded in XLAs that were locked down and inaccessible to edit – and he was long gone).  This particular client has extended the functionality of their accounting software by creating a Project Status Report (PSR) template.  Whenever they are awarded a job, they enter their itemized breakdown of cost & revenue estimates, and also list each subcontractor with the subcontractor’s contract amount.  The PSR also allows for Change Order information to be added.  One of the custom solutions we have pulls all of the job data out of the accounting solution and organizes it according to their job designations.  This results in a single Excel workbook with multiple worksheets – one for each job class (A Jobs, B Jobs, C Jobs, etc.), one for only the active jobs for each class (A Active, B Active, C Active, etc.), one for each Project Manager, and a summary sheet that provides statistics by Project Manager (total projects, % of total revenues, markup estimated, markup earned, etc.).  In addition, as this custom workbook is built, as it is processing each job from the accounting system, it looks to see if there is a PSR for that job.  If so, it opens the PSR and updates all of the individual line items (cost incurred to date), and updates the total billings from each subcontractor for that job.
If a subcontractor’s total billings exceed their contract amount, another workbook is opened which adds a worksheet for that subcontractor and builds a custom Account Ledger for all activity for that subcontractor / job, and adds the job, subcontractor, total contract amount, total billings amount and total overage amount to the summary sheet.  They have a lot of data, so it takes this about 7-8 minutes to run.  (70% of that is due to the lackluster performance of the ODBC driver for their accounting application).  When it is all said and done, they have up-to-date performance numbers for each of their Project Managers, PSRs give an exact picture of how a job is evolving, and the subcontractor workbook gives a single report of all subs who have overbilled their contract, as well as a custom ledger for each subcontractor showing exactly the information / activity our client wants to include to help their sub reconcile the discrepancy . . .   Cool huh?   And it’s all thanks to the built-in functionality of MS Office.

UPDATED! SBSers – Make sure you’re not wrongly listed as an Open Relay!

** Updated on 11/12/04  5:19 P.M. CST (GMT -6)
The original post is further down – this is the update.

I’m sorry.  Where’s the duct tape?  Because I need to seal a few outbound ports and keep from hurting myself :^)

Here’s the skinny:  Almost all of our clients are running Trend Micro’s C/S/M for SMB for their Anti-Spam solution – however this one client is a non-profit and already had Symantec Corporate A/V, so they went with SpamCatcher that they were able to get from TechSoup.  Well, SpamCatcher works a little differently than Trend’s Anti-Spam.  SpamCatcher doesn’t integrate directly with Exchange – instead, when it is running on the Exchange server, it has to be configured to listen on port 25, then Exchange is reconfigured to listen on port 26.  As a result, SpamCatcher receives the emails on 25, then delivers them to Exchange on 26.  SO – since this is an SBS, SpamCatcher & Exchange are running on the same box, so Exchange is receiving its emails from its own IP.  Since Exchange on SBS is configured by default to allow itself to relay, this in effect opened this Exchange server up as an Open Relay – even though it was otherwise properly configured.

This also means that this IS NOT an issue with njabl.org – it was an uncommon configuration on this one server.  My bad :^(    Go ahead and whip me, beat me, and send me to my room without supper . . .

SO – the moral of the story is that if you’re running any sort of Anti-Spam / Anti-Virus / Anti-whatever that works similarly (actually receiving your email, then resending to Exchange on a different port), then you are most likely going to be an Open Relay. 

The other moral of the story is to remember to think THEN blog . . .   :^)

** End update – original post follows:

I received an email today from a client where they forwarded an NDR that they received.  The NDR indicated that their message had been blocked because they were blacklisted.  The specific blacklist indicated was njabl.org.  I went to the njabl.org site and performed a search on the client’s (static) IP, and sure enough – a result was returned.  In addition, the result included a message header from an automated open relay test njabl.org performed on the client’s server.  And there, right in front of my eyes was a message header that clearly showed that this client’s SBS had received the email and relayed it.  Remember – in a default configuration, Exchange on SBS 2003 is NOT an open relay.  That’s about when panic started to set in . . .

So I remote’d in to the client’s SBS and verified the relay settings for their Default SMTP Virtual Server – and everything was set how it should be – it was restricted to allow relaying only from the following list, which included the IPs of the SBS (internal, loopback & external).  The option ‘Allow all computers which successfully authenticate to relay, regardless the list above’ was unchecked, and the Users / Groups permissions was configured only to allow Authenticated Users to submit.

Hmmm.   Next step was to take a look at my Message Tracking Center.  Sure enough, Exchange shows where it received the message and submitted it back to njabl.org.  What the #&%@ ?!?

I was getting ready to dig through my Exchange logs, when I took another look at the message header that njabl.org had displayed when I searched their database – and there it was, in plain sight.  The section of the header that showed where my SBS received their test message read:

Received: from rt.njabl.org ([]) by  with Microsoft SMTPSVC(6.0.3790.0);

Ok, remember where I said above that there were three IPs in the Allow list in the Default SMTP Virtual Server relay settings – the internal IP, loopback IP & external IP?  This is a default configuration, and perfectly normal and secure (usually).  Take a look at that header line again – does the IP for rt.njabl.org look familiar?  Yep – that’s the default internal IP for an SBS – and by default, our Exchange is configured to allow relaying via that IP.  So this client’s SBS relayed njabl.org’s test message, not because it was an Open Relay, but because it just so happened that their server used to send the test message is publicly advertising a private IP that happens to be allowed.

I emailed njabl.org about this, and requested that they reconfigure their sending server to advertise a public IP, as they will be getting false positives from our SBS boxes in a default configuration.

So – my recommendation for the time being is to do a search on njabl.org to verify that your SBS servers are not wrongly listed as Open Relays, and to edit your Default SMTP Virtual Server relay settings by removing the IPs from the allow list.  Under normal conditions, this will not affect your performance  / functionality at all, but will protect you from being wrongly listed as an Open Relay by njabl.org if they don’t change their current procedures.
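
The relay decision described in the update above, modelled as an added example (not code from this blog, Exchange or SpamCatcher). The IP addresses and domains are constructed sample values, `exchange_accepts` is a simplified stand-in for the SMTP virtual server's relay check, and the empty allow list corresponds to the edit recommended in the original post.

```python
# Added illustration: source-IP relay trust behind a same-host SMTP filter.
# A simplified model, not Exchange's or SpamCatcher's actual logic.
from dataclasses import dataclass

# Constructed sample values (documentation/private ranges), not from the post.
SERVER_IPS = frozenset({"192.0.2.10", "10.0.0.2", "127.0.0.1"})  # external, internal, loopback
LOCAL_DOMAINS = frozenset({"example.org"})
FILTER_SOURCE_IP = "10.0.0.2"  # assumption: the filter re-sends from the server's own address


@dataclass(frozen=True)
class Delivery:
    peer_ip: str  # address of the TCP peer as seen by the receiving SMTP service
    rcpt: str     # envelope recipient


def exchange_accepts(d: Delivery, relay_allow) -> bool:
    """Mail for a local domain is always accepted; anything else is a relay
    request and is honoured only if the peer IP is on the allow list."""
    domain = d.rcpt.rsplit("@", 1)[-1].lower()
    return domain in LOCAL_DOMAINS or d.peer_ip in relay_allow


def through_filter(d: Delivery) -> Delivery:
    """The filter accepts on port 25 and re-sends on port 26 from the same
    box, so the original peer address is replaced by the server's own."""
    return Delivery(peer_ip=FILTER_SOURCE_IP, rcpt=d.rcpt)


def is_open_relay(relay_allow, filtered: bool) -> bool:
    """Outside peer asking for delivery to an outside domain."""
    probe = Delivery(peer_ip="198.51.100.77", rcpt="probe@elsewhere.example")
    return exchange_accepts(through_filter(probe) if filtered else probe, relay_allow)


def inbound_still_delivered(relay_allow) -> bool:
    """Ordinary inbound mail for a local mailbox, arriving via the filter."""
    mail = Delivery(peer_ip="198.51.100.77", rcpt="user@example.org")
    return exchange_accepts(through_filter(mail), relay_allow)


if __name__ == "__main__":
    print("default list, direct  :", is_open_relay(SERVER_IPS, filtered=False))
    print("default list, filtered:", is_open_relay(SERVER_IPS, filtered=True))
    print("empty list, filtered  :", is_open_relay(frozenset(), filtered=True))
    print("inbound, empty list   :", inbound_still_delivered(frozenset()))
```
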

Dead Server Walking

Yesterday we got a call from a partner who sells / installs digital multi-function machines (those nice big copier / printer / scanner / fax units) who ran into a networking issue with a customer where he was trying to install a new unit and asked for assistance.  He claimed they had a Windows 2000 server and Win2k / XP workstations.  So I met him at this client, and proceeded to figure out why this one Win2k workstation wouldn’t see the network.  Well, I find that I can successfully ping the router, but I’m unable to browse the network.  I went back to the server to see if there was anything going on in the event logs.  Well, there was stuff going on – but nothing that would pertain to this issue.  So I grabbed the netbios name of the server while I was there, and went back to the problem PC to see if I had good name resolution.  I’m not sure why, but I opted to see if I could get to the server’s shares via  Run | \\<servername>  – well that worked.  Just as I was closing that window, I noticed a share on this Win2k Server that caught my eye:


As everyone knows – that’s the share for the ISA Firewall Client.  Now, looking at the shape of this LAN and only 6 PCs – I seriously doubted that they had splurged for ISA.  I went back to the server for a closer look – no SBS consoles or the like.  Then I opened the Add/Remove Programs snap-in and sure enough, there it was:  Microsoft Small Business Server.

Further investigation of the server & workstations revealed:

*  Two nics in the server – & – both plugged into the switch
*  All PCs configured with a static IP, using ISP’s DNS servers
*  No forwarders in DNS snap-in (hence ICW never ran)
*  Only 2 PCs actually joined to the domain – 4 others in workgroup
*  Total of 3 workgroups on the network – (Snap Server in its own?)
*  Snap Server not configured to use Windows domain authentication
*  All users accessing Snap Server via root credentials
*  Hodge-podge of A/V (whatever came on each PC – Norton here … McAfee there …)

And yes, it is a legal office  :^)      Luckily, we were able to step in just in time – someone had just about talked them into going with Merak Mail Server because   “Exchange is only for big corporations”   Wow . . . there’s a convincing argument . . .

Anyway – after a quick clean-up of some basic settings (like DNS), this looks like it is actually going to turn into a new SBS2k3 deployment in the next couple of weeks . . . I’ve gotta remember to buy Dan (the copier guy) a beer  :^)