 | Site Updates in progress | | I'm currently working on a number of major updates to SBSfaq.com so please bear with me if things break. The first major upgrade will be a move from WSS 2.0 to WSS 3.0 and I've targetted this for the weekend of November 17 & 18. Thanks for your patience |
| Windows Home Server has RTM'd | | You may well have heard of Windows Home Server - it's the cool new server level product aimed at the home users and technical enthusiast. It was finalised and released to manufacturing on Friday and will be available over the coming months in various forms from a number of OEMs. I know that HP have some nice plans for this product. |
| Sharepoint MSNBC Webparts not updating | | I have installed the MSNBC Technology News webpart at a few sites and in the last few weeks I've noticed they the are no longer updating. At first I thought it was something that I had done and given it was not high priority I decided to leave it to later to investigate. Now I understand that it's by design and the webparts will soon be withdrawn altogether. MS have advised as such in the following KB. |
| RDP Test Page | | |
| Exchange 2007 on SBS 2003 | | Ok - I've had a few people ask me so here's the story. Exchange 2007 will not be running on SBS 2003. The SBS team are focused on the next release of SBS - code named "Cougar" and are not going to be doing any further improvements to SBS 2003 or SBS 2003 R2. Having said that, they will be releasing a minor update for SBS 2003 SP1 and SBS 2003 R2 to make Vista and Outlook 2007 work better with SBS. Therefore just like ISA 2006, you will need to wait until Cougar to get any improvements to SBS 2003. Some may say that's not fair, but hey - do you REALLY want the SBS team trying to keep plonking new stuff onto an old operating system (ie - Windows 2003 Server) - I mean - it's nearly 2007 now so it's 4 years old already! |
| Sharepoint Services v3.0 released along with SBS 2003 Whitepaper | | Microsoft have just released Windows Sharepoint Services v3.0 to the web for download. Along with it, the SBS team have released a whitepaper on how to install WSS v3.0 alongside the existing Companyweb so that you can begin to take advantage of the cool new improvements in WSS v3.0 today.
More information on WSS v3.0 here
WSS v3.0 can be downloaded direct from here
SBSfaq.com will be shortly upgrading to WSS v3.0 so stay tuned for more exciting improvements as we take sharepoint above and beyond the typical installation.
|
| IE 7 in the corporate environment - Sandi Hardmeier - IE MVP | | Wayne Note: Sandi prepared this article for me to help clarify some of the panic out there in the community about IE7 being released to the public via automatic distribution methods. Sandi's website www.ie-vista.com was the first site worldwide to have good information about IE 7 well before the launch of the product even in beta. Thanks Sandi.
Internet Explorer 7 was released with much fanfare on 18 October 2006 after a beta testing cycle lasting roughly 1 ½ years. In the first three days after the final version’s release it was downloaded over 4 million times.
I am encouraging home users to update to IE7 as soon as possible to take advantage of all of the security benefits that come along with it. The corporate environment, on the other hand, is a different beast. We all have line of business (LOB) applications that we cannot afford to break and Web sites that are essential to our business that must remain accessible.
Network administrators are understandably nervous about the fact that IE7 will be distributed via Automatic Update, WSUS and SMS2003. Rest assured, though, that IE7 WILL NOT INSTALL WITHOUT WSUS / SMS / SUS ADMIN OR USER CONSENT.
SBS 2003 R2, WSUS, SYSTEMS MANAGEMENT SERVER 2003 and SUS
There has been some confusion about what will happen when IE7 is released to WSUS because IE7 has been referred to as a “high priority” update when offered via Windows, Microsoft or Automatic Updates. This, of course, led to many administrators worrying that IE7 would be automatically approved and installed on SBS2003 R2 if WSUS had been left at its default settings. This is not the case.
IE7 is being released to WSUS/SUS/SMS as an "update rollup" therefore it is not auto-approved under default WSUS settings. The reference to “high priority” that has had some people very concerned refers to the update’s behaviour AFTER installation has been approved by the WSUS admin – that is, it will behave as a high priority update, but only after approval. The only way that IE7 will automatically be approved is if the WSUS admin has chosen to adjust WSUS’s settings to automatically approve update rollups.
Side note: IE7 will not be distributed via SUS 1.0 or SUS 1.0/SP1.
Automatic Update, Windows Update and Microsoft Update
IE7 will be offered to the user only if he or she has local administrator rights. If the user is running as a limited user he or she will NOT be offered IE7.
Also, IE7 will not download and install silently, even if the user has local admin rights and AU is set to download and install updates automatically. Instead, the user will see a large window advising that IE7 has been downloaded and is available to install. At this stage the user will be given three choices; install, don't install, or install later.
Internet Explorer 7 will be offered as a high-priority update if a local admin user has Automatic Updates enabled or if they perform a manual scan for updates using the “Express” install option on the Windows Update or Microsoft Update sites.
IE7 will also be offered as a recommended update to a local admin user who performs a manual update scan on the Windows Update and Microsoft Update sites using the “Custom” install option (this should be taken into consideration by corporations planning to use the Blocker Toolkit – see below).
If you are responsible for a corporate network and want to be sure that IE7 is not offered to your users as a High Priority Update via Automatic Updates, or via the “Express” install option on the Windows Update/Microsoft Update sites you can set a registry kill-bit as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0
“DoNotAllowIE70”
When the key value name is set to 0, or does not exist, distribution is not blocked.
When the key value name is set to 1, distribution is blocked.
A very easy way to roll out the registry script in an SBS environment would be to simply create a *.reg file and incorporate it into your users’ log-in script. Alternatively, you can use the Blocker Toolkit that has been released by MS. The Blocker Toolkit contains an executable blocker script and a Group Policy Administrative Template (.ADM file), and will prevent machines from receiving Internet Explorer 7 as a high-priority update via Automatic Updates and the “Express” install option on the Windows Update and Microsoft Update sites.
IMPORTANT NOTE: The Blocker Toolkit will not stop users who are local administrators from manually installing Internet Explorer 7, whether it be as an Recommended update from the Windows Update or Microsoft Update sites, by downloading it from the Microsoft Download Center, or by installing it via external media. Also, Internet Explorer 7 can still be deployed using SUS, WSUS, SMS, and other methods even if the blocking mechanism is activated.
The Blocker Toolkit can be downloaded from the following URL:
Additional languages
IE7 is now available in Finnish, French, German, Japanese and Spanish but will not appear in WSUS/SUS/SMS, Automatic, Windows or Microsoft Updates until a few weeks after this article goes live.
IE7 support
Microsoft will provide free, unlimited customer support for IE7 throughout the product lifecycle.
My Web site, www.ie-vista.com has been supporting IE7 users since July/August 2005 and contains comprehensive “how to” articles and screenshots, as well as a Knowledge Base and known issues, installation and troubleshooting advice.
|
| Which Antispyware is best | | Ok - so I guess your looking to see what is the best Antispyware product on the market. Some people know that I am a staunch TrendMicro advocate as I believe their products really do rock. This time however I am going to leave the answer to a very learned colleague of mine - Ms Sandi Hardmeier - she's an IE MVP who focuses particularly on the detection and prevention of spyware. She's recently blogged about it in response to a question asked in a forum I participate in. Hope this helps explain things better. http://msmvps.com/blogs/spywaresucks/archive/2006/09/26/141240.aspx |
| Today we make history! | | That's right - in just a few short hours, the SBS MVPs of Australia will make history by storming TechEd Australia, taking over one of the presentation rooms and presenting 5, count that FIVE sessions centered around SBS! It's a world first - seating capacity for the room is 125 people and we believe that we will fill it to overflowing. We start the day with me presenting SBS R2 - what's under the covers that makes you WANT to pay for it, then I present Jeff's TechEd session on DR with my own spin on it, followed by Dean and Stuart presenting on Sharepoint for SBS, then Dean presenting Mobility and last but not least, the great Henry Craven presenting all you wanted to know about Exchange DR on an SBS box but were afraid to ask. SMBNation has donated a number of books on SBS for prizes at the session. I've been given permission to video tape all sessions and will publish them on SBSfaq.com in the coming weeks! May the DemoGods smile down on us and our presentations run smooth. |
| ISA 2006 Releases to Manufacturing | | I've heard overnight that ISA 2006 has released to manufacturing this week. This is the next generation of MS true firewall software and I believe has some really cool features in it. However we in SBS land will not be getting it at all. I understand that MS have taken input and will not be doing anything about ISA 2006 until the Cougar release of SBS. This IS A GOOD THING! Personally I believe that MS should focus on getting development of Cougar done and include ISA 2006 in those plans rather than try to constantly update SBS 2003 with new bits as they come along. The exception here could have been the Windows R2 bits that are missing from SBS 2003. So - what does it mean to us - Nothing... nada...zip? If you happen to install it on SBS then youre in unsupported territory. Don't do it. Don't even think about it. Let's give the SBS team credit here too - they are focusing on bringing a new SBS version to market. Let's let them focus on that instead of asking "Why don't we get ISA 2006 in SBS 2003..." |
| SBS 2003 R2 - Stop ship and product recall | | Ok - today Microsoft announced that they would stop ship on the SBS 2003 R2 product media. They've discovered that the media contains some incorrect revisions of the code that is not the same as the final released code. Apparently it's the right time to do a stop ship as relatively few people have been affected by this so far. They will re-release the final code and media once more in the coming weeks. I am aware of some of the technical issues surrounding this and I'm currently running the incorrectly released code myself on a few servers. I've not noticed any ill side effects at this point, which makes me believe that the issues whilst significant enough for Microsoft to do a stop ship are not major show stoppers. Microsoft will release more information about the issue over the coming days and will ensure that any affected customers have a mechanism to get up to the proper code once released. Personally whilst I think this is a major oops on the part of Microsoft, I don't think it will really affect the product itself in the long run. The press have reported this story in a few places so far - links below. |
| Mobility on the radio | | Recently, a number of the SBS MVPs got together in Dallas, Texas for some training on SBS 2003 R2. On the Sunday prior to the training, Eric Neale - local Dallas SBS MVP and all round good guy, persuaded us to sit in a radio station recording studio and talk about a few of the things near and dear to our hearts. The first few recordings are now up for your listening pleasure - check the discussion we've had on mobility from a world wide perspective. http://www.eoncall.com/Broadcasts/eOnCallBusinessEdition/tabid/55/Default.aspx |
| SBS Community Survey - give MS your feedback now! | | The Small Business Server Product Team would like to hear from the SBS User Community. This direct anonymous survey of the SBS User Community is brought to you by the SBS Product Team. You are invited to participate in the Windows Small Business Server Community program on the Microsoft Connect Web site at http://connect.microsoft.com. This site has been set up to directly gather feedback anonymously from the SBS User Community. Your role in the SBS Community is important to Microsoft. Microsoft Connect enables you to connect with Microsoft developers, product managers, and other development team members to help make Microsoft products the best they can be. To accept this invitation and become a member of this program, please follow these steps: Use your Internet connection to visit the Web site at http://connect.microsoft.com. Click on "Invitations" on the left-side menu. You will need to sign in using a valid Passport and before you can continue to the "Invitations" page. Enter your Invitation ID in the blank. Your invitation ID is: COMM-GKXK-WJKV Click "Go." If you have not previously registered with Microsoft Connect, you may be required to register before continuing with the invitation process. This a light registration and we will not use any information that you provide to contact you later unless you tell us otherwise. Please follow the steps shown to you by that program to become an active participant. Once you complete the steps, you will be automatically approved. From that point forward you should be able to log into this site using your passport account and take any surveys that are available to you. Here is the link to the survey: SBS Community Survey. You will find this link on the main page of the http://connect.microsoft.com site under Small Business Server Community Site. |
| SBS2003 R2 now has Windows 2003 R2 features! | | Yes - you heard it team - Chris Phillips - GM for the Windows Server division announced today that SBS 2003 R2 will have the Windows 2003 R2 Storage Resource Manager as part of it's feature set.
In an Executive Chat today, Chris slipped in the announcement that SBS 2003 R2 would include some of the features of Windows 2003 R2. An extract of the chat below...
ChrisPhillips-MS (Expert):
Q: [22] Besides integrated WSUS, what is the feature upgrades of R2?
A: We have expanded mailbox store in Exchange up 75GB, SRM, expanded CAL rights, and in Premium, SQL 2005 Workgroup Edition.
Chris-MS (Expert):
Q: [113] Chris - you mentioned SRM is being added to SBS 2003 R2 - when did this change and what functionality will it give our clients?
A: In case some of the folks missed my answer about features in R2. A new one I mentioned is we put the SRM feature of WS03 R2 and added it to SBS R2. We evaluated the other WS03 R2 features and felt that the rest were not relevant enough for SBS R2. In addition to the SRM features of additional quota capability (directory quotas, data screening, and reporting), it also means that .Net 2.0 and MMC 3.0 (interesting for application developers) is available.
Wayne - so I guess that means that MS are listening to the community - originally SBS 2003 R2 was to be "built on Windows 2003 R2", but then Microsoft decided to change that as they didn't feel that SBS customers needed any of the features of Windows R2 - now I believe based on community feedback they have decided that yes indeed - we do need some of these features.
Thanks Microsoft - Thanks Chris for listening.
|
| TrendMicro release updates for leading SMB Antivirus/Antispyware packages | | Trend Micro today have announced the release of updates for their leading antivirus and antispyware packages for the SMB market.
Trend Client Server Suite for SMB and Client Server Messaging Suite for SMB have been upgraded to v3.0 Service Pack 1 - the service pack resolves a number of issues that have been experienced and reportedly increases the antispam capabilities of the software
Trend Antispyware for SMB is now at version 3.2 and incorporates a number of fixes to common issues.
And last but not least, Trend Interscan Viruswall for SMB v6.0 has been released. This is a new release of the package that scans web downloads, FTP downloads and SMTP email before it enters the network.
SBSfaq.com will shortly release guides for all of the above products that have been tried and tested on SBS 2003 networks. |
| UK SBSer saves business from closure. | | UK SBSer Susanne Dansey has been busy out there in the community making a difference to others. Check out the story on how Susanne saved a business from closure using SBS 2003.
|
| World Speed Record set for SBS Build | | Harry's just announced that back in November, Mark O'Shea and I set the world speed record for the build and deployment of an SBS network. Not only did we set the build record, we did it 5 times in 5 different locations around Australia all with different real world problems along the way. There is shortly to be a webcast of the Sydney event which was video taped.
The network included
- a HP ML350 server, with SBS 2003 Standard,
- setup of 5 users on the network,
- deployment of 1 PC complete with all applications installed,
- configuration and connection to the internet via a netgear firewall router,
- installation and configuration of WSUS,
- uploading content to WSUS,
- having the SBS server and PC registered and detected by WSUS
- sending email out to audience members mobile phones as proof that it was a real live demonstration
Overall it was a heap of fun - I blogged a little about the problems we had in the first few roadshows here http://msmvps.com/blogs/sbsfaq/archive/2005/11/11/75101.aspx
More to come on this shortly. |
| Microsoft improves WSUS to include SBS | | Microsoft this week has added an SBS specific category to WSUS that will allow it to deploy patches specifically for SBS 2003. This move comes after many requests from the community for Microsoft to make patching SBS 2003 easier and not just contain patches for the individual component products. The first two patches for SBS 2003 are focused on the POP3 connector. Both patches have been available for individual download from Microsoft for some time. Microsoft Update also now includes these patches to improve security and stability for SBS systems not using WSUS. The patches in question are KB 833992 and KB 835734. |
| Paypal Accepted | | Many people have asked along the way if they can make a donation to help say "Thanks" for the help that I've given over the years. Finally I put a donations button on the page for people that would like to say thank you. |
| SMBNation 2005 - Mobility Presentation | | Many people have asked about the presentation I gave yesterday at SMBNation in Seattle. They are putting it up on the website as we speak - but I thought I'd post it here.
Many thanks for all those people that attended the presentation and for the very positive feedback you've given me afterwards. I'd hope that next year we'll have more seats for you all |
| TechEd 2005 - Australia and New Zealand | | I'm presenting at TechEd in New Zealand and Australia this week, and in order to get people the links to some of the stuff I've talked about I'm posting it here. My presentation is all about SBS 2003 SP1 with ISA 2004 and how you can increase your clients security using ISA 2004 and a number of the improvements in SBS 2003 SP1. Once TechEd is over I will post the presentation here as well - but for you will have to be happy with the links. Windows 2003 Server SP1 hardening - some of this is pre-done in SBS2003 and you need to tweak it some more. Check out the Windows 2003 Security guide for more information http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
Windows XP SP2 is deployed by default with SBS 2003 SP1 and forces the XP firewall on with certain exclusions. These are specified in the group policy settings.
Exchange 2003 SP1 has some enhancements too particularly in the areas of SMTP Tar-Pitting
ISA 2004 SP1 has a number of things you can do to improve it’s performance and security
I’ll put together some more SBS specific documentation on these things as I get time (seemingly never at the moment – but that’s life).
I hope you’ve enjoyed the presentation and that you’ve picked up a tip or two on how to do things differently from what you may have done now.
|
| Longhorn becomes Windows Vista | | On Friday Microsoft formally announced the new name for the product formerly known as Longhorn. Windows Vista is the new name for the product destined for release in it's final form sometime in 2006. Beta 1 will be available for the public around August 3rd 2005. Microsoft has also released the tag line for the product "Bringing clarity to your world" which gives an insight into how they feel that the new product will help people deal with the information overload that is currently beset the average worker. Microsoft have also released the base website from which they will launch even more information - http://www.microsoft.com/windowsvista/default.mspx
Serveral sources have already begun to discuss the shortened name for Windows Vista as being WinVi. One wonders though - this is the 7th version of the Windows operating system that has been released. Is there a link between the VI being the roman number for 7? I'm sure that the conspiracy theorists will be having a fun time with this.
I'm looking forward to getting my hands on Windows Vista now so that I can put it through it's paces with SBS 2003 SP1 and see how it performs. |
| Higher Exchange limit for SBS2003 after Exchange 2003 SP2 is released | | Microsoft today announced that with the upcoming release of Service Pack 2 for Exchange 2003, that they will include a number of new improvements. The key one is the increase of the Exchange database store from 16GB to 75GB. This will carry through to SBS2003 as well. Now that's what I like - realistic limits.
Microsoft made this decision based on huge community feedback proving once more that they do indeed listen to what we all tell them. Thanks Microsoft. |
| SBS 2003 Service Pack 1 is released | | After much beta testing, Service Pack 1 for SBS 2003 has been released. Now this is NOT a service pack that you want to go out and install tomorrow. Instead it's one that you will want to plan for, do good backups and then apply. You won’t be able to apply it remotely either – therefore the need to visit the customer site and do it after-hours is going to slow down the rollout of this patch. In all you will need around 4 hours or so to put this bundle of patches together. I’ve been running it inhouse now for the past 2 weeks and it has resolved a number of issues that I’ve had some of which have been fixed by specific hotfixes. My servers that I’ve applied this to now seem to respond better and response is snappier than before – I guess that’s because of the performance improvements in Windows 2003 Service Pack 1 that’s a part of this.
You will need to enter your Product code from the yellow sticker into the website in order to validate that you are the owner of SBS2003 Premium
|
| SBS SP1 is almost here... | |
SBS SP1 will not auto deploy via Windows Update or Automatic Updates as it contains components including;
- Windows 2003 Service Pack 1
- Sharepoint Services Service Pack 1
- Exchange Server 2003 Service Pack 1
- SQL SP4 for the inbuilt instances of MSDE on SBS
Some of the components can not be patched via the current automatic update methods and as such you will want to get it and install it yourself in a controller manner.
For the SBS 2003 Premium customers, they will also get
- ISA Server 2004 with Service Pack 1
- SQL 2000 with Service Pack 4
SBS 2003 Premium customers will need to obtain the media kit in order to perform the upgrade to ISA 2004 with Service Pack 1 - MS will make available links as they come to hand.
On the client side of the equation, SBS SP1 will automatically deploy Windows XP SP2 to the client workstations, ActiveSync 3.8 and Office 2003 SP1 - so your workstations will be better patched than they may be right now.
There are a number of SBS 2003 specific patches in there too that affect things like the POP3 connector, SBS Backup, Group Policy for Firewall on XP SP2 and a few other minor issues.
You should start preparing for SBS SP1 by checking with your server manufacturer to see if there are any BIOS or Firmware upgrades required for the Windows 2003 SP1 components, with DELL there are known issues with their Openmanage product that will preclude you from installing SBS SP1 right away - they are addressing them and will release an update when available.
Stay tuned for more info on SBS SP1 as it comes to hand. |
| MS Issues more info on W2003 SP1 with SBS2003 - Must Read! | | Microsoft are responding quickly to the issue of people who want to apply W2003 SP1 to SBS2003. They and I still maintain that if you do not experience something that directly affects you right NOW then wait for the full SBS2003 SP1 due within the next 60 days.
If you MUST apply W2003 SP1 NOW then read the following document first so that your aware of the issues.
Thanks to the SBS Dev team for the fast action on this.
|
| Windows 2003 SP1 released - DO NOT APPLY TO SBS2003 | | The following was posted by Sean Daniel - one of the Program Managers on the SBS Development team.
There has been quite a few questions regarding Windows erver 2003 SP1 and it's support on Windows Small Business Server 2003: I hope this post will clear up any of the confusion here. If you have immediate questions, please feel free to follow up in the public Microsoft Newsgroup at: microsoft.public.windows.server.sbs I will attempt to answer your questions as best I can.
Windows Server 2003 SP1 is supported on Windows Small Business Server 2003, but there are some known integration issues that are resolved in the Small Business Server SP1
(available within the next 60 days). With the Windows Server SP1 installed, you may encounter the known issues and our recommendation is to:
a) Be patient with the issue and wait for Windows Small Business Server 2003 SP1
b) Un-install Windows Server 2003 SP1, and wait for Windows Small Business Server 2003 SP1, which includes Windows Server SP1
Furthermore, a KB Article will be written to further address these issues, I will post it to the public newsgroup when it is available.
In the mean time here is the short list of the known issues:
- Remote Access Wizard hangs when creating the connection manager package
- Small Business Server Change IP tool will fail
o Change IP tool will continue to fail after un-install of WS SP1
o Workaround: Remove WS SP1, disable DHCP, re-run CEICW
- Power Users retain SharePoint Administration privileges even after the role is changed to Reader
- Re-Install of Exchange fails
- Re-Install of Intranet component fails
- Fax Services won't start and the Fax Configuration Wizard cannot be run after un-installing Windows Server SP1
- DHCP service may not start after a restore
|
| Exchange Security Best Practices | | As part of our commitment to help customers improve and maintain security, Microsoft Product Support Services works to provide proactive information that can help customers implement best security practices. With the recent activity in mass mailer e-mail worms, we wanted to advise you of some Exchange security best practices that you can use to improve your security and availability. Specifically, we wanted to let you know of some best practices around:
- Configuring attachment blocking using Microsoft Outlook
- Excluding certain directories from file-level virus scanners
- Preparing for an Exchange disaster recovery
- Closing an open relay
Configuring Attachment Blocking Using Microsoft Outlook
An effective way that most mass mailer e-mail worms can be prevented is through the use of the Attachment Blocking capabilities in Microsoft Outlook. By default, Attachment Blocking in Microsoft Outlook blocks the
executable attachment types that most mass mailer e-mail worms use to propagate. Even those mass mailer e-mail worms that use attached .zip files can be blocked by adding .zip files to the blocked attachment types.
Outlook 2003, Outlook XP and Outlook 2000 SP2
By default, Microsoft Office Outlook 2003, Outlook 2002 in Microsoft Office XP, and Outlook 2000 SP2 provide an attachment security feature. This security feature is designed to increase the security protection for certain types of e-mail attachments. This feature provides explicit warning language when attachments are opened, and you have to save the attachment to the file system before opening it. This can help you avoid accidentally releasing viruses that hide in certain file types. While Microsoft does not recommend reducing e-mail client security levels, there may be instances when an organization wants to customize or remove the additional protections provided by Microsoft Outlook.
Best practice: You can modify default security settings for the Outlook 2003 client by using the Outlook Security template, which you install as a form in Outlook. To install this form, read the following Knowledge Base article:
Outlook 2000 SP1, Outlook 2000, Outlook 98 and Outlook 97
Microsoft Outlook® 2000 Service Pack 1 (SP1), Outlook 2000 without service packs, Outlook 98, and Outlook 97 do not have mechanisms to block attachments. If you are using one of these versions, virus and worm protection must be provided on the server running Exchange.
Best practice: Upgrade to Outlook 2000 Service Pack 2 (SP2) to protect the client or install the appropriate e-mail security update:
Exclude Certain Directories from File-level Virus Scanners
File-level scanners scan a file when it is used or at a scheduled interval and can lock or quarantine an Exchange log or database file while Exchange tries to use the file. This can cause a sever failure in Exchange Server 2003 and earlier versions and can also generate -1018 errors.
Best practice: Make sure that you exclude the following directories on all the drives. In Exchange 2003, exclude:
- Exchsrvr\MDBData
- SRS
In Exchange 2000 Server, exclude:
- Exchsrvr\MDBData
- SRS
Important: Do not scan the M: drive. File-level scanning of your M: drive can cause calendar items to disappear from users' folders.
In Exchange Server 5.5, exclude:
- Exchsrvr\MDBData
- DSAData
Preparing for an Exchange Disaster Recovery
When preparing for a Disaster Recovery situation, thinking through a few key questions will help guide you to the necessary steps. Do you need to recover data from a backup (private or public store) and have questions about how to setup the recovery environment or the restore itself? What do you need to setup for Active Directory® directory service and DNS? Do you need to have the same organization, administrator group, server, and store
names as the production environment?
Best practice: Test your backup files monthly and become familiar with the processes themselves. Should it ever become necessary to restore data to your production environment, your familiarity with the procedure will lessen the downtime of your servers.
Closing an Open Relay
The top causes for open relays with Exchange include:
- The SMTP service is live on the Internet and not enforcing authentication to relay.
- The SMTP server has accounts locally or is part of a domain that has poor passwords or no password at all.
Best practice: The following list of known accounts have the potential of being compromised and should either be disabled or should have a strong password. These accounts have been logged in past cases through the event viewer after turning up diagnostic logging. Remember, the passwords should never match the logon name.
- Webmaster
- Admin
- Root
- Test
- Master
- Web
- www
- administrator
- backup
- server
- data
- abc
- guest
These articles should help guide you to configuring and preventing your Microsoft Exchange Server from becoming an open relay and how to look for key clues in the future to ensure it doesn't relay.
If you have any questions regarding this alert, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
|
| MS 04-007 First wave exploit on the loose - more to come | | Ok - you were warned to patch those machines or unplug from the net - here's the first barrage and it's "only" a DoS attack. Watch out for variants http://isc.sans.org/diary.html If you didn't patch before then do it NOW! While you still can. |
| Remote Web Workplace - How it works Part 1 | | I've seen lots of questions on the SBS2K Yahoo list and other about how Remote Web Workplace works - Harry Brelsfords new book on SBS2003 has a whole chapter alone on RWW and its functionality. I've written basic paper on one of the most used aspects of it which is the ability to connect to your office based WinXP machine remotely via the RWW. You can download the paper here from our downloads section.
Also Microsoft will be holding a webcast later this week on the RWW. This is being presented by Ray Fong who is almost legendary in his support of SBS2003 - I had the chance to meet and spend time with Ray when in the USA last year and he really knows his stuff. 833983 - Support WebCast: An overview of Microsoft Windows Small Business Server 2003 Remote Web Workplace feature: http://support.microsoft.com/default.aspx?scid=kb;EN-US;833983 |
| Microsoft issues patch for Sharepoint Services / Companyweb bug | | |
| Sharepoint Installation Issues / Companyweb not working | | There has been a bug discovered in the installation routine for the Sharepoint Services portion of SBS2003 - all editions. This issue manifests itself by the failure of the Companyweb site to correctly install if the system is installed with a date after 24th November 2003. The immediate workaround is to set your date back to prior to November 24th 2003 and then complete the installation. Once installed you can set the date to the correct date without any major consequences. More information can be found from Microsoft at http://www.microsoft.com/windowsserver2003/sbs/techinfo/sharepointinstall.mspx |
| Mail Relaying - new ways they are getting through your security | | Traditionally we all configure our SMTP servers on Small Business Server to ensure that they are not open relay hosts that would allow spammers to router junk mail through our systems. And up until recently that has been sufficient to keep them away. The only problem is that now the spammers are fighting back and getting smarter with their nefarious little Spam utilities in an attempt to relay through our systems again. What follows is an investigation that I have been doing over the last week and also some suggestions on how to reduce your potential exposure to this new problem. The customer is running an SBS2000 server fully patched to current standards. The call came in from the customer that their remote sites (connected via VPN) were experiencing large numbers of dropouts and extremely slow performance since around lunchtime today. We connected in and sure enough the customers normally fast ISDN connection felt like a dead slow modem connection. We checked internet usage (via the ISPs website) and found it had increased in the last few hours - inbound and outbound usage had increased at the same time and by the same amount (give or take a few MB). We ran a netstat command netstat -an | find ":25" to check what was connected or trying to connect to us. This command shows just those items on port 25. The following is an extract of what it returned - I've masked the customers actual address with the xxx.xxx of course. TCP 203.48.xxx.xxx:25 218.70.140.162:3025 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3109 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3149 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3209 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3292 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3380 ESTABLISHED TCP 203.48.xxx.xxx:25 218.70.140.162:3418 ESTABLISHED TCP 203.48.xxx.xxx:13629 204.127.134.23:25 FIN_WAIT_2 TCP 203.48.xxx.xxx:13916 65.54.254.140:25 TIME_WAIT TCP 203.48.xxx.xxx:14022 207.126.97.23:25 ESTABLISHED TCP 203.48.xxx.xxx:14088 149.174.40.136:25 TIME_WAIT TCP 203.48.xxx.xxx:14403 216.144.3.10:25 TIME_WAIT TCP 203.48.xxx.xxx:14407 64.12.137.184:25 TIME_WAIT TCP 203.48.xxx.xxx:14623 216.148.227.126:25 TIME_WAIT TCP 203.48.xxx.xxx:15079 24.221.80.186:25 TIME_WAIT TCP 203.48.xxx.xxx:15091 212.227.126.152:25 TIME_WAIT So effectively this showed that the customer was being used as a potential relay host for spammers out there. We checked the Exchange SMTP service queues and there were around 22,000 emails in the process of going out! The first thing was to stop the SMTP service so that we could get some performance back and give us some room to move. We then put in place an ISA packet filter to block all inbound and outbound traffic to port 25 - that way we could start the SMTP service and review it's configuration. We checked it's configuration and it was configured to relay email only for authenticated users as per Microsoft recommendations. We reviewed and actioned MS KB 324958 which confirmed that we had not misconfigured the SMTP server service, the article also assisted with a very good process to flush out the mail queues. With the mail queues now empty, the question still remained - how did a supposedly correctly configured SMTP service relay mail? We turned to the security event logs which had been logging failed login attempts and found nothing of interest aside from a the occasional user that keyed in the wrong password. We then checked over our user accounts list and found that the guest account had been enabled - we thought for a moment that we had been compromised, but a call to the customer revealed that they had enabled the guest account themselves last week (without checking with us) as they thought it had to be enabled. So the spammer was actually authenticating with the SMTP server using the guest account. Ok so this was not good - we disabled the guest account and then removed the previously applied blocking packet filter to allow inbound and outbound mail once more. We continued to monitor the connection via the netstat command and soon found our spammer was trying to connect again - from a different IP though in the same subnet as the original, but this time he was not having much luck and no spam email flowed. He kept trying for a short time and then seemed to stop. We were cleaning up and about to disconnect when we noticed a large number of logon failures in the security logs. These failures showed that users with the names of administrator, admin, sysadmin, backup, master, data and the like were having password authentication failures - the attempts corresponded to the tries of our spammer!!! So the spammers were trying to authenticate now using a variety of accounts and password combinations - aside from the administrator account, the other accounts did not even exist in the customers domain. We disabled the SMTP Server services' ability to relay for anyone other than the internal IP subnet and external network card regardless of authentication - this step would prevent any future password style attacks on it's relay ability. The only downside was that some remote staff used the POP3/SMTP facilities with their Outlook Express clients - we reconfigured these guys to use VPN first so that the could still use this facility. I proceeded to review a number of our other customer sites' security event logs and found that the spammers had been probing a few sites (dependant on IP subnets) since early May for open relays, but only in early June did they start to try to use authentication in combination with a few basic account names in attempts at relaying. This was a worrying trend as even though we recommend strong passwords to all clients, it's not an easy thing for them to accept. This whole episode has reinforced the need to have strong passwords with all users and to set security logs to log failed login attempts at a minimum. I was discussing this with a Microsoft security person, who suggests that this may be a growing trend of the hackers working with the spammers to try to keep the spam email flowing - a very concerning situation. Any feedback or comments you have on this would be welcome - wayne@correct.com.au |
| Just what is the problem with Disaster Recovery on SBS2000? | | SBS2000 is built up Windows 2000 Server which includes NT Backup application that provides full support for backup of data, email and the key sections of an SBS2000 server. Under normal circumstances, this works well for the recovery of individual data files, System State restores, and the Exchange mail system management. However, Windows 2000 contains a flaw relavent in a disaster recovery scenario in which you need to perform Bare Metal Restore, essentially a recovery or migration of the entire server to a clean drive in a previously known good condition. Even with this perfect backup on hand, you may find yourself stuck and potentially not able to recover the server in it's original state, much less a fully functional state. A return to fully operational state may require the completed restore to be then followed by a full-reinstallation of SBS on top of the restored system, followed by full Service Pack and patch repairs. This potentially means recovery requires a long day, not the couple hours you might expect, and the resulting condition is not the known good condition, rather a repaired condition from corruption caused during the restore.
The specific issue involves Short Filename SFN restore mismatches, effectively breaking the SFN path reference stored in places like the registry, but which no long point correctly to the new SFN file reference location recreated on the drive during the restore process. This condition is predictable, but generally to complex manually resolve. The flawed results occur in any file by file restore application, not even the third party Intelligent Disaster Recovery options will be able to help unless they are based upon a virtual partition image of the entire hard drive structure. SBS MVP, Jeff Middleton is a highly respected Technical guru who has taken the time to document this problem, how to prove to yourself it occurs, and it's potential ramifications. Check it out to learn more about the hidden dangers of relying too heavily on this type of recovery. Jeffs white paper can be downloaded from the downloads section of this site. |
| Trend & Slow Performance on Win9x platforms | | Trend has announced that they have a major issue with their later versions of the OfficeScan client engine 6.510 and Windows 9x platforms with low amounts of RAM (ie 32MB or less). They made some improvements in the 6.510 engine that altered how it handled memory and it required up to 4 times the original RAM than the previous engine version. Trend have released publicly a fix for the issue which can be obtained at http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13805 The problem shows itself as EXTREMELY slow performance on the Win9x systems, eg 30 seconds for the Start bar to show after you press the Start button and excessive hard drive activity as the system tries to compensate for the lack of physical RAM. As matter of best practice it is suggested that this patch be applied to all Win9x sites to prevent issues for your clients. |