[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] September 2005 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"

September 2005 - Posts

On a couple of listserves, WSUS, and Focus on MS, I've seen some folks talk about how their first indication that Office 2003 SP2 had been released was when their workstations popped up with a “you have patches to install” icon.

Hands down the Security folks have the SD3+C nailed... Secure by Design, Secure by Default, Secure in Deployment and Communication. The Security patches are communicated to us ahead of time, and we know what code is installing on our box.

But if you want us admins to 'trust' enabling autoupdate on our workstations, you HAVE to inform us that you are going to be releasing Service Packs that will be coming down on Microsoft Update.  Yes, I know it's not a security bulletin and thus not your communication responsibility, but go whack the Service Pack team upside the head; they should be communicating better.

If you want me to enable auto updates, then let me know what's coming down on my box.  I should not use the “updates are being downloaded icon” to be my communication vehicle for such things. 

Gentlemen, I want an RSS feed of any bits that hit my machines.  As an admin, I've been asking for an email notification for Security patches for many years now.  I've upgraded my request... these days I want an RSS feed.  But the bottom line is, I'm not the only one who was blindsided by that SP coming out.  And as I'm the controller of my network at the office, I don't want to have to use my laptop where AU is enabled as my “what new code is going to be offered to me” indicator.

There's a SBA [small business accounting 2006] blog!

http://sba2006.blogspot.com

One of the things that I said needed fixing in SBA 2006 is now fixed... Suckage.  SBA needed to... had to... pull over ALL transactions from QuickBooks.  The original version did not.  They've just released the update that allows a 100% pull of transactions from QuickBooks to SBA.

This download provides the update to Microsoft Office Small Business Accounting 2006 to enable import of transactions from Intuit QuickBooks.

Someone said that it wasn't CPAs that would drive SBA...but rather the customers.  So true... your customer will buy it and you'll need to learn it.  I'd sign up for the MPAN program to get a head start..

And since this is my laptop, and I'm on the road, I'm probably going to say “wait” and install later.

Office 2003 Service Pack 2 provides the latest updates to Microsoft Office 2003.

Now I should 'fess up... and fix up... the fact that I was running... oh sorry Dana... local admin again because I needed to adjust network connections so Steve and I could share my Aircard connection on the road.  And RunAs just wasn't working.  We wonder if it was because I have a blank admin password.  Now why would I do that, you say?  For one... I put this laptop in my backpack and it goes with me everywhere, so I ensure I have physical security of it; secondly, a blank admin password means that the Admin account cannot be accessed over the network.

So Dana... I'm flipping myself back to restricted user since today is registration day at the Summit.

From the mailbag today...

For what it's worth, the KB announcing WSS SP2 does NOT include SBS2003 in the 'Supported Operating Systems' list and when I ran MU on my SBS box, WSS SP2 did NOT show up in the list of available updates. Then again, SP1 does not explicitly specify SBS, either. Still... based on that, SP2 is not getting installed until a SBSized version shows up, or until many other people have successful installs!

 

First off... you won't find 'generic' service packs that explicitly say they support SBS when we are merely the sum of our parts.  If you are expecting any patch for Windows 2003 to say “SBS”, you will have a long wait.  Any patch/service pack that goes on 'normal' Windows 2003 goes on SBS.  Flat out, don't expect a KB or patch to explicitly state SBS unless it's “ONLY” for SBS.

 

Next, I'll have to check the MU on my own box, but you 'can' install it manually you know.  We will be installing it later on our own machines.

 

Lastly, the SBS Dev team pinged us today to say that this patch has in fact been tested and approved on SBS boxes.

 

Bottom line, unless it is EXPLICITLY stated in the KB that it 'can't' go on SBS, it's approved on our boxes.

 

Update... got a ping that this SharePoint SP2 “will” be on MU/WU... just a bit later on.  It just happens to be only on the download site for the time being.  So, for now it's on the Download Center but will be on WU/MU in the future.

 

Again, this IS fully supported on SBS boxes.

I got a ping today and in the email this was included....

“My biggest concern is that the last 3 calls to Microsoft's Business Down Critical Support have yielded no help whatsoever and the communication issues have been a huge issue as well.  Our techs don't even want to call support any more as a result, and I want to pass this concern on to someone who can make sure it is heard”

Ouch... that hurts... and something that is a real shame to hear.  If you don't like what you are seeing, give feedback... it's the only way things will change and get better.

If you are... boy do we have an offer for you!  Level Platforms and Microsoft have teamed up with a cool offer!!

Check it out!

Steve Foster did the [hack] fix for the backup script and the link is specifically here.

You need to sign up at sbs2k-subscribe@yahoogroups.com, log in, set up a profile, and download the adjusted script/hack there.

 

Bill reminds us that Windows SharePoint Services SP2 has been released.

Now, keep in mind that ANY service pack for our parts is perfectly fine to put on a SBS box, but I personally am not at home and I won't be testing this yet.

We do have some special customizations for SharePoint, so if you'd rather one of us crazies in the newsgroup installed it first and triple checked that there are no issues with this SP2 on our SBS boxes, I would say you are a wise person.

Installing patches on SBS boxes is only fun for me, the wacko SBS patcher.  It's really NOT fun at all if a patch affects the system, even if it's a minor annoyance.  It breaks the confidence of the client in your ability to be their outsourced CIO.  I know many consultants who, if they are traveling or busy with other projects, will wait on service packs like this one.

If you've set up WSUS to pull down service packs and auto apply them, you are indeed a 'bleeding edger'.  Just remember that those of us who are more into control don't set up our servers to auto patch anything.

P.S.  I have no idea what will happen if you install SharePoint SP2 and then attempt to install the SBS 2003 SP1 bundle.

 

Met a lovely Australian couple on their way to see their daughter in Canada.

Met Ben's mother [fellow MVP]

Met a husband and wife from the States tonight, and each time I'm sure I bored them with geek talk of “Patch Tuesday”.  But that's six folks that now know that on the second Tuesday of the month they should expect a patch from Microsoft.

Talking with travelers reminds me that it does need to get easier to operate a computer... it's still way too geeky.

On the train eating lunch and of course I get into my “bore the other people at the table by talking geek talk” aka patching, security issues and what not.... and we start trying to describe what we are and why we're going to Seattle and the lady across the table starts saying that her son was going to be up in Redmond starting Wednesday.

She says he doesn't work at Microsoft, but he does a lot with Digital Media and helps online.... hmmmm, we start to think....

Steve and I look at each other and say “will he be there Wednesday through Saturday?”  Yes.  We look at each other even more..... “What's his name?”

Ben Waggoner, Microsoft MVP for digital media... Steve Foster and I had lunch with your Mum on the Amtrak to Seattle... hope to meet you in person!

Wouldn't it be funny if he ends up in the same hotel as we do?

 

We walked into the “other” store in San Francisco.  The Apple store.  And while one could argue for the tack that Microsoft has taken with its 'open' platform that allows anyone to upgrade and build on Windows, man, could Microsoft take a page or two or three or four out of Apple's marketing playbook.

Young, hip.  With a presentation section that had a young woman talking about 'using' the Mac, to the “Genius Bar” that allowed you to book expertise to help you migrate data from one Mac to another Mac or... uh... migrate from a PC to a Mac.

And with displays that are pleasing, uncluttered... not like the glaring, noisy, jarring Best Buy with the absolute information overload of varieties of personal computers and laptops.

Designs of systems that are just clean and stylish.  Don't tell Steve Foster this, but it even challenges his Acer Ferrari laptop for a coolness award.

Training ...education...not just shoving stuff and warranties at you with blaring rock music in the background.

Mac, I have to give you guys hands down credit.... in the marketing and buzz department you kick.... you majorly kick.

Sitting in the Emeryville train station waiting for the 10:12 Amtrak from Emeryville to Seattle... and Steve Foster and I are sharing out the Sony Ericsson Aircard through my laptop connection.  So the two of us are sitting here... me blogging, him IMing to folks who are asking Steve why in the world he is taking the train when he could drive or fly there faster... well, mainly because I asked him to.

I find that train travel is very relaxing and some of the routes even have WiFi...and well.. with the Aircard, we're sort of bringing our own.

Now if we could just figure out how to do streaming video of the season premiere of Desperate Housewives we'd be all set......

So sitting outside the Metreon in San Francisco where they have a wireless network..... and here's what I had to agree with....

Acceptable Use Policy

This document provides a general description of this hot spot's policy on the Acceptable Use of this wireless public network.

Activities that adversely affect the ability of other people or systems to use this wireless network or the Internet are prohibited, including launching of denial of service attacks from your computer. Users of this wireless network shall not knowingly collect or solicit personal information from a minor or use this Service to harm a minor. A minor is defined as any person under the age of 18 years old.

Security Information and Liability Disclaimer

THIS SERVICE PROVIDER provides public wireless access to the internet.  Public wireless services are not inherently secure. Computer viruses, worms and other programs can damage the user's computer. Hackers may attempt to penetrate the user's computer and download information from the user's computer. Unprotected access to files on user's computer may be visible to hackers. Communications can be intercepted by equipment and software designed for that purpose. This network does not use WEP encryption. Operator of this hot spot strongly recommends that users of this wireless network take measures to ensure the security of their wireless connections, such as VPNs, encryption and personal firewalls.

This is a public wireless network. By connecting, you may be exposing yourself to privacy invasion, viruses, or other malicious programs. You are solely responsible for protecting your privacy and equipment from such programs and attacks. Metreon is not liable for damages arising from the public nature of the network.

Super G and Steve F and I were laughing ...who protects us from the minors?

Walking along the streets of San Francisco and seeing the Internet cafés always brings up the issue of security and keystroke loggers.  Steve Foster suggested that you turn on the accessibility keyboard so that you aren't 'typing' in your password but using the mouse to enter your password instead of keystrokes.

I never thought of that one....

In my office, our policy is to not use Internet kiosks for access back to the corporate network.

<btw I titled this wireless first and I renamed it Internet access as wireless had nothing to do with the post... too much wind in the brain hanging off the edge of the Cable Car... what can I say>

Geek clothes....

...more geek clothes....

... Blogging T Shirt.....

Power cords......

Cell phone power.... [and btw you would think that a cigarette lighter charger that's supposed to be mini USB would fit my Audiovox, but it didn't, and Steve and I were in Yosemite today with my dead cell phone... cut off... no email... no IM... no... oh yeah, we were taking the day off, weren't we?]

Check the weather report ......

Get maps to San Francisco and Frys....

Print out PDF with full detailed info on where we 'think' we will be.

I know I'm going to forget something....

oh..yeah....

Don't forget the train tickets.....

From the mailbag the other day....

 

Susan,

 

Okay, so I'm pretty sure that WEP has been "dead" as a viable wireless security option for at least 3 years, right?  I mean, sure, there's plenty of home users using WEP or WPA because it's easy, but I think even in the SMB community, we're not advocating WEP, or even WPA anymore.

 

About 4 years ago I had a few clients fired up about 802.11b, secured with 128-bit WEP keys.  Did a few implementations, and then interest seemed to dry up in the SMB market that I served.  Well now, finally, in 2005 I'm starting to see some renewed interest.  Not just among the "let's replace our Ethernet infrastructure with wireless" crowd, but among customers who actually generate revenue.

 

What I'm seeing is that they want 1 of 2 things - sometimes both.

 

1) Internet-only WLAN for use by guests/contractors/etc., where ease-of-use is paramount, but with the capability of accessing the corporate LAN for employees via some secured means.

2) A "really-reliable" and "really-secure" wireless infrastructure to co-exist with the Ethernet infrastructure (everyone complains that the WLAN drops occasionally, but I have very little confidence that any solution will be notably "better").

 

(Granted, for the life of me, I can't figure out why everyone insists on sitting at their desks and using the WLAN, when they have an Ethernet port on the wall that they can plug into, but I digress.)

 

In working up a technical overview, I'm coming up with the options, and wanted to run them by you, and get your take.

 

Goal: WLAN for guests.

Option A: Build a solution with an open AP and some solution to redirect all traffic to a given gateway/registration web address.  Then offer a PPTP or IPSEC VPN tunnel into the company LAN for employees. 

Option B: Buy an out-of-the-box solution like a Sonicwall TZ170 which purports to support all that stuff. 

 

Goal: Secure, corporate LAN for SMB:

Option A: RADIUS-backed 802.1x WLAN solution. Cons:  Need some infrastructure improvements (switches, services, etc.), and owner buyoff on time commitment.

Option B:  WEP-enabled AP on the outside of the LAN; require VPN access through RRAS to access LAN.  Or, any other suggestions?

 

I haven't done anything with 802.1x yet for any SMB customers, so there's going to be a learning curve.  I'd really like to do this, because it would add value, and be a good learning experience, but I don't think I'm going to get owner-buyoff on this right now.  Have you done much with wireless lately, and if so, what's your take?

Uh.... Mr. Mailbag... I'm right behind you.  I don't have wireless on the “inside” of my networks either... they are still 'outside'.  Now they are running WPA these days and not WEP [as WEP should be shot dead], but I've yet to take the time to read the SBS Admin book [Charlie Russel/Jason Gerend] and go through their excellent guide on how to do that.  I'm not quite ready [nor truly have a need yet] at my office, but truly should do it here at home.  For example, poor Steve Foster, who is staying here this week, has no access to printers or anything else even though he's able to get to the Internet.

 

What I'd really like is what we get to see when we go to Microsoft... smart card deployment such that unless you have the magic card, you cannot get on their network, period, and you REALLY can't get on their wireless.  Fire up NetStumbler and you can see the poor device go crazy with MSLAN way before you see the true campus off the freeway.  But they are just that... secured... and you can't get on them.

 

So Nick?  After I get back from my trip to the Mothership Redmond, I'll be cracking open that Russel/Gerend book myself.

 

I'll let you know how I go...

From the mailbag comes this question....

How in the heck do you know who's on first (let alone second and third)?

I am sitting here reading your blog, and checking out several of my clients' servers via remote desktop, and I need to reboot one of them. You know, it used to be a simple thing, but now, with RWW, SharePoint, VPN, GoToMyPC, et al., how do we know who is logged on and working and using the network when it appears to be in a restful state? I always go to the Computer Management console and look at open files under Shared Files, but that really doesn't cut it either. Any tools to do this, or just close your eyes and hit the button???

Also, one other thing, have you heard of any way to audit actual logins and logouts? Not those 100's of 1000's of login entries in the security event log. Just, Freddie logged in at 8:45AM and out at 5:02PM and then logged in at 7:30 from home and out at 3:02AM. That kind of thing. You know, for all the emphasis on security, actually tracking who is doing what to whom is woefully inadequate in Microsoft's world.

 

Data.  I will agree with you that audit logs throw off a lot of data.  And we need a filter for all this data, don't we?  Too much information, unfiltered, is just that... information.

 

I'll answer the easy one first: how I do it.  I know in my office I have a way that I can tell if someone is logged in... I have Live Communication Server because I had SA on SBS 2000.  When I remote in to do patching, in addition to doing exactly what you do, I have a better check.... I can fire up Live Communication Server [aka the internal lunch menu instant messaging system] and I can see if anyone has a 'live' IM.  If they do, I can ping them and send a message to them saying I'm patching.

 

The other way to do it is to set aside a maintenance window.  “Between the hours of # and # your systems may be rebooted” or something like that.

 

As far as tracking logins and logoffs, I know that Dana does centralized logging with third party auditing tools and the guys from PSS Security use some specialized tools to filter out auditing.  I know that I just use the native filtering when I analyze the logs, but I agree it could be easier.

 

I'll leave it to the folks that suffer the 'captcha' to comment, and anyone else feel free to ping me with ideas at sbradcpa - at - pacbell.net.

 

P.S. ...if someone is using GoToMyPC inside a SBS network... go ahead and reboot.... I truly can't find a reason why you would need that inside your network anyway....
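One way to turn the raw Security log into the “Freddie logged in at 8:45AM and out at 5:02PM” view the mailbag asks for, as an added example that is not the blog's own code or a Microsoft tool: it pairs Windows Server 2003 logon events (528) with logoff events (538) by Logon ID, drops the network-logon noise (logon type 3) that fills the log, and lists anyone still logged on so you know who's on first before you reboot. The tab-separated export shape, the field order and the records themselves are assumptions constructed for this example.

```python
"""Distil a Windows Server 2003 Security log into per-user sessions.
Event IDs are the 2003-era ones: 528 = successful logon, 540 = network
logon, 538 = user logoff.  The input is a constructed, tab-separated
Event Viewer-style export (not a real log); the field order is assumed."""

from collections import OrderedDict
from datetime import datetime

# Logon types worth showing a human; type 3 (network) is the noise from
# share, RPC and IIS touches that produces the "100's of 1000's" of entries.
INTERACTIVE_TYPES = {"2": "console", "10": "remote desktop"}

# Constructed export: time, event id, user, logon type, logon id.
SAMPLE_EXPORT = """\
2005-09-27 08:45:12\t528\tFREDDIE\t2\t0x3E7A1
2005-09-27 08:46:03\t540\tFREDDIE\t3\t0x3E7B0
2005-09-27 08:46:03\t538\tFREDDIE\t3\t0x3E7B0
2005-09-27 17:02:40\t538\tFREDDIE\t2\t0x3E7A1
2005-09-27 19:30:15\t528\tFREDDIE\t10\t0x41C22
2005-09-27 21:10:00\t528\tSUSAN\t10\t0x41D90
2005-09-28 03:02:55\t538\tFREDDIE\t10\t0x41C22
"""


def parse_export(text):
    """Turn the tab-separated export into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, logon_type, logon_id = line.split("\t")
        rows.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     "event": event_id, "user": user,
                     "type": logon_type, "id": logon_id})
    return rows


def build_sessions(rows):
    """Pair each interactive 528 with the 538 carrying the same Logon ID.
    Returns (finished sessions, logons with no logoff yet); type 3 is dropped."""
    open_sessions = OrderedDict()
    finished = []
    for r in rows:
        if r["type"] not in INTERACTIVE_TYPES:
            continue
        if r["event"] == "528":
            open_sessions[r["id"]] = r
        elif r["event"] == "538" and r["id"] in open_sessions:
            start = open_sessions.pop(r["id"])
            finished.append((start["user"], INTERACTIVE_TYPES[start["type"]],
                             start["time"], r["time"]))
    return finished, list(open_sessions.values())


if __name__ == "__main__":
    done, active = build_sessions(parse_export(SAMPLE_EXPORT))
    for user, how, t_in, t_out in done:
        print(f"{user:8} {how:14} in {t_in:%a %I:%M%p}  out {t_out:%a %I:%M%p}")
    for s in active:
        print(f"{s['user']:8} {INTERACTIVE_TYPES[s['type']]:14} STILL LOGGED ON since {s['time']:%a %H:%M}")
```

A logon with no matching 538 is either someone still working or a session the log never closed; either way it is the person to ping before you hit the button.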

Many times there are two camps of folks learning about SBS....

Camp A - aka 'what's the catch' when they find out about the pricing of SBS

Camp B - aka 'do we have to use the wizards?'

This download is for a bit of both worlds....

The slide deck and questions/answers from the Web cast address some of the common myths in Windows Small Business Server environments.

I hope you are following the TS2 blogs..... because if you do you'll find out the following....

Also, we've received word that PSS will support the hosting of the SBA database on a SBS 2003 Standard Server!

Hoooraay!!
