[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] December 2006 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"

December 2006 - Posts

And no, I'm not talking about 45 minutes before 2007... I'm talking about 45 minutes to go of Season 1 of the show 24 that we got on DVD for Christmas, and we've been watching it all day.... and if this truly was 24 hours in one guy's life... I'd quit that job, wouldn't you?  Way too stressful!

... so for all of you in the Pacific time zone.... Happy 2007!


In our SBS world the addition of .NET 2.0 sometimes mangles our Remote Web Workplaces, Companywebs and whatnot... and the trick is to go into IIS, into the properties of the web sites, and ensure that all the default SBS sites are on ASP.NET 1.1 and not 2.0.

Down at friends for the New Year and we can't get the XBox/Media Center extensions loaded up and I'm wondering if .NET 2.0 is messin' with it.

I've found this blog post http://blogs.msdn.com/astebner/archive/2005/12/06/500801.aspx and this one http://blogs.msdn.com/astebner/archive/2006/06/01/613975.aspx and the .net sp1 won't install...

And in searching I'm finding this KB http://support.microsoft.com/kb/922377 and I had to laugh... that's the first time I've seen in a KB article a link to a blog... that shows you, doesn't it, how "authoritative" we are now when dealing with blogs, doesn't it?  They are linked in KBs.

So now off to go clean up some .NETs.

(For the record, I had to "reinstall" .NET 2.0 in order to uninstall it, then I reinstalled .NET 1.0 and .NET 1.1.  Then I ensured that this value was in the registry, and that did the trick... just remember, sometimes on .NET.... it's easier to pretend to reinstall it to get yourself in a position to uninstall it.)

Using the Sierra Wireless Aircard and when there is 3G connectivity you can tell that the speed is definitely faster (and as Chris Rue would say) would be sweeeeeetttt for Remote Web Workplace on the road.  Even Edge/GPRS isn't that bad and certainly better than dial up.

But so far.. I've hit "pockets" of 3Gism on this road trip, and certainly it's not as solid 3G coverage as one would think traveling from Fresno to Bakersfield to Los Angeles to Anaheim (yes, going to Disneyland for the New Year... blogging will be light).

But if you have solid 3Gism... remoting will be very nice.

It's time for that annual tradition of sitting down and belly button gazing.  And it's a good idea for us all to look back while we plan forward.

Vlad's done his.. http://www.vladville.com/2006/12/new-year-resolution-time.html and to be honest with you, I don't think he needed to apologize for things said.... because at the end of the day.... I feel that all of us (most of us) know that all this stuff isn't a religion, it's just about business. 

I think at the end of this year, as the new year begins, as new products come out, we all need to step back and look at the business side of things.

Because we can always solve the technology problems, I would argue... it's the solutions needed for the business that need our attention. 

So start with your business.

Grab a sheet of paper (or better, open your accounting program as of December 30th and pull up a year-to-date balance sheet).  Now then, pencil out what your budget is for the coming year.  If you are savvy, you'll project your budget by month.  Plan on your cash flows.  Plan your education budget for the year, plan on your sales targets, plan on your expense categories.

Now I want you to think about your future.  What are your retirement plans like? If you are a single shop... what are you doing to ensure that your retirement years are reasonably taken care of?  Are you spending on things that will give you value and revenue?

So do a bit of reflection... of planning... of thinking of where you want your business to be at in a year....plan for it....so that this time next year, it will be a reality.

The other day the conversation came up about blank passwords on accounts in Win2k3 and XP, and I made the point that on a default installed system, a blank password on an account meant that it could not be remotely accessed from the Internet.  The argument can be made that if you could physically secure a device, the account would actually be more secure, as it could not be remotely accessed.

I went on to say that my Tablet PC had an administrative account that had a blank password. 

Now to many that seems like an insane thing to do for a person who has volunteered on various Security groups and has a GSEC certification to boot.

But I do it for a reason.  To remind me that key data should never be on that device in the first place.  Part of it is to prove the point that when you work in an industry like mine, client information and client data should never be on a mobile device.  The laptop is used for Remote web workplace, blogging, internet access and personal (but not business) emails.  There is truly more client data on my cell phone than there is on that laptop.  Because the laptop is designed (on purpose) to be an expendable device, it's a reminder to never put any information on that laptop that I care about.  Because truly, if I lose the laptop, regardless if I have a password on an account or not, law number 3 of computers states that should I lose physical security of a device, it's no longer mine.

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:

He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

He could unplug the computer, haul it out of your building, and hold it for ransom.

He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

He could remove the hard drive from your computer, install it into his computer, and read it.

He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.

He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.

So if you design your system from the beginning with the thought that the device you use is expendable.... then you don't use it as anything other than a conduit.  Thus no Outlook over HTTP is allowed.  And as far as the risk of the device having connection information left on it?  What's the risk of a Remote Web Workplace web address if you have a strong password and Scorpion Software's RWW Guard?  If Internet temp files are dumped on exit?  If the risk of the device having data left behind on it is so great, then it should be encrypted.  If the risk of the device holding access or connection information is too great, then don't access from it.  See where I'm going here?

Remember that if you have physical access to a system, it is trivial to reset the password.   And if you reset the password, it's owned.  Thus the lack of a password on one of the accounts is a mental reminder to me to consider that laptop expendable.  To keep it physically secure.  To never store data on it.  And if it's not physically secure, it's worthless to me as a secured and therefore securable device.

Truly there is more risk to me of the loss of my cell phone with a domain password, with Outlook sync'd to the office server, than there is in a Vista Tablet pc that is not domain joined, dumps IE temp files, and is small enough that it travels everywhere I do and doesn't have client data on it as I Remote Web Workplace back to the office.

Steal my laptop?  Go ahead.  Steal my cellphone?  I'm using the remote wipe features of Exchange 2003 SP2/Mobile pack stuff.  In fact, if you truly do care about the information on that laptop such that you'd never let it leave your site without a password, then you install a remote "nuke and pave" program so that should it leave your physical custody, you still have a bit of control over that Law #3 above.  Now I'd argue if you lost a laptop, you'd probably, for comfort's sake and peace of mind, change the passwords on your accounts even with my remote access policy.

But see where I'm trying to get you to see here?  That the risk is a direct relationship to the data on the device.  And the risk is physical security.  And once you lose that... it really doesn't matter anymore if the password is one that's long and complex .... or even blank.

Game is over.  Bad guys have won.

So unless that key data is encrypted on that device, or stored elsewhere, or ... better yet, not on the device in the first place and merely used as nothing more than a dumb terminal of sorts.... whether you use a blank password ....or not..... if you lose physical access... you've already lost.

Protect the data.  The device is expendable.

P.S.  On Vista this is more of an exercise in just being unusual, since the built-in Administrator account is disabled anyway  ;-)

So I bought an upgrade to our Policy Patrol Disclaimer software for my office, and the cool thing about it is that I don't have to annoy people with the tax signature all the time:

Tax opinion disclaimer

This email contains tax advice. Please note that additional tax issues may exist that could affect the tax treatment of the tax shelter addressed in the advice. The advice does not consider or reach a conclusion with respect to those additional issues. Further, the advice was not written and cannot be used by the recipient for the purpose of avoiding penalties under code section 6662(d) with respect to those issues outside the scope of the advice.

That blurb only comes out when a "tax" key word is used in our emails.  Now granted the disclaimers in emails are silly...but silly or not.. we are required to do them in Accounting firms that might possibly give tax advice under Circular 230. 

But in general, any time someone posts that blurb.. or the one below to a listserve it's really kinda dumb isn't it?  As it really doesn't belong there does it?

BTW in Exchange 2003, custom event sinks aren't worth the time and effort, and this is much easier and way more dependable... Exchange 2007 will better support native disclaimers (or so I'm told).

Disclaimer - December 30, 2006

This email and any files transmitted with it are confidential and intended solely for Susan Bradley. If you are not the named addressee you should not disseminate, distribute, copy or alter this email. Any views or opinions presented in this email are solely those of the author and might not represent those of Red Earth Software. Warning: Although Red Earth Software has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

This disclaimer was added by Policy Patrol: <http://www.policypatrol.com>

http://blogs.technet.com/edwalt/archive/2006/12/29/when-a-user-logs-onto-rww-the-screen-hangs-at-loading.aspx

Guess that puts that old wives' tale about how SBS can only have one server in the domain to rest, eh?

Granted they were offline and thus causing the issue with RWW... but 24 servers, eh?


The recent closure of the Open Relay Database, as reported by incidents.org, points out how email and spam have changed over the years.  Once upon a time Open Relays abounded and were the main way that spam attacks were launched. Now spam comes and attacks us in various ways, from spam bots to NDR attacks.  No longer is Open Relay our main SMTP security issue these days.  In fact, Exchange 2003 is not a mail relay by default.  Nevertheless, while our servers have gotten more secure, the spam impact is rising. As they've changed the playing field, we're using different tools to fight back.  While the built-in IMF spam filter in Exchange 2003 SP2 is an excellent spam filter, there are new hosted solutions that place the burden of filtering on the backs of specialized vendors that can better see the spam trends.  Vendors such as Postini, Microsoft's Frontbridge, and the vendor that I personally use, ExchangeDefender.com, provide additional filtering in front of your Exchange server.

Hosted Exchange filtering provides several benefits.  The first being that these vendors specialize in seeing the trends of viruses and spam and thus can act on these trends much faster than I can.  Secondly they house the spam on their servers and not mine.  And last but certainly not least, one of the reasons that I chose this was to provide a more secure connectivity to my mail server.  I was able to do this by utilizing my ISA server 2004 to provide a bit more protection for my Small Business Server network. 

Before the change, I could literally see pings from various countries entering my network via the open port 25 that I used to accept inbound email connections.  Using an add on tool to ISA Server 2004, the Firewall Dashboard from Scorpion Software, you could see the various countries and IP addresses: 

Figure 1 - Scorpion Software's Firewall Dashboard showing various SMTP connections


While attempts to guess a username and password on a mail connection should not be a concern to the savvy network administrator whose network has passphrases or a password policy that ensures passwords are long, strong and not easily crackable, the reality for many firms is that they would prefer to reduce an exposed attack surface if it's reasonable to do so.  There have been cases where firms have been subjected to dictionary attacks and have had a password cracked merely so that the attacker could authenticate to the mail server and use it in more spam attacks.  These attacks, called SMTP auth attacks, have increased over the years.  In addition, my concern, with my firm located in California and holding data of California residents, is that should an attacker use an SMTP auth attack and, through my own stupidity or misconfiguration, crack a password, that event would be a reportable event under a California law called SB1386, whereby I would need to notify my firm's clients that their sensitive data may have been breached.

In our case, it is extremely reasonable and extremely easy to limit the connections to our mail server ports with a bit of judicious editing of the ISA server policy that allows connections to our mail server.  The service that I use, ExchangeDefender, only connects to my server from a specific set of IP addresses.  Therefore, to ensure that we only accept inbound port 25 connections from those servers, we will set up rules in ISA Server 2004 to better protect the server and limit SMTP connections to only those 5 IP ranges.  This will in turn close down the potential for SMTP auth attacks and other misdirected connections to port 25 on my server, thus reducing even more of an already limited attack surface.

Our first step in the process is to determine the IP addresses that we need to restrict port 25 to.  The IP addresses are all Class C addresses.  We begin by launching the ISA management console as shown below:

Figure 2 - Default rules as provided by the SBS 2003 "Connect to Email and Internet Wizard"


In my case, my version of ISA server 2004 is installed on the SBS 2003 network server and has a rule wizard that has pre-built the access to the server for email.  I will edit that rule to provide the additional restrictions I need, but I need to remember that should I need to rerun the Connect to Internet and Email Wizard, or CEICW as it's commonly called, that is inside the Small Business Server network, it will reset these email rules to default.  So at the end of this process, I'll make sure that I backup the ISA configurations I've customized to ensure they are retained.

So we begin by editing the policy and providing the additional IP restrictions so that only the IP addresses from the ExchangeDefender servers can connect to the SMTP port on my server.  In my example, using SBS 2003's ISA server configuration, it has built for me an SMTP access rule that I will edit.  Double-click on the SMTP Server Access Rule and browse to the "From" tab.  From here you can see that the current allowed connections are from the entire Internet.  This is what we will be editing.

Figure 3 - Editing the SMTP server access rule


We will first begin by adding the necessary address ranges that we need to limit connections to.  After clicking on "Add" we are presented with a Network Entities screen.  We now need to click on "New" to add a new category of addresses that we will limit inbound port 25 connections to.  As you can see, you are presented with various ways that you can add different rule sets for access, ranging from "Networks" to sets, to various computers, to address ranges and so on.  This makes it easy to add a rule with a specific need in mind.

Figure 4: Defining the Network Entities


We will build a series of address ranges, based on the information given to us by the hosted antivirus and antispam provider, that we will use to limit the connections.  While we can use several categories of network entities to build the rule, including an Address Range for each range or a Subnet for each one, the easiest way is to use the Computer Set rule element and include in one set the five ranges that we have been given by the vendor.  This allows for the best organized rule, as all of the vendor's IP ranges will be included in one spot.  Be sure to add enough descriptive information to the rule set to ensure that you will remember the intent, and document it in your firewall change log or whatever process you use to document firewall changes.

Figure 5: Using New Computer  Rule Element


When everything is all done, the rules we have built will be included as one set.  We can now easily replace the existing "External" entry, which allows connections from all locations, with the more restrictive set that only allows the 5 address ranges that have been specified.  And like all other edits to firewall rules in ISA, it's as easy as clicking on the "Apply" button to change the rule to our new edited one.
Figure 6:  Applying the new configuration



Last but not least, we need to remember that in the Small Business Server 2003 environment, should we re-run the firewall wizard for any reason, any SBS wizard-specific rule that we customized before will be reset back to the original.  Therefore, documenting the changes you make, and at the end of the customization process clicking on the properties of the rule and exporting the rule to allow for easy import, will ensure that you can easily and quickly get the firewall settings back as you need them to be.

Figure 7:  Exporting out the changed configuration


In reality for many of us that use the power of ISA 2004 to better protect and report on the Internet connectivity on our SBS 2003 networks, we typically only run the Connect to Email and Internet wizard once when initially setting up the ISA 2004 configuration.  After that first configuration, we tend to edit the rules as we need them and there is typically no need to rerun the setup wizard. 

You can now go to any number of port probing web sites and tools, ranging from Steve Gibson's veritable Shields Up on his www.grc.com web site to Microsoft's portqry tool, and see that your port 25 is no longer seen as open to the Internet and ready for drive-by port 25 password attempts. While you are still fully able to get all of your cleaned and de-spammed email, you are no longer the fully exposed connection you once were.

Before you limit the connections, a port query response comes back with the following:

Data returned from port:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Dec 2006 03:06:17 -0800
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000000.


After you limit the connection, the response comes back as follows:

TCP port 25 (smtp service): FILTERED
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000002.


Thus providing a bit more protection from drive by SMTP auth attackers.
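To make the rule logic above concrete, here is an added example (not ISA Server, SBS or ExchangeDefender code) that models the same decision in Python: a "computer set" of vendor ranges, the edited SMTP rule that accepts port 25 only from that set, a review of some constructed inbound-connection log lines to show which "drive by" connections the restricted rule would now drop, and a small reader for the portqry verdicts shown above. The five ranges are documentation-space placeholders, since the real ExchangeDefender ranges are not on the page and must come from the vendor; the log format is likewise constructed, not ISA's own.

```python
"""Model of an inbound-SMTP allow list of the kind built in the ISA 2004 steps.

Added example, not the ISA Server or ExchangeDefender code.
"""
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 / RFC 2544 documentation space)
# standing in for the five ranges a hosted filtering vendor hands you.
# The real ExchangeDefender ranges are not on the page; get them from the vendor.
VENDOR_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "198.18.0.0/24",
    "198.19.0.0/24",
]

SMTP_PORT = 25


def build_computer_set(cidrs):
    """Equivalent of the ISA 'Computer Set': all vendor ranges kept in one place."""
    return [ipaddress.ip_network(c) for c in cidrs]


def smtp_connection_allowed(src_ip, dst_port, computer_set):
    """Decision of the edited SMTP Server Access Rule: port 25 only from the set.

    The original rule's 'From: External' accepted any source; this returns
    True only when the source falls inside one of the vendor ranges.
    """
    if dst_port != SMTP_PORT:
        return False  # this rule only covers inbound SMTP
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in computer_set)


# Constructed sample of an inbound-connection log (not the real ISA log format).
SAMPLE_LOG = """\
2006-12-25 03:06:17 src=198.51.100.7 dport=25 proto=TCP
2006-12-25 03:06:20 src=10.20.30.40 dport=25 proto=TCP
2006-12-25 03:06:25 src=203.0.113.9 dport=25 proto=TCP
2006-12-25 03:06:31 src=172.16.5.5 dport=443 proto=TCP
2006-12-25 03:06:40 src=172.16.5.5 dport=25 proto=TCP
"""

LOG_LINE = re.compile(r"src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)")


def review_log(log_text, computer_set):
    """Return (source, 'allow' | 'deny') for every port-25 attempt in the log.

    The 'deny' entries are the connections the restricted rule stops; they are
    worth keeping in the firewall change log to justify the rule.
    """
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m or int(m.group("dport")) != SMTP_PORT:
            continue
        src = m.group("src")
        verdict = "allow" if smtp_connection_allowed(src, SMTP_PORT, computer_set) else "deny"
        results.append((src, verdict))
    return results


# portqry exit codes: 0 = listening, 1 = not listening, 2 = filtered.
PORTQRY_STATES = {0: "LISTENING", 1: "NOT LISTENING", 2: "FILTERED"}
RETURN_CODE = re.compile(r"return code 0x([0-9A-Fa-f]+)")


def portqry_state(output):
    """Read the port state from a portqry transcript like the before/after ones."""
    m = RETURN_CODE.search(output)
    if not m:
        raise ValueError("no portqry return code found in output")
    return PORTQRY_STATES.get(int(m.group(1), 16), "UNKNOWN")


if __name__ == "__main__":
    computer_set = build_computer_set(VENDOR_RANGES)
    for src, verdict in review_log(SAMPLE_LOG, computer_set):
        print(f"{src:15} port {SMTP_PORT}: {verdict}")
```

Run it as a script to see the allow/deny verdict for each sample connection; the same functions can be pointed at your own exported connection log once you substitute the vendor's real ranges.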

While I would never say that a firewall should be "set it up and then forget about it", the ISA 2004 configuration is typically straightforward enough that my only need for adjusting it is when my business needs change or a change in security stance has dictated a change in the firewall.  The rest of the time, it just keeps doing what it does very well, being a great protection and reporting tool for my business' network.

And now, it gave me just a little bit more help in the war against SPAM.

(Now blogged from this location on my blog site, was formerly blogged at another location)

P.S.  as I've joked with folks.. the worse thing about all these external hosted spam filtering services is that they make your email boring.

Okay so we're a little less bleeding edge.. blogging from a Vista Tablet PC running a Sierra Aircard 875.

The trick is this driver -- http://www.sierrawireless.com/resources/support/Software/3G_Watcher_Generic_1236.msi

Trick number 2 is to remove the Cingular connection manager and ONLY use the Sierra 3G watcher software.  That was the step I was missing.  I still had it on the machine.  Remove the Cingular connection and only use the Sierra software.

And there we go.... one Sierra Wireless 875 connected on a Vista laptop ...that's making this Internet connection to make this blog post as a matter of fact.... and a little less bleeding edge to boot...

...now ... to find antivirus I like.....

So per the Sierra Wireless folks... to get my Sierra 875 card working on my Vista (upgraded from XP sp2 to Vista RTM Acer tablet pc) all I need is just the Sierra software and this driver package:

http://www.sierrawireless.com/resources/support/Software/3G_Watcher_Generic_1236.msi

But so far it's not working.  So tonight I'll see if I can remove all Cingular software and see if that alone will fix the issue.

So far the SIM card works in the old card that I have - the Sony Ericsson - and when I put the new SIM in the new Sierra Aircard, that combo works in XP SP2, but I can't get it to work in my Vista upgraded Tablet PC (personally bought, mind you, and if I even see another blog post about who did or didn't get a free laptop I may scream .... the blogosphere community is acting ridiculously, but Microsoft and the bloggers both (I think anyway) blew this one in their handling of this ... I agree with Scoble that I would have put in the documentation a required disclosure blurb, but I digress).

Someone was asking the other day why should they upgrade to Vista... if XP sp2 was good enough... and I said... (Disclosure - All Vista versions I am currently using are test versions on hardware I have bought personally using the version that I personally purchased from TechNet Plus -- there how's that for disclosure?) based on the issues that I've been going through we're still in the bleeding edge stage of deployment.  Case in point, I'm paying $60 a month for a card that should give me 3G speed but I'm having to use my older, slower card that doesn't do 3G to even connect.  Nearly all of my key line of business software is practically beating me over the head and saying to wait.  

Is XP SP2 good enough for business?  I'd argue if you have it set up and not running with Administrator rights, it's a very stable platform and right now, without administrative rights, good enough for a very stable and secure business operating system.  In fact, when I'm doing beta testing on 64-bit stuff, I'm using XP 64-bit and not Vista 64-bit for my virtual host base.  What makes Vista more attractive is the home user aspect... there's some parental control stuff that is cool.

As has been blogged before, you will need for the time being to manually add your Vista to your domain, as the SBS /connectcomputer fix up patch won't be out until around the real launch date. 

Quite frankly, when is "my" real launch date for Vista?  Around June of 2007.  By then I hope that all my line of business stuff will have tweaks and patches for Vista, and my Trend antivirus will also support it.

Until then..... welcome to the bleeding edge folks....

As an FYI, a blog post I did on how to use ISA 2004 to better close your SMTP connection to the outside world ... especially when you are connected to ExchangeDefender.com ... is up on the ISA server blog:

http://blogs.technet.com/isablog/archive/2006/12/28/exchange-spam-filtering-and-isa-server.aspx

Exchangedefender.com is the service that I use that prefilters, cleans and despams my firm's email....

Bottom line it makes my email boring these days.  And I'm serious about that... it's quite dull these days.  Only business email.  :-)

P.S.  The post is off the blog site.. sorry if you are looking for it.  No, I really won't go into why it was removed (not for reasons some folks might be thinking of anyway). 

So exactly how does one get a support contract?  TechNet Plus includes 2 phone incidents but you need to call and set up a support contract. Okay so I surf on over to the TechNet plus page and get this info:

http://technet.microsoft.com/en-us/subscriptions/ms788698.aspx

And it acts like it should be 24/7.  So I called 1-800-Microsoft and then pressed 2..... then 3... then 2.... then 1....

And then pressed 1 to get to the Technet/Professional

At that point in time I got informed that I needed to call the MSDN subscription line to set up the TechNet support contract (which ... I would argue...why don't they say that on the web site in the first place) and I need to call back tomorrow from 9 a.m. to 5 p.m. to set up the support contract at (us) 1-800-344-2121.

For the record, the 24/7 part is only about business critical support... otherwise the support hours are only 6 a.m. to 6 p.m. Pacific time.

One interesting thing of note...for those of us with SA contracts, there's also a support incident there.  So if your client has SA, they can assign the rights to TechNet Plus and other benefits to you the Var/Vap to take advantage of.

One of the folks here at the office was saying that her OEM built computer was flagging it as non valid... "Non-Genuine?" I asked, and sure enough it sounds like she has the same experience as Joe's Mom.....

I told her to run this tool first to see if my thoughts are confirmed..that she has crypto errors in her computer that are causing them to be seen as not valid.

http://forums.microsoft.com/Genuine/ShowForum.aspx?ForumID=442&SiteID=25 The tool on that site will confirm if she's got crypto errors and then she needs to reregister some DLLs.  And if it is...this is the KB she needs to follow to reregister the DLLs:

Detecting digital signing issues in Windows XP:
http://support.microsoft.com/Default.aspx?kbid=813442

Some of the things you may encounter during the install of R2 that I call "sunspot" (1) impact:

1.  If companyweb (and RWW and anything else) worked before and now doesn't, make sure that the site hasn't been accidentally flipped to the 2.0 version of .NET instead of the 1.1 version.

2.  During the install ensure you are using the built in administrator account (we call it the 500 account).

3.  After the install on rare occasion you might get an issue where WSUS isn't working...check to see if you have an error message about "self update tree" not working and review this KB:
The Microsoft Windows Server Update Services (WSUS) SelfUpdate service does not send automatic updates:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;920659

(1) sunspot impact - flukes of nature that you just can't explain....

CCH (US tax prep company) just came out with their ETA for support of IE 7, Vista, 64 bit Windows, and Office 2007

http://www.sbslinks.com/cch.pdf

For those that service US CPA firm... I will let you know that I have IE 7 loaded with no issues on the tax prep program, so there's no issues with the base tax program.

Today we put "Employee compliance" posters on the board in the lunch room... and one of the posters had to do with HIPAA compliance... and the items listed on the poster were of interest to me for a couple of reasons and made me think about the concept of "compliance" ... it implies that my firm was going to be soon complying with some or all of those items... furthermore it very specifically implies that certain tasks will make me HIPAA compliant if I follow those items... and as I read over the list, while many (all) of the items are certainly valid and worth striving for, the concern I had was that the poster wording implied that "compliance" was specific to these items.  That if I didn't do them, I'd not be compliant.  And by merely posting the document on the wall, in front of employees, had I bound myself and my firm to standards that I questioned were specifically deemed appropriate for my firm, since we don't administer medical plans on site and typically don't have EPHI stored locally?  And who decided that these items were the ones to strive for?

The reality is that the intent of HIPAA, and in fact of most security regulations, is to be silent on technology and specifics and be much more "goal" minded.

If you read the HIPAA regulations you will find that they are silent on specifics:

(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

In fact, if you search the document for the specific word "firewall", it doesn't exist in the HIPAA final regulations at all.

And certain items are required (concrete goals) whereas the items I would call "lofty goals" are categorized as "addressable".  What is stressed is review, risk analysis and risk management.  But a definition of "firewalls" as a required HIPAA compliant device?  The document is in fact silent, as you can see.  So that gets back to my argument about who is making the interpretations of "compliance".  If the document itself is silent as to "firewall", how can you say that you are in compliance with the regulations when the regulations themselves are silent as to specifics?

Granted, it's wise and a good thing to have network firewalls, and one could argue that in this day and age, if you don't have a network firewall as a bare minimum security measure... how about you use a Dixon Ticonderoga and stop using computers, technology and the Internet until you understand such basic fundamentals of barriers and protection... and in fact I'd strongly argue that if you rely only on the external firewall and consider a host-based, operating-system-level firewall too much and not needed (i.e. the built-in Windows XP SP2 firewall that is on by default inside a well run SBS 2003 network), you should reconsider that as well.  But to merely imply that you are compliant because you did "that" and nothing else but that... so that's all you need to be compliant and secure, right?  Just checkmark a box and that's all you need to do, right?
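As an added illustration (not part of the original post), here is a PowerShell check for the host-level layer the paragraph argues for on top of the perimeter firewall: it verifies that the host-based Windows Firewall is turned on for every network profile and blocks unsolicited inbound traffic by default. It assumes the NetSecurity module's Get-NetFirewallProfile cmdlet (Windows 8 / Server 2012 and later); the XP SP2 machines of this era exposed the same state through "netsh firewall show opmode". The function names are my own.

```powershell
# Added example, not from the original post. Reports the state of the
# host-based Windows Firewall on each network profile and tells you whether
# every profile is enabled and blocks unsolicited inbound traffic by default.
# Assumes the NetSecurity module (Get-NetFirewallProfile), present on
# Windows 8 / Server 2012 and later. On the XP SP2 hosts the post talks about,
# "netsh firewall show opmode" gave the equivalent answer.

function Get-HostFirewallStatus {
    # One object per profile (Domain, Private, Public).
    Get-NetFirewallProfile -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Profile              = $_.Name
            # Enabled is a GpoBoolean (True / False / NotConfigured); treat
            # anything other than an explicit True as not enabled.
            Enabled              = ($_.Enabled -eq 'True')
            DefaultInboundAction = [string]$_.DefaultInboundAction
        }
    }
}

function Test-HostFirewallEnabled {
    # $true only when every profile is on and does not allow inbound by default.
    $problems = Get-HostFirewallStatus | Where-Object {
        (-not $_.Enabled) -or ($_.DefaultInboundAction -eq 'Allow')
    }
    foreach ($p in $problems) {
        Write-Warning ("Profile '{0}': Enabled={1}, DefaultInboundAction={2}" -f
            $p.Profile, $p.Enabled, $p.DefaultInboundAction)
    }
    return ($problems.Count -eq 0)
}

Get-HostFirewallStatus | Format-Table -AutoSize
if (Test-HostFirewallEnabled) {
    'Host-based firewall is on for all profiles.'
} else {
    'At least one profile has the host-based firewall off or wide open.'
}
```

Run it from an elevated prompt on each workstation; a profile reported as Enabled=False, or with DefaultInboundAction of Allow, is a host that is relying on the perimeter alone, which is exactly the posture the paragraph warns against.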

And does blindly sticking that poster on a wall mean that you've now agreed to that firm's interpretation of the HIPAA regulations? Who defines compliance here?  When any consultant defines, brands, or marks you as compliant, all they have done is make an interpretation of what they think being compliant means.  It doesn't necessarily mean you are compliant with the regulations themselves, which... by design... are vague and technology neutral.

In fact, I'd argue instead that the current state of "compliance" is driven by one factor.. the hurt factor.  The reality is that compliance is driven by what hurts us.  What gives us pain.  If something isn't painful or doesn't have 'teeth' in the law, we won't do it.  We don't voluntarily pay income taxes; there's a threat of jail time over our heads if we don't.  We don't voluntarily save money in savings plans because right now we don't see the pain.  We don't see that our retirement is coming faster than we think, but for now we spend, use credit cards and live paycheck to paycheck because right now it doesn't hurt us.. and we don't see the pain.  So the only time we push for better security is when we have a threat of pain over our heads.

What should be our goal in compliance is the "golden rule of data".  We should set up our systems to protect data the way we want our own personal data to be protected.  What would we like to see protecting our most precious data?  We're not there yet.  We have a ways to go.  We don't do this now.  In fact we don't make our XP SP2 systems as secure as they could be now by running them without administrator rights.  We could do better.  Our vendors could do better.  But we don't make these decisions now because it doesn't hurt enough now not to do it.

It's a vicious cycle, isn't it?  Vendors don't care because businesses don't care enough.  And we don't care because it doesn't hurt us enough to care.  We can get by with not caring enough right now.

I'd say that your goal in compliance is to make sure you do what you would feel comfortable stating that you did to protect data while standing in front of a Judge, in front of a Jury, in front of your business associates, and ......most importantly of all...... in front of your very own personal data.

U.S. Department of Labor -- OSBP -- Poster Page:
http://www.dol.gov/osbp/sbrefa/poster/matrix.htm

This morning we changed out all 2005/2006 posters to their 2007 versions... and my goodness, all the different notifications that US employers are now required to have in a place where all of your employees can see them.

The poster kit we got was from this web site http://www.personnelconcepts.com/ as it provides a laminated employer poster.... so ... are you in compliance?  Do you have employee notification posters in a place at your office?  Do you know about all the notifications that may be needed?

P.S. Keep in mind that most of these notification requirements have no penalties if you don't comply with them... which.. isn't that a bit like the "tree in the forest" argument?  If there are no teeth to the regulation... why should someone care about compliance with it if nothing bad happens to you if you don't?


The other day the idea of SBS as a "mother" strawberry plant came up in a conversation.... you go into a firm... you plant the base "mother" plant of SBS and suddenly these tendrils of baby plants (member servers, additional workstations in branch locations) start popping up.

Dexter did a pretty good job of describing the differences between SBS and Enterprise servers except for one thing... the strawberry plant impact.

He said "* When u r starting a new branch office... no way u can connect the two servers in the branches (as no domain trust). Each server must be connected individually to internet."

When in reality.. you can, just not quite the way Dexter thinks.. you just can't have additional domains, and the SBS box must be the PDC, but no one said that you couldn't connect those servers in the branches back over the Internet to the SBS domain.. and the member servers certainly can be additional domain controllers, terminal servers or member servers over a persistent VPN connection back to the mother strawberry plant (aka the SBS box).  Not having the ability to have two different domains and do a domain trust hasn't stopped our SBS servers from popping up additional servers.

Where I see SBS wanted but it shouldn't be used is when branch offices of a larger company want to run SBS and connect back to their headquarters... that's a setup that you cannot do.  SBS must be in the headquarters and be the "lead server".. but where I see SBS used and it makes perfect sense is when SBS is the one in the main office and the branch offices connect back to it.  But certainly in the R2 era, you can have member servers with expanded CAL rights to start your strawberry patch.

Now when they said the Queen had a podcast.. you probably thought of Susanne Dansey and Vlad (who, btw, have a new podcast out..)... but no, they were talking about the REAL Queen Elizabeth...

http://www.royal.gov.uk/output/Page5323.asp

We should have Susanne give her lessons...don't you think?

A bit of low tech....
http://www.presto.com/what-is-presto.aspx

A bit of high tech...
http://msmvps.com/blogs/chrisl/archive/2006/12/25/450995.aspx

If you want to keep an eye on the Consumer Electronics Show in Vegas coming up in January... the CES blog is where you want to keep an eye on.. http://ces.blogs.com/ and then there's the "other" CESblog site at http://cesblog.com/ and this one at http://www.cesbloggers.com/ but not to be confused with this one.. http://www.cesblogs.com/

Now that's a bit confusing.. I can figure out which one is the official CES blog.. but the other blog sites are "coattail" sites.  CESblogs.com looks to be the more professional, as their "bloggers" tend to be professional journalists (which, personally, I wouldn't quite call Mary Jo Foley or Joe Wilcox bloggers... the "blog" format is their current medium, but they truly are journalists... and sometimes there is a difference).

What's the difference?  I would argue in the manner in which the posts are done... my perception anyway ... is that they are less rumor and less buzz and more observant... but maybe that's a naive view left over from too many viewings of "All the Presidents' Men".

CES looks to be an interesting place and they will be doing live webcasts again.

http://www.cesweb.org/attendees/conferences/default.asp check it out..
