DavidOverton.com
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  

Browse by Tags

  • Internet Explorer security vulnerability fix now available – think of it as an early Christmas present… now about Firefox’s 3 issues this week…

    I think everyone knows that an urgent security issue has arisen in IE this week and Microsoft has taken the (wise) decision to publish a fix outside the normal 2nd Tuesday release cycle. Some have said switch browser because of this issue, but not only can that be complex, most browsers suffer security issues, so once again the only real protection is to wrap in cotton wool and hide. Or, use the built-in features of Vista and IE7/8, which means protected mode and NOT running as admin. You might ask why a Christmas present? Well, if this continued unpatched then your information is seriously at risk and that would make for a very bad Christmas if your credit card information was stolen!! Either way, if you have IE on your systems then you will need to update your systems urgently. Of course, my Hyper-V server (or Windows Core for that matter) don’t have IE, so no updates for them!!! Just for completeness, here is the information from the Technet newsletter Internet Explorer Security Update I wanted to...
  • Important Microsoft security update – update your machines now!

    DavidOverton.com rebooted today due to an emergency security update – an “out of band” release from the normal “patch Tuesday” process. It is worth considering updating and rebooting your computers and servers asap. More information on this can be found at http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx . Impacted systems below:

    | Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
    |---|---|---|---|
    | Microsoft Windows 2000 Service Pack 4 | Remote Code Execution | Critical | MS06-040 |
    | Windows XP Service Pack 2 | Remote Code Execution | Critical | MS06-040 |
    | Windows XP Service Pack 3 | Remote Code Execution | Critical | None |
    | Windows XP Professional x64 Edition | Remote Code Execution | Critical | MS06-040 |
    | Windows XP Professional x64 Edition Service Pack 2 | Remote Code Execution | Critical | None |
    | Windows Server 2003 Service Pack 1 | Remote Code Execution | Critical | MS06-040 |
    | Windows Server 2003 Service Pack 2 | Remote Code Execution | Critical | None |

    Windows Server 2003 x64 Edition Remote...
  • How to get DNS and DHCP working on a Windows Server from behind the Windows Firewall

    I have a Windows Home Server at home and I decided I wanted it to be responsible for handing out DHCP and DNS addresses in the house. All very good, but when I set up the services none of it worked because of the built-in Windows Firewall. While I could have just turned off the firewall, I decided to learn how to put the holes into the firewall to make it work with the firewall, thus maintaining better security. A quick search of the web showed me many settings, but it did not seem to cover the whole picture – then I came across the MS site Windows Firewall Settings, which has things broken down into these four handy sections that shall forevermore be my guides to ports and firewalls in the Microsoft world. What is more, as you will see later, the tips in here on how to get things working and get over common hurdles are quite stunning too: Windows Firewall Settings: Optional Components; Windows Firewall Settings: Remote Administration Tools; Windows Firewall Settings: Server Roles; Windows Firewall Settings: Services...
  • Windows Small Business Server 2003 at risk from critical flaw

    Hopefully everyone has seen this, but if not: Windows Small Business Server at risk from critical flaw Microsoft initially omitted Small Business Server from its list of critically affected OSes, but is now offering patches via its automatic update services In an update to its MS08-001 security bulletin, Microsoft said that the latest release of Windows Small Business Server was also critically at risk from a bug in Windows' networking software. The flaw is also considered critical for Windows XP and Vista users. Microsoft did not say why it had initially omitted Small Business Server from its list of critically affected operating systems, but it said that the product's users were being offered patches via Microsoft's various automatic update services. "Customers with Windows Small Business Server 2003 Service Pack 2 should apply the update to remain secure," Microsoft said in its updated bulletin. The bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group...
  • From the Official SBS Blog - SBS now has a Best Practices Analyzer!

    You have seen the Exchange, SQL, Security and Windows best practice scanners, well now we have all that SBS expertise wrapped up into an SBS scanner - enjoy!! SBS now has a Best Practices Analyzer! The Microsoft Windows Small Business Server 2003 Best Practices Analyzer examines a server that is running Windows Small Business Server 2003 (Windows SBS) and presents a list of information and errors that administrators should review. The Windows SBS Best Practices Analyzer examines the server and collects configuration information from many sources including: Active Directory, Windows Management Instrumentation (WMI), Registry, Metabase. After collecting information about server configuration, the Windows SBS Best Practices Analyzer verifies that the information is correct and then presents administrators with a list of issues sorted by severity. The list describes each issue and provides a recommendation or possible solution. System Requirements: Supported Operating Systems: Windows Small Business Server 2003 (Any version...
  • WSUS on SBS and helping clients that think they are up to date, but WSUS does not

    I saw this posted internally and thought I would share. If you have clients that think they are up to date, but WSUS does not, have a look at this KB and also try these commands: 940357 An update is available to enable automatic approval of definition updates and to fix two problems in the Update Services component of Windows Small Business Server 2003 R2 - http://support.microsoft.com/default.aspx?scid=kb;EN-US;940357 and Wuauclt /detectnow /resetauthorization or wuauclt /reportnow from a cmd prompt on the client box (elevated if running on Vista) ttfn David Technorati Tags: SBS 2003 R2 , WSUS , Security
  • SharePoint User Group Meetings in UK (Newcastle and Reading) in September

    I got this e-mail today from the UK SharePoint User Group. They have two meetings coming up, one in Reading and one in Newcastle. Since SBS includes WSS and you can easily load WSS v3 onto it too, here are the details: Newcastle - 10th September MOSS MVP and general all round nice guy Spencer Harbar will be presenting an evening of goodness for all that attend. Arrive 6:30 for a 7pm start 1st Presentation: MOSS Server Farm Architecture & Design. This session introduces the fundamentals of MOSS Farm design including server roles, topology constraints and design goals which are paramount for delivery of a secure, available and scalable MOSS hosting platform. Each server role’s unique characteristics will be covered with their associated trade-offs. In addition, three common models will be presented with a discussion of their strengths and weaknesses. 20 minute food and drinks break 2nd Presentation: Top 10 Tips for your SharePoint Development Environment. This session will present 10 essential tips, tricks,...
  • Vlad Mazek - "What is service management" and "how to avoid being hit by a truck when it is most inconvenient"

    I love Vlad's straight talking. If you get a chance read the whole of the blog entry Vlad Mazek - Vladville Blog » Blog Archive » Windows Server 2003 SP2 EEULA & CYA because as far as I am concerned he is preaching to the converted. I will stand by my view that Service Packs are tested as much as possible, but you need to do your own validation (see Who should test software and service packs - I think vendors,customers and partners - others thi ) to ensure that your application vendor is also happy to support their products on that service pack. If you only have MS products, check the release notes AND SUPPORT.MICROSOFT.COM as both may well have important information. I've extracted part of Vlad's process to avoid a bloody head - read his post for more as people like Susan Bradley wish she had :-) However, a part of me wonders just how heavy the rock was. You know, the one that he was under since Microsoft started releasing service packs. As painful as the above is to read, and as painful as this...
  • May security updates for Server DNS and Office 2003/2007 and IE7. Also Quicktime needs an update

    I did a quick scan and it seems that this month Office is the main target of updates, along with one critical one for Windows Server (for DNS RPC attack) and one for IE7. Worth a quick download and install :-) I also got this in the mail today: Apple QuickTime 7.x must be upgraded to 7.1.5 or higher. On the security updates: Microsoft is releasing the following new security bulletins for newly discovered vulnerabilities:

    | Bulletin Number | Maximum Severity | Affected Products | Impact |
    |---|---|---|---|
    | MS07-023 | Critical | Microsoft Excel (all currently supported versions) | Remote Code Execution |
    | MS07-024 | Critical | Microsoft Word 2000, 2002, 2003, 2004 (Mac) | Remote Code Execution |
    | MS07-025 | Critical | Microsoft Office (all currently supported versions) | Remote Code Execution |
    | MS07-026 | Critical | Microsoft Exchange (all current versions) | Remote Code Execution |
    | MS07-027 | Critical | Internet Explorer - all current versions on all currently supported versions of Microsoft Windows | Remote Code Execution |
    | MS07-028 | Critical | CAPICOM, BizTalk Server | Remote Code Execution |

    ...
  • From the The Official SBS Blog : Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista

    I've talked about this before, but thought it was worth pointing people to this Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista [Today's post comes to us courtesy of Wayne McIntyre] In order for RPC over Http to work you must have a Trusted CA Root Certificate installed and configured. In a situation where you are using a self-signed cert you will need to install the certificate into the Trusted Root Certification Authorities store. 1. Connect to your OWA site by going to https://host.domainname.com/exchange FOR THE REST OF THE INSTRUCTIONS PLEASE FOLLOW THE LINK TO THE SOURCE BELOW Source: The Official SBS Blog : Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista ttfn David Technorati Tags: Vista , Certificate , SBS
  • Installing WSUS 3.0 on SBS White Paper Released, including when you already got WSUS on there, or need to upgrade

    I thought you should be aware of this WSUS 3.0 on SBS White Paper Released [Today's post comes to us courtesy of Chris Puckett] WSUS 3.0 has released. You can download it here . For information on installing WSUS 3.0 on your SBS 2003 SP1 or R2 server, check out the Installing WSUS 3.0 on SBS 2003 whitepaper. The issue blogged in February 2007 regarding Vista updates not synching in SBS 2003 R2 has been fixed in WSUS 3.0. If you experienced performance issues like high cpu usage by svchost, a UI hang and long scan times, the new WUA client included with WSUS 3.0 addresses these issues in combination with the MSI update in KB 927891 . It’s important to note that the new client is only a partial solution for the svchost/msi issue and clients must have both KB 927891 and the new 3.0 client installed for a full solution. Source: The Official SBS Blog : WSUS 3.0 on SBS White Paper Released Having looked at the whitepaper it seems it covers the following areas: Install WSUS v3 on 2003 SBS SP1 and R2 (when to...
  • Got SBS Premium (or an ISA firewall) and Vista customers - you will need the updated ISA Server Firewall Client

    Just a quick note to say that if you have a SBS customer who has some PCs with Vista then you will need the updated ISA firewall client. You will need to go to this page - ISA Server Firewall Client Firewall Client for ISA Server Brief Description Firewall Client for ISA Server installs the Firewall Client software on 32-bit and 64-bit computers running supported Windows operating systems. It is also worth noting that the install script will look something like this \\Servername\shared folder\SETUP.EXE /Q /P "SERVER_NAME_OR_IP=Servername ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=1" Note this will almost certainly force a reboot due to the changes in the Winsock stack. ttfn David Technorati Tags: ISA , ISA Firewall client , SBS , SBS Premium
  • Symantec "Microsoft Listed as Most Secure OS"

    Wow, you have to wonder whether this hurt them to say this :-) Now I am a believer that any security vulnerability is bad and that the longer it is out there then the more likely it is to be exploited. If "people" only have one way to crack into your system, then they can still get in and the longer it is out there then the more likely it is that it will be used, however always nice to see that MS is trying hard and while not perfect, is doing better than other people who throw stones at MS. Of course, Windows also has more in it, so being better with more features in the box is even nicer and this is across all versions of Windows, not just the latest (Vista) for example. I think it shows that the IT industry has more work to do in this area - as Ed the Fed said - "this is a journey." Surprise, Microsoft Listed as Most Secure OS By Andy Patrizio UPDATED: Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its...
  • The SBS Diva spots why your workstations (and sometimes your SBS servers) are spiking at 100% CPU this month after the patches (yes, it is the Update services)

    Updated 08:07am 12th January - the blog title used to suggest this was a server issue - Susan pointed out that this is a client / workstation issue much more. I had to blog this one - if you are seeing CPU spiking when patches are being installed, go look at http://msmvps.com/blogs/bradley/archive/2007/01/10/on-patch-tuesday-if-you-are-seeing-a-spike-in-cpu.aspx ttfn David
  • ISA 2004, meet Vista, Vista, meet ISA 2004 client so that you can now work!!

    If you are using Vista and ISA, you will be used to getting a compatibility warning when the client loads. Well, this KB and download gives you a time when that is no longer the truth :-) From the joys of Susan B's blog: How to obtain the version of Firewall Client for ISA Server (December 2006) that includes Windows Vista support: http://support.microsoft.com/kb/929556 Finally the ISA firewall client that will support Vista is out today and there's a new WSUS category to boot! As always, be careful when playing with your systems ttfn David
  • Need a machine to practice or simulate Windows Server, Exchange 2007, SQL 2005 or ISA 2006? Download the pre-configured VHDs for these virtual machines

    I am sure you have seen these already, but if not, these are great tools to help when you quickly need a machine to test something on, or spend longer learning about a product. I know you can get the disks in the action pack, but then you have to load it up on a PC or VPC - this saves you all the trouble. Windows Server 2003 R2 Windows Server 2003 R2 helps to simplify branch server management, can improve identity and access management, helps to reduce storage management costs, provides a rich Web platform, and offers cost-effective server virtualization. In this VHD, you'll have the opportunity to road-test new and improved features and functionality of Windows Server 2003, including management and usability enhancements to Active Directory. Exchange Server 2007 Learn how to take advantage of key features of Exchange Server 2007. This VHD provides an exploration of Active Directory and the new features in Exchange Server 2007, new features in Outlook Web Access 2007, enforcing compliance and retention policies...
  • IE7 Installation and Anti-Malware Applications - why you should turn them off for the install!!

    I saw this and because IE is coming soon, thought you might like to read this! IE7 Installation and Anti-Malware Applications A few people have asked why we recommend temporarily disabling anti-virus or anti-spyware applications (which I’ll refer to together as anti-malware) prior to installing IE7, so here’s a little insight to the situation. Along with copying IE7 files to your system, IE7’s setup writes a large number of registry keys. A common way anti-malware applications protect your computer is by preventing writes to certain registry keys used by IE. Any registry key write that fails during setup will cause setup to fail and rollback changes. We work around the problem in most instances by checking permissions at the beginning of setup, but many anti-malware programs monitor the key rather than change permissions. Therefore, setup thinks it has access when it starts, but then fails when it later attempts to write the key. The majority of users likely haven’t seen any such problems even with anti-malware...
  • Vista and security - are Microsoft doing the right thing?

    This is something I have thought long and hard about and as such I have to caveat things by saying this is my opinion and that I am no more informed than any other member of the public or IT community. Having said that, I have done my time as a Windows Developer and even once worked on emulation systems such as Wine. These protections will be coming to all OSs - so Vista, Longhorn, SBS - all of them! I really think this is some of the worst mud slinging I have seen in a long time and much is wrong! So what have I seen in the Press?
      • McAfee and Symantec have complained that they want the ability to ignore the APIs in Vista and bash at the Kernel directly for security services. However, Kernel code has to be signed for the integrity of the system.
      • Microsoft will not stick to the rules above and will gain advantage by using unknown APIs
      • That the security prompts and center can not be turned off
      • That Microsoft is right to make these changes and want to increase the integrity of the system
    As someone who once worked...
  • KB for SBS and your customers - MS06-055: Vulnerability in Vector Markup Language could allow remote code execution

    I almost feel that I don't need to publish this, but even though the next round of patches is just a day away, you need to think about this one too. MS06-055: Vulnerability in Vector Markup Language could allow remote code execution View products that this article applies to. Article ID: 925486 Microsoft has released security bulletin MS06-055. The security bulletin contains all the relevant information about the security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites: IT professionals: http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx Source: MS06-055: Vulnerability in Vector Markup Language could allow remote code execution ttfn David
  • Installing the Windows SBS 2003 R2 Premium Technologies

    This simple guide covers what you need to know to install the Premium Technologies. Installing SQL Server 2005 Workgroup Edition You can install SQL Server 2005 Workgroup Edition as your database for a business application. Additionally, you can upgrade the instance of Microsoft SQL Server Desktop Engine (Windows) (MSDE) that is used by Microsoft Windows SharePoint Services if you want to be able to search document libraries in your company's internal Web site. For step-by-step instructions about how to install SQL Server 2005, download the file sqlinstallsteps.htm below. Installing ISA Server 2004 You can install ISA Server 2004 as the firewall for your local network. For step-by-step instructions about how to install ISA Server 2004 with Service Pack 1, download the file isainstallsteps.htm below. Installing FrontPage 2003 You can install FrontPage 2003 on one computer in your Windows SBS network and then use FrontPage to create or modify your Internet Web site. Note It is recommended that you do not install...
  • How patching should be done for all servers and clients - by Susan Bradley (super Jedi)

    I still fear Susan and what she would do if I ever made a serious security blunder. Luckily for me, I haven't yet. I also love the way she tells you the way it should be and makes it easy. I went through the process of evaluating my patches and then installing those I thought were needed (I do have some Office components on my test server, but I am hoping she will let me off for that). I was thinking on how to write this up when I saw Susan's entry The risk evaluation of patching and saw she put it exactly how I would have done. What is my message - use her process and your customers will be as safe as can be expected. In fact, I applied the IMF patch immediately, which resulted in Exchange being offline for a few minutes, which when using Outlook 2003 or 2007 is no biggie at all. ttfn David
  • Small Business Security Guidance (via Group Policy)

    These are a little old, as in published on 21st July 2006, but still great step by step guides on how to ensure that servers and clients connected to them are secure. They do not just look at SBS 2003, but also Windows 2000 & Windows Server 2003 server environments too. How to Configure Windows Firewall in a Small Business Environment using Group Policy.doc How to Configure Windows XP SP2 Network Protection Technologies in a Small Business Environment.doc Securing Internet Information Services 6.0.doc Link to Download details: Small Business Security Guidance ttfn David
  • Microsoft acquired Winternals (SysInternals.com)

    http://www.microsoft.com/presspass/press/2006/jul06/07-18WinternalsPR.mspx This is a bit of old news, but I have not reported it. There has always been a set of amazing tools that were usable to diagnose inside Windows; they were sold by a company called Winternals, who then produced a set of free tools on the web site http://www.sysinternals.com . The tools I normally use are below. I use them for those questions like "what file is failing to load", or "where is it looking in the registry" or "what process is using all the CPU".
      • Filemon: This monitoring tool lets you see all file system activity in real-time.
      • MoveFile: Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.
      • PageDefrag: Defragment your paging files and Registry hives!
      • PendMove: See what files are scheduled for delete or rename the next time the system boots.
      • Autoruns: See what programs are configured to startup automatically when your system...
  • Do you use Business Critical Support - did you know you need to re-register each year now?

    This one was a bit of a surprise to me, but my Dad, who is an IT Consultant, phoned me up to explain that when he rang business critical support for a customer down situation he was told that his registration had lapsed. He then had to go through a process to re-register before his call could be processed - and this all took valuable time. I put this down to my Dad's unique way of finding problems with systems, however the very next day I got a mail from another partner who hit exactly the same thing, so think of this as a warning, go give yourself the ability to call MS Support without them charging you when your customers are "down". To get more information and registration information (it is not a long process honest), go to Register for free- Business Critical Telephone Support for registration and http://www.microsoft.com/uk/partner/tech_support/b... for information. Once you are set up, you MUST note your Support ID - this is the magic that will make it work when you need it. ttfn David
  • USATODAY.com - Cybercrooks constantly find new ways into PCs

    I was reading this article and it reminded me of a few things. Sometimes when sitting in the Microsoft camp we say how good / bad others are at security, but rarely reflect on what people need to do and why. When there is a known issue with a package, I suspect many don't go to a test environment and pull the patch apart, many just do a quick test on 1 pc and then deploy wider. Obviously SBS 2003 R2 makes this process easier as you can now control the deployment and retraction of patches via the console. It also reminds me that if a patch is needed, it is really a moot discussion on how many issues it fixes, reboots or any other aspect - if your systems are vulnerable, you need to patch or mitigate. To do neither is inviting huge issues - and I have seen plenty of customers with issues. What I did also see was a comparison table showing that systems often thought to not be at risk, such as those by Apple, can still be very susceptible. When a security issue exists on a system, it does not matter if 1 or a 100...

(c)David Overton 2006-23