Browse by Tags

We had this question circulate around at work, so I wanted to share.  Window Intune needs access to the internet.  This means that the services need unhindered access to the internet.  While for most of us, once we are connected, we are connected, some firewall / proxy devices require extra information to be entered into a browser and this is something that Windows Intune cannot deal with. Luckily, Richard at Windows Intunepedia has written about this and quite some time ago .  The key elements are: Ports 80,443 will be needed for outgoing communications and the firewall / proxy must be as follows: If the client computers exist behind an authenticating proxy server, you must configure the proxy server as follows: 1. Confirm that the proxy server supports HTTP and HTTPS. 2. Enable either Non-auth or Negotiate (Kerberos) authentication methods on the proxy. If your proxy server is using the Negotiate (Kerberos) authentication method then you must configure it to allow authentication using computer...

Today's post covers what to do when SBS says it no longer can change the WSUS settings from the console.  The exact message is "Windows Small Business Server Update Service is not running because it automatically turns off if you customize Windows Server Update Services (WSUS)". One way round this problem is to manually change all the settings in the WSUS console (from Administrator Tools, select Microsoft Windows Update Services 3.0 SP1) and change the settings as per instructions found at http://blogs.technet.com/sbs/archive/2006/07/13/441594.aspx .  I'm a sort of "quick fix" kind of guy, so the easier way is to go to the same tool, but then run the wizard.  The steps are: Start the Wizard   Click through the first two screens and set the updates to come from Microsoft Update Configure the proxy if required and press next.  Then press Start Connecting.  When done, press Next again. Select the language(s) you want to download Make sure "All Products"...

My SBS 2008 installation is pretty good, but one area I’ve noticed some problems was with ForeFront. I either had errors or at best warnings all the time about the scan engines. I would go and hit a manual update, but the bar would be 30-90% across and suddenly stop. When I looked in the event log I could see errors like these below. Searching the internet delivered me the KB article http://support.microsoft.com/kb/939411/en-us which talks about timeout issues, however even with the recommended change things did not resolve themselves. Source: GetEngineFiles Event ID: 6014 Level: Error Description: Microsoft Forefront Server Security encountered an error while performing a scan engine update. Scan Engine: AhnLab Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/AhnLab Proxy Settings: Disabled Error Code: 0xC0001F58 Description: The operation timed out. Source: Microsoft Forefront Security Event ID: 7003 Level: Warning Description: Not all of the selected engines enabled for updates...

This is another question I was recently asked. One particular user noticed that the certificate they saw when accessing their server from the internet did not match that when accessing from the LAN. The certificate looked something like this: This was a little strange as when the system was accessed from the intranet, all things appeared fine. The culprit for them was the SBS 2003 self signed certificate on the same machine. By removing the certificate and then installing the correct new one things got better. To remove the old certificate, start MMC.exe and accept the UAC prompt. Now press Ctrl+M to add a new snap-in and select Certificates and when asked, add for the user account . The do the same again, but select Certificates and Computer Account and hit OK to accept the current computer. Now expand out Personal Certificates and remove any SBS 2003 self signed certificates. To load the new certificates open a browser inside your SBS 2008 network and point to http://companyweb/Lists/Announcements/DispForm.aspx...

The Console setup process ( Once SBS is set up, how to do the basic configuration through the management console ) sets up SBS 2008 for use. OneCare for Servers provide anti-malware capabilities and is an important part of the system integrity. SBS 2008 comes with a trial of OneCare and so far I’ve found it very effective. Setup today requires two updates that it downloads and applies itself: Notice that the initial configuration immediately informs you that you need to update Start the process, tell OneCare which country you are in and and accept the EULA. The download starts, updates and finishes If you have an activation key, or wish to purchase one you carry on through the process, switching to a web site to complete the process Note, DO NOT try to activate your trial in the Technical Preview unless you have already been provided with a key If you have been going through the Console in order then this is it baring the enabling of Office Live. Finally, all the SBS 2008 entries can be found at http://davidoverton...

I have a Windows Home Server at home and I decided I wanted it to be responsible for handing out DHCP and DNS addresses in the house. All very good, but when I set up the services none of it worked because of the built in Windows Firewall. While I could have just turned off the Firewall I decided to learn how to put the holes into the firewall to make it work with the firewall, thus maintaining better security. A quick search of the web showed me many settings, but it did not seem to cover the whole picture – then I came across the MS site Windows Firewall Settings which has things broken down into these four handy sections that shall for ever more be my guides to ports and firewalls in the Microsoft world. What is more, as you will see later, the tips in here as to how to get things working, getting over common hurdles is quite stunning too: Windows Firewall Settings: Optional Components Windows Firewall Settings: Remote Administration Tools Windows Firewall Settings: Server Roles Windows Firewall Settings: Services...

Each month the TRM blog product this great summary of the Microsoft world in various product areas. The blog can be found here http://blogs.technet.com/trm/ News Help your customers securely deploy Windows Server 2008 with the Windows Server 2008 Security Guide! http://go.microsoft.com/fwlink/?LinkId=92550 Every day, adversaries attempt to invade your customers’ networks and access their servers—to bring them down, infect them with viruses, or steal information about customers or employees. Your customers are looking to Microsoft and Windows Server® 2008 to help them address these threats. To assist customers in taking full advantage of the rich security features in Windows Server 2008, Microsoft has developed the Windows Server 2008 Security Guide. The Windows Server 2008 Security Guide provides IT professionals with best practices, predefined security templates, and an automated deployment tool to help strengthen the security of servers running Windows Server 2008. Supporting Your Family, Friends, and Neighbours...

Today is the start of the Server 2008 PR ramp up. I can today tell you a bit more about Cougar, as was, or SBS 2008 as it will be, the new "family" that SBS is part of and a bit more on Windows Essential Business Server 2008 (aka Centro). Hopefully there will be a couple of surprises and also confirmation of some of the rumours around there. I've sliced the press release made today into 3 sections. This blog entry is based on the Essential Business Server 2008 section of which there is an extract below of some key points. The whole press release can be found at http://www.microsoft.com/presspass/press/2008/feb08/02-20EBFamilyPR.mspx . <snipped> Windows Essential Business Server 2008 for Midsize Companies Windows Essential Business Server 2008 is designed for the needs of midsize organizations with up to 250 desktops, helping IT professionals take control of their systems, reduce time spent “fighting fires” and focus more on strategic efforts to drive business growth. The solution includes built...

My background covers security and I've started reading this blog ( Security Vulnerability Research & Defense ) - it is excellent and definitely worth a read to understand how vulnerabilities work and how to mitigate them!! MS08-001 - The case of the Moderate, Important, and Critical network vulnerabilities Security bulletin MS08-001 addresses vulnerabilities described by two separate CVE numbers, as you can see in the bulletin. This post provides an overview of the two issues, the affected platforms and notes on the severity. We’ll be following this post up with two further entries that look at each issue in more detail. CVE-2007-0066 describes a vulnerability in parsing ICMP router advertisement packets. These packets are not processed by default on any supported version of Windows. If a computer is configured to process router discovery protocol packets and encounters this type of malformed packet, the Windows kernel will bugcheck (blue screen of death) and reboot. A separate blog post goes into more...

It is funny. As people get more used to patching operating systems they seem to think that makes them bullet proof on the whole system, yet this is simply not the case. With Microsoft products people are used to patching them as needed to reduce the security risks on their systems. Others will sight that their systems are already secure and therefore don't need patching. I remember a few years ago watching the outcome of a Hackathon and the losing team lost not because of the OS security, but because of the application on top of it being unpatched and insecure. If you have an application that uses Oracle, check it is being patched and secured as in a single month Oracle have been known to release 40+ patches. Now before you go and pat yourself on the back for being so good at not having any Oracle systems, you might need to check your Windows applications are also patched. Fro the Windows patch story, look at One-fifth of Windows apps go unpatched - down from 28% last May, but still need to be careful Survey...

Ahh, once again the joys of lessening the security on a device to enable modification or easier use shows its dark side. Once upon a time geeks could open and hack the software they bought and make their own world a better place. Now, more people do this without the knowledge of the risks they are taking or how to manage them. The result is that "other" things start to happen showing that the need for knowledge is even more important, especially with regard to security. First Trojan reported for the iPhone by Jim Dalrymple While not a huge risk, the first Trojan for the iPhone has been discovered. The first reports came from iPhone enthusiast site Modmyifone.com and were later confirmed by security research company F-Secure. <sniped> F-Secure reported that it was an 11-year-old kid playing with XML files who created the Trojan. “Next time it might be someone else with more skills and with specific target,” they said. Macworld | First Trojan reported for the iPhone ttfn David Technorati Tags: Security...

I saw this go around on a thread at work and I have seen it requested for those security conscious partners, so here is the answer (courtesy of Eric Ellis): 1) Via the Office Customisation Tool (OCT) and a custom MSP: — or — 2) Via Group Policy: The difference between the two is that using the OCT will preset the desired configuration during the initial installation (or in a maintenance mode change), but users can change the settings if they desire. Group policy enforces the desired configuration, and if a user makes a change to the setting, they will revert back to the settings defined in the policy during the next application session. ttfn David Technorati Tags: Office 2007 , Security , Internet , Group Policy , Office Customisation Tool , OCT

I'm sure you have heard that the Office 2007 Service Pack is here. Darren Strange has documented what is in it and how to get it at Office 2007 sp1 ready for download today and OfficeRocker! : More detail about sp1 . In answer to Susanne's post at here , hopefully this post has some more info in it One of the little things he puts that I like is: Some other factoids about sp1 There are roughly 2500 fixes in SP1. This an average size for a service pack, but the issues fixed are very important to our customers. Almost 20% of those fixes are direct result of customer requests. Over 500 of those fixes focused on security. There are a total of 24 different releases in 38 languages. There are 683 distinct packages. All have released simultaneously today. If you get the whitepaper then you would be keen to see the information below. Notice that SharePoint amongst other things a developer update to support Ajax and that other server products (Groove and Project Server) are also updated. Stability Microsoft continues...