Wednesday, November 09, 2005

Windows Desktop Search tool doesn't play nice with network drives

Here's one that deserves a post.

A client was having a sporadic problem with files becoming locked or marked read when they tried to save them on their Small Business Server. The problem seemed to be much more prevalent with extremely large files. Thinking it was something with the server, we moved all the data to another server and remapped everyone's drives to the new server. The problem continued to exist. Okay, it's either a network problem or a desktop issue. Even with a brand new fresh XP build with all service packs the problem existed. Alright! It must be a network problem. Let's just replace the switch and we will be done with it. Nope..... The problem still existed. Now we are scratching our heads. After numerous testing scenarios we realized that when a workstation first boots up it was going out and grabbing random files on the network share. What could be causing this?

It turns out that the Windows Desktop Search tool was configured to scan the mapped network drives. This inherently is not a bad thing, unless you have ten workstations doing this. What was causing files to get locked so people couldn't save them was that when most applications save an open file they create a temp file to write all the changes to and then merge the temp file with the original file. The problem turned out to be that when a user clicked save and the temp file was created, there were nine other workstations just ready and waiting to index that new file. If any workstation was indexing the temp file when the application wanted to merge the data into the original file, the app would throw an error that the file was locked by another user and could not be saved. The reason it was more frequent in large files is because they take longer to save; therefore the temp file sits there longer and has a better chance of being indexed. We disabled the indexing of the network share and file saves are working great now.

Wednesday, October 19, 2005

Mail Black Lists

Clients are always asking me why an email bounced. One of the first things I do is check to see if their mail server is on a black list. The best site I've found to do this is http://rbls.org/.

Sunday, September 25, 2005

Tivo Security

Want to hear something funny? Tivo doesn’t support RADIUS…… Can you imagine that? My home DVR doesn’t support a Remote Authentication Dial-In User Service. I’m just trying to secure my home network, but noooooooo! At least Tivo supports WEP.

Friday, September 16, 2005

Saturday, September 10, 2005

DHCP & SBS SP1

Susan pointed me to Raymond’s blog about a DHCP error after applying SBS SP1. One other problem that I’ve seen is when you apply SP1 it resets the default gateway the DHCP server issues to the server IP address. **NEWS FLASH** Not everyone uses the SBS server as their default gateway. It was a quick fix to set it back to the router, but something to note when you do an SBS SP1 install.

SMB Nation - What's your Niche

I’m sitting here at lunch listening to Kevin Weilbacher talk about the Auto Dealer niche. Man what a vertical to work with. I've bought enough cars to know that I don't like it. I just don't know if I could get over that to go in and ask them if they want an SBS server. I've got this preconceived notion that they will just try to haggle over every detail. I mean this is what they do for a living. I just don't think auto dealers are for me.

Tuesday, August 30, 2005

Marketing the Microsoft Way

Anne Stanton posted a summary of the Microsoft Marketing web seminar today on her blog. She summarizes several good points that were made during the presentation. The presenter, Lori Stutsman, had lots of good tips to help you market better. Here are a couple of things that stuck with me.

  1. Mix up your approach, but keep the same message. Different people respond to different mediums. Post cards, email, letters, etc.

  2. Stats say prospects have to be contacted three times to recognize your name and nine times to feel comfortable buying something from you. I like the Gentle Rain approach. Keep on them, but do it gently.

  3. The best time to send out an email campaign is Tuesday and Wednesday. The best time of day is high noon. Mondays and Fridays are out because of the weekend. Thursday isn’t good because people are trying to clear things off for the weekend. Does this mean we only really work two days a week???

  4. Microsoft is offering a $600 match for any campaign you launch through their web site. I took advantage of it a couple of weeks ago. Now I just have to sit back and wait for the clients to bust down my door. Right?

There were many more tips, so I encourage you to review the web seminar when it’s made available. http://www.msreadiness.com/

One comment that I wanted to make at the web seminar, but held my tongue, was that SonicWALL has been helping partners run campaigns for years and they are a hell of a lot cheaper than MS. I have to give MS points for trying.

Thursday, August 25, 2005

SonicWALL TZ170 and WSUS.... You two play nice now!

Here's an interesting problem that I encountered this week. I installed Windows Server Update Service (WSUS) a couple of weeks ago on my server. I put the computers into groups and approved all of the updates. I figured I was good to go, but after a week I noticed that I wasn't getting updates at the desktops. Further investigation showed that after I approved the updates the download of the updates failed. After a bit of troubleshooting I determined that the cause was the Gateway Anti-Virus (GAV) and Anti-Spyware (AS) on my SonicWALL TZ170. If I turned the GAV and AS off the updates would download. The troubling part was that the SonicWALL was not logging the failure. I opened a case with SonicWALL and level 1 & 2 support had me try all kinds of things, none of which worked. I finally got to 3rd level support and they had me do the following.

Go to http://yoursonicwallip/diag.html, then click on internal settings, check the box for Enable HTTP Byte-Range requests with Gateway AV, and apply the change.

This corrected the issue, but I am still waiting on an answer as to why the failure was not being logged. To make things even more complicated it only seems to be a problem on the Standard OS. I have a client with a TZ170 running the Enhanced OS and WSUS. They have no problems getting the updates to download.

Such is life.

Tuesday, August 16, 2005

SonicWALL's secret... shhh

Here's an undocumented 'best practice' from SonicWALL. If you have multiple VPN tunnels on one box you should have a different shared secret for each tunnel. Currently this is not documented, but hours on the phone with SonicWALL have proven the 'feature' to be true.

Service Packs, Patches, and Upgrades Oh My!

For the last week I've been eating, breathing, and sleeping one of the above. I performed three SBS 2003 SP1 installs. Don't let anyone kid you, these take a looooong time to install. The actual install is not that overly complicated. The work comes pre and post install. It also doesn't help that the service packs are huge and take a long time to install. If you're preparing to install SP1 you have to read this (note it's five pages). It's hands down the best guide out there. Holla to the MVPs on this one. They did a great job.

The other upgrade I've been blessed with this week is Symantec AntiVirus Corporate Edition 10.0. Symantec was nice enough to publish a migration document. I had one moving from 8.0 to 10.0.... NIGHTMARE. I'm also performing a 9.0 to 10.0 upgrade today. I'm hoping it will go well. What made the first a nightmare was the legacy stuff that was on the workstations. Someone had done a partial install of Norton System Works on every workstation. This caused the 10.0 client install to barf. It was complaining that Symantec A/V 2003 was installed on the workstation. Please remove yada yada yada... Well it certainly didn't appear to be installed on the workstations. Hmm, must be something in the registry. Symantec has a procedure for manual removal of their products here. After the manual removal I rebooted as instructed. When the workstation came back up it wouldn't pull an IP address from the DHCP server. Nice!!! Off I go hunting. After a little looking I find that the manual removal had me delete the Symtdi service. Well wouldn't you know it, the DHCP Client service has a dependency on that service. I delete the dependency in the registry and I'm now pulling an address again. I still couldn't install the 10.0 client. GRRRR. Okay, now I'm getting mad. Reaching into my bag-o-tricks I pull out Process Explorer from SysInternals. What a great little tool. I manage to determine that the 10.0 client is writing an install log to C:\Documents and Settings\UserName\Local Settings\Temp. Having a look at the log file I could see that the install process was searching and finding a registry entry for SAV 2003. This registry key was not listed in the manual removal procedure. A quick search and destroy for the offending key and boom, I'm now installing the 10.0 client.

Tuesday, August 09, 2005

Bad Symantec! No Updates For You!

There have been some reports of the new Symantec AntiVirus Corporate Edition 10.0 causing blue screens on servers. Here is Symantec's list of fixes. Hope this saves someone a little trouble.

Monday, August 08, 2005

Root partition full? I can help!

Many of the Small Business Server 2003 installs you come across have everything installed on the root partition (C: drive). The other problem is that the root partition was created too small. Since many service packs, patches, and applications require a minimum amount of free space, you may need to move some things off of the C: drive. Almost anything that is installed on the C: drive can be moved. For a comprehensive document on moving data folders off the root partition follow this link. For detailed procedures for moving the ClientApp folder follow this link. Since the ClientApp folder can take up over 1Gb of space it's the first thing I move when I need space.

Sunday, June 26, 2005

SBS 2003 & Security... Things you need to do to a new install

Top 10 Security Recommendations
To expedite installation and configuration, setup doesn't enable several obvious security controls. Here's a list of 10 adjustments you can implement to make the server more secure and to monitor events that might warn of malicious activity. The fastest way to implement these controls on workstations and servers that aren't domain controllers (DCs) is to modify the Domain Security Policy settings under Administrative Tools. The price you pay for using the fastest method is that, after you alter the default policies, you can't revert to a previously working Group Policy. If you prefer to work with a guaranteed fallback position, you should create separate Group Policy Objects (GPOs) that implement these settings on the server and SBS clients.

1. Administrator account: To eliminate a well-known target, rename the administrator account on the server. Perform this task manually in the Server Management Users key (right-click Administrator and select Rename User from the drop-down menu). The online Help gives step-by-step instructions for using a GPO to automatically rename the Administrator account on the server and all Windows XP and Win2K workstations.


2. Passwords: Setup prompts you several times to enable a password policy that enforces length, complexity, and password-history rules. If you don't enable the password policy during the initial setup, you can enable the default password policy later by expanding the Users link in the Server Management console and clicking Configure Password Policies. You can also enable a password policy by modifying the Domain Security Policy under Administrative Tools. The Server Management Users link displays only accounts that you add after the server is up and running; to view the built-in accounts and groups, open the Active Directory Users and Computers link under Advanced Management.


3. Interactive and network account lockout: Setup doesn't enable account lockout for failed local or network logon attempts. To enable account lockout for failed interactive and network logons, go to Start Menu, Administrative Tools and open the Default Domain Security Policy. Expand the Account Policies key and define all three account-lockout controls. I routinely set the lockout threshold to 3 and the duration and reset values to 47.


4. Remote access account lockout: If you offer VPN access to the server, you should also enable remote access account lockout. Remote account lockout has no GUI interface, so to implement this feature you must modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout registry subkey as follows:

* The value entry MaxDenials:REG_DWORD enables or disables remote access account lockout. This feature is disabled by default, so MaxDenials is initially set to 0. To enable lockout, set MaxDenials to the desired number of failed logon attempts that will lock out the account.

* The value entry ResetTime:REG_DWORD defines the number of minutes the account will remain locked out. By default, this value is 2880 minutes. I recommend you change the ResetTime to a more reasonable value between 30 and 47 minutes.

When RRAS locks out an account, the service creates a temporary registry key below AccountLockout by using the format \. You can manually reset a remote account lockout by deleting this key, which is a handy tip when emergencies arise.
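
An added example (not part of the original post): a Python check that reads the text output of `reg query` for the AccountLockout subkey and applies the thresholds described above. The sample output is constructed, the lockout subkey name is a placeholder, and the check accepts any value name beginning with ResetTime (the sample uses `ResetTime (mins)`).

```python
import re

BASE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
            r"\RemoteAccess\Parameters\AccountLockout")

# Constructed sample of `reg query <BASE_KEY> /s` output (not taken from the post).
# The subkey name is a placeholder; the post does not show the real name format.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
    MaxDenials    REG_DWORD    0x5
    ResetTime (mins)    REG_DWORD    0xb40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\PLACEHOLDER-LOCKED-ACCOUNT
"""

# An indented line of the form "<name>  REG_DWORD  0x<hex>"
VALUE_RE = re.compile(r"^\s+(.+?)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_lockout(reg_output):
    """Return (DWORD values under AccountLockout, names of subkeys below it)."""
    values, locked, current = {}, [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            current = line.strip()
            # Any key below AccountLockout is a temporary lockout entry.
            if current.upper().startswith(BASE_KEY.upper() + "\\"):
                locked.append(current[len(BASE_KEY) + 1:])
            continue
        match = VALUE_RE.match(line)
        if match and current and current.upper() == BASE_KEY.upper():
            values[match.group(1).strip()] = int(match.group(2), 16)
    return values, locked


def audit_lockout(reg_output):
    """List deviations from the settings recommended in item 4."""
    values, locked = parse_lockout(reg_output)
    findings = []
    if values.get("MaxDenials", 0) == 0:
        findings.append("MaxDenials is 0: remote access account lockout is disabled")
    reset = next((v for k, v in values.items() if k.startswith("ResetTime")), None)
    if reset is not None and not 30 <= reset <= 47:
        findings.append(f"ResetTime is {reset} minutes; the post recommends 30 to 47")
    for name in locked:
        findings.append(f"locked-out entry present: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_lockout(SAMPLE_REG_QUERY):
        print(finding)
```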

5. Security auditing: Setup enables success auditing for six of the eight security audit categories on SBS DCs. Although success auditing helps you track user activity, failure auditing is the only way you can track potential intrusion attempts. At a minimum, enable failure auditing for account logon events, account management, logon events, policy change, and system events. On SBS workstations, enable failure audits for account management, logon events, policy change, and system events. Workstation Security event logs can expedite the process of diagnosing and isolating an infected system.


6. NetBIOS and WINS: SBS supports legacy Windows 9x clients that rely on NetBIOS name resolution. When you consider how unreliable these old systems are and the long history of successful NetBIOS exploits, the decision to support legacy clients is difficult to understand. If you can mandate that all SBS customers use XP and Win2K workstations, you can tighten security by stopping the WINS service (this closes two open TCP ports and two open UDP ports) and setting the startup type to disabled. If you can live without NetBIOS, you should also disable LMHOSTS lookup and NetBIOS over TCP/IP (NetBT) on all network adapters. Setup enables both these features by default on the adapter for the internal network.


7. Remote access connections: If your site has more stringent security requirements, for example, a law office or drug-testing facility, I recommend you modify the default Remote Access Policy to negotiate Layer Two Tunneling Protocol (L2TP) instead of PPTP connections. When you enable any type of incoming VPN connections, the remote access wizard automatically creates an IP spoofing filter on the external interface to prevent users on the Internet from masquerading as an internal system to gain access to network resources.


8. Server monitoring and reporting: Configure and activate the Monitoring and Reporting tool. This utility uses a SQL Server MSDE 2000 database engine to store and report data that affects system performance, preconfigured and site-specific alerts, services that should be running but are stopped (e.g., the spooler service or WINS), warning and error messages in the six event logs, and system shutdown and restart activity. Review the logs frequently to monitor server usage and critical security events.


9. Client administrator group: The SBS client setup utility automatically adds local user accounts to the workstation's Administrator group. To limit potential damage from malicious software (malware) that runs in the context of the locally logged-on user, you might want to move local accounts out of the Administrators group and into the Users group.


10. Test your firewall: Regardless of whether you have a separate firewall or you enable the SBS basic firewall, run Nmapwin (see "Tools for Your Security Arsenal") to probe the Internet connection and the internal network connection. After you identify the firewall's attack surface, run Active Ports to identify which process or service is listening on which port (and which TCP/IP address). Using information from both tools, you can further reduce the network's exposure by adding firewall rules or stopping services that aren't required.

Friday, June 10, 2005

How to make SBS and Antivirus play nice together

Most new clients I visit don't have the proper (or any for that matter) exclusions set up in their Antivirus programs. Microsoft recommends that you exclude the following directories and files on your Small Business Server to prevent corruption and slow response from your Exchange server.

Note: These are the default installation directories. Your server install path may be different.

C:\Inetpub\mailroot
C:\WINDOWS\system32\inetsrv
C:\Program Files\Exchsrvr\SERVER_NAME.log
C:\Program Files\Exchsrvr\Mailroot
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue
C:\Program Files\Exchsrvr\MDBDATA
C:\Program Files\Exchsrvr\mtadata
C:\Program Files\Exchsrvr\srsdata
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

If you're running Trend Micro CSM you will also want to exclude the following directories.

C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Virus
C:\Program Files\Trend\SMCF\tempdir
C:\Program Files\Trend\Smex\Alert
C:\Program Files\Trend\Smex\bkup
C:\Program Files\Trend\Smex\Temp
C:\Program Files\Trend\Smex\Virus
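
An added example (not from the original post or from Microsoft): a Python check that compares a scanner's configured exclusions with the SBS/Exchange list above, reporting recommended paths that are not excluded and exclusions that are broader than the list, since every extra excluded folder is a place the scanner no longer looks. The configured list and the server name SBS01 are constructed sample values.

```python
from pathlib import PureWindowsPath

# Default-install exclusion paths from the post (SERVER_NAME is its placeholder).
RECOMMENDED = [
    r"C:\Inetpub\mailroot",
    r"C:\WINDOWS\system32\inetsrv",
    r"C:\Program Files\Exchsrvr\SERVER_NAME.log",
    r"C:\Program Files\Exchsrvr\Mailroot",
    r"C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup",
    r"C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue",
    r"C:\Program Files\Exchsrvr\MDBDATA",
    r"C:\Program Files\Exchsrvr\mtadata",
    r"C:\Program Files\Exchsrvr\srsdata",
    r"C:\Program Files\Microsoft Windows Small Business Server"
    r"\Networking\POP3\Incoming Mail",
]

# Constructed sample of what an administrator might have configured.
CONFIGURED = [
    r"C:\Inetpub\mailroot",
    r"c:\windows\system32\inetsrv",   # same path, different case
    r"C:\Program Files\Exchsrvr",     # whole Exchange tree, binaries included
    r"C:\Temp",                       # not related to the list at all
]


def audit_exclusions(configured, server_name):
    """Compare configured AV exclusions with the recommended list.

    PureWindowsPath compares case-insensitively and ignores trailing
    separators, which matches how Windows treats these paths.
    """
    rec = [PureWindowsPath(p.replace("SERVER_NAME", server_name))
           for p in RECOMMENDED]
    cfg = [PureWindowsPath(p) for p in configured]

    # Recommended path is covered if it, or one of its parents, is excluded.
    missing = [str(r) for r in rec
               if not any(c == r or c in r.parents for c in cfg)]
    # Exclusion is a parent of a recommended path but not itself on the list.
    too_broad = [str(c) for c in cfg
                 if c not in rec and any(c in r.parents for r in rec)]
    # Exclusion has no relationship to any recommended path.
    unrelated = [str(c) for c in cfg
                 if c not in rec
                 and not any(c in r.parents or r in c.parents for r in rec)]
    return {"missing": missing, "too_broad": too_broad, "unrelated": unrelated}


if __name__ == "__main__":
    for kind, paths in audit_exclusions(CONFIGURED, "SBS01").items():
        for path in paths:
            print(f"{kind}: {path}")
```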

Sunday, May 15, 2005

Is your Peachtree running slow?

I had a client just start complaining that when they were working in and closing Peachtree it would 'hang' their computer. After a couple hours of digging in Google and Peachtree support I came across a good post talking about how a large database could slow down Peachtree performance. I checked and they had a 60Mb database. Doesn't sound that large, but Peachtree claims you can see degraded performance with a 10Mb database. I tested my theory by opening the sample company that comes with Peachtree which was 400Kb in size. It opened and closed like a champ.

What can you do to fix it? Not much. You can close out fiscal years, but you lose all the year's details. My client decided to just live with it for right now.

Friday, April 29, 2005

SBS 2003 port assignments

Always searching the internet for the ports used for SBS 2003, I decided to post them in a place I can always find them. You would think I could memorize this short list, but I'm horrible at remembering numbers.

Ports that Enable Remote Access to SBS Services

| TCP Port | Service | Description |
|---|---|---|
| 21 | FTP | Enables external and internal file transfer |
| 25 | Exchange Server | Enables incoming and outgoing SMTP mail |
| 80 (http://) | IIS | Enables all nonsecure browser access, including: internal access to IIS Webs including the company Web, Windows SharePoint Web, Windows SharePoint administration Web, and server monitoring and usage reports. Enables internal access to Exchange by OWA and OMA clients |
| 110 | POP3 | Enables Exchange to accept incoming POP3 mail |
| 123 (UDP port) | NTP | Enables the system to synchronize time with an external Network Time Protocol (NTP) server |
| 143 | IMAP4 | Enables Exchange to accept incoming IMAP4-compliant messages |
| 220 | IMAP3 | Enables Exchange to accept incoming IMAP3-compliant messages |
| 443 (https://) | Outlook | Enables all secure browser access, including external access to Exchange for Outlook 2003, OWA, and OMA clients; required for external access to server monitoring and usage reports |
| 444 | Windows SharePoint Services | Enables internal and external access to the SharePoint Web |
| 500 | IPSec | Enables external VPN connections by using IPSec |
| 1701 | L2TP clients | Enables external L2TP VPN connections |
| 1723 | PPTP clients | Enables external PPTP VPN connections |
| 3389 | Terminal Services | Enables internal and external Terminal Services client connections |
| 4125 (Note: you can change this port in RRAS) | Remote Web Workplace | Enables external OWA access to Exchange, plus internal and external HTTPS access to the client Web site |
| 4500 | IPSec | Internet Key Exchange (IKE) Network Address Translation (NAT) traversal |
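
An added example (not part of the original post): a Python check that takes `netstat -ano` output from the server and sorts its listeners against the table above, so anything listening that is not on the list, or is on the list but was never meant to be published, gets reviewed before a firewall rule is opened. The netstat sample, its addresses and PIDs, and the `published` set are constructed for illustration.

```python
# Ports from the table above. The table groups them under "TCP Port"; IKE (500),
# L2TP (1701) and NAT traversal (4500) are carried over UDP, so this check
# matches on the port number for either protocol.
SBS_PORTS = {
    21: "FTP", 25: "Exchange Server", 80: "IIS", 110: "POP3", 123: "NTP",
    143: "IMAP4", 220: "IMAP3", 443: "Outlook",
    444: "Windows SharePoint Services", 500: "IPSec", 1701: "L2TP clients",
    1723: "PPTP clients", 3389: "Terminal Services",
    4125: "Remote Web Workplace", 4500: "IPSec",
}

# Constructed `netstat -ano` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2212
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1500
  TCP    192.168.16.2:1042      192.168.16.50:443      ESTABLISHED     3000
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    0.0.0.0:500            *:*                                    612
"""


def parse_listeners(netstat_text):
    """Return (proto, address, port, pid) for TCP listeners and bound UDP ports."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a state column; keep only sockets accepting connections.
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        address, _, port = fields[1].rpartition(":")   # also handles [::]:80
        pid = int(fields[-1]) if fields[-1].isdigit() else None
        listeners.append((fields[0], address, int(port), pid))
    return listeners


def audit_listeners(netstat_text, published):
    """Split network-reachable listeners into review buckets.

    published: port numbers the administrator intends to expose.
    """
    unlisted, unpublished = [], []
    for proto, address, port, pid in parse_listeners(netstat_text):
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback only, not reachable from the network
        if port not in SBS_PORTS:
            unlisted.append((proto, port, pid))
        elif port not in published:
            unpublished.append((proto, port, SBS_PORTS[port], pid))
    return {"unlisted": unlisted, "unpublished": unpublished}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_NETSTAT, published={25, 80, 443})
    for bucket, rows in report.items():
        for row in rows:
            print(bucket, row)
```

The PID column is what ties each finding back to a process, which is the step the post's item 10 performs with Active Ports.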

Tuesday, April 26, 2005

Reinstall Your Default Web Site Version 2

So after I regrouped from the nightmare of recovering the default web site in SBS 2003 I started looking a little deeper into how it all worked. During my research I came across KB 887305 that gave instructions on how to reinstall IIS on SBS 2003. It never occurred to me to reinstall IIS since there was nothing wrong with it. Well the reinstall procedure blows away the existing default site and recreates it. I followed the procedures and it worked like a champ. Man I could have used this info a couple of days ago...

Friday, April 22, 2005

SBS 2003 default web site... Guard it with your life

I had a rough couple of days at a new client. I was called in because the original consultant who installed the SBS 2003 server was unable to get all the features working correctly. There was a laundry list of problems, but mainly he couldn't get the client's iPAQs connected to their server when they were in the field. After several months of trying to get things working he stopped returning the client's phone calls. The client then had a "friend" look at the server to see if he could get it to work. Being the security minded person that he was, he deleted the default web site in IIS on the server. This opened up a huge can of worms. Suddenly the client had ten salespeople that could not even access their email from OWA. That's when they called me. I came in to find a server that was so messed up it wasn't even funny.

* AV not running on the server
* AV updates not being pulled down to the clients
* All websites deleted from the server
* No full backups (at least they were backing up their user data)

And the list goes on....

All these things need to be addressed, but I need to get OWA working again. You would think that something as important as the default web site would be easy to reinstall. I searched high and low for a solution to reinstall the default web site. I did find a kb article on how to get company web and Sharepoint admin back. Things would have been so much easier if proper backups were being done.

As I thought through the issue my partner came up with the idea of building a parallel server with the same config and then just copying the sites over. Hey, that's just crazy enough to work! Six hours later I had built up another server and migrated the IIS sites over to the client's server. Holding my breath I entered the OWA address in IE.... No dice. I spent the next five hours plowing through every setting on the default web site. If you've never looked, there are about 10,000 of them. I finally got it to work for the most part. If you ever have to do this you will need to do a couple of things.

* A migration tool (I used IIS Export Utility)
* Check the NTFS permissions on the files
* Check the Directory Security of all sites and virtual directories in IIS
* Reinstall any SSL certificates

After all this RWW works as designed and OWA works, but you are challenged with a password popup rather than the OWA login page. Oh well. It works and the server will need to be rebuilt because of all the cooks that have been in the kitchen. The client was happy that his sales staff can get their email and that's all that matters.