SBS2003 standard and VPN issues

We were recently trying to get VPN access to an SBS 2003 standard install. Everything we tried just didn’t work. We ran and re-ran the wizards, checked that the right ports on the hardware firewall were forwarded but still no luck. Typically, we would get the message that the VPN was connecting but during authentication it would simply time out and we would receive a message that the VPN had been disconnected.

Turns out that the problem lay with the hardware firewall. What finally ended up resolving the problem was a simple upgrade of the firewall firmware. Once completed the VPN worked a treat. Initially you just never stop and consider that the hardware firewall (external to SBS2003) could be the issue. It works and has always worked so why should it be a problem? Well, in this case it certainly was the problem.

Another handy tip we’d give you is to always back up the configuration of the hardware firewall before you upgrade the firmware. Over time a lot of changes can be made to a hardware firewall that are not always documented.

Book review – Spies Among Us

Spies Among Us: How to stop spies, terrorists, hackers and criminals you don’t even know you encounter every day by Ira Winkler was a little disappointing we thought. Well, probably the most likely reason is that we’ve heard it all before. Security isn’t a destination, it is a process, as all good security professionals know. Ira’s book covers a wide range of topics but the answers are always very simple and usually just require common sense. We suppose that in this day and age that is what is missing from most people. Why would someone from Nigeria ask you to allow them to transfer money through your account for a significant handling fee? C’mon, now really, but you’d be amazed at how many people that scam alone fools. From memory we think email scams are Nigeria’s largest earning export.

This book is probably a good read for someone who really hasn’t had to think too much about security. It does provide plenty of real world examples of how professionals perform penetration tests of businesses and generally how they walk away with the information they require within a few days. It is probably a good book to get your boss to read to convince them to spend more on security but as we all know this is highly unlikely. Why? Simply because security is all about maintaining the status quo in management’s eyes. They think that it doesn’t contribute to profits and it doesn’t reduce expenditure so what good is it? In the face of this sort of attitude we like to ask – “What do you have to do to be 100% certain that a break in will not re-occur once your computer systems have been compromised?” – Answer “The only way to be 100% certain is to wipe EVERYTHING (servers, workstations, the lot) and reload”. How expensive is that going to prove boss?

The cost of proactive security is always far cheaper than reactive security but not many businesses understand that until it is too late. If you don’t see the benefit of security then read Spies Among Us before your business becomes a victim.

High processor utilization after SBS2003 Service Pack 1 installed

Recently we upgraded an SBS 2003 Standard system to Service Pack 1 and everything went well until the following day when we received all these processor idle time warnings. When we logged in we found that indeed the processor usage was averaging above 50%. Hmmm.. we looked at the task manager and found that the process “System” was consuming an abnormal amount of processor time.

We then loaded processor monitor from Sysinternals, which showed all the processes that form part of system, to help us determine where the problem lay. We didn’t install the Microsoft debugging tools like you are supposed to so we couldn’t really identify where the issue lay. Hmmm.. most likely some sort of system driver needed updating.

We had updated the system BIOS before performing the Service Pack upgrade so it couldn’t be that. Our thoughts turned to the hard disk drivers being the next most likely option. When we looked at the HP drivers site for the server we were confused as to exactly what disk drivers the server had. We became hesitant about applying this sort of driver update remotely. Hmmm…

After a little more contemplation we got the feeling that this issue was remarkably like another we had seen previously. A while back we saw issues where an SBS2003 server would slow to a crawl when it had Etrust 7.X installed. That little bug took us over 6 months to solve. The problem turned out to be an update of the Etrust realtime drivers. These updates can be found here.

We then checked the dates on the realtime CA files, INO_FLTR.SYS and INO_FLPY.SYS, located in the WINNT\SYSTEM32\DRIVERS directory and they were pretty old. Thinking that updating these was a good first step we downloaded the realtime updates from the CA web site and applied them to the SBS 2003 server. Of course applying the updates required the server to be rebooted (what doesn’t these days?).

After the reboot, guess what? The processor activity returned to normal. Who ever thought that such small files could cause problems? But we suppose when you consider that any realtime antivirus works at a pretty low level most of the time on a server, it makes sense that old realtime files can cause problems.

So in summary, if you are seeing high processor activity on an SBS 2003 server with Etrust V7.X antivirus installed, our advice is to try applying the realtime updates first (you’ll need to reboot your server for them to take effect).

SharePoint workflows

We have spent the week converting our old SharePoint 2003 site into a new SharePoint 2007 site. We loved the old SharePoint but the new 2007 version is even better if that is possible. One of our favourite features so far has gotta be wikis and search. We have entered all our in-house knowledge base as a wiki and now we can do a search on the content. This is great when you are out on a customer’s site and need to remember something you’ve got documented. Simply dial up SharePoint remotely, do a search and bingo there’s the info you need. Makes you look like a hero in the eyes of the client.

However, we feel that the greatest asset of SharePoint 2007 will be its ability to handle workflow. Simply put, this means that you can systemize a business process. For example you can create a document library that contains an expense spreadsheet template. To lodge a new expense claim you create a new file from the template and save it back to the document library. Once saved the workflow kicks in prompting other SharePoint users to approve the expenses. Once they have approved it the information can be forwarded to someone else for payment. How many business processes do companies have that would benefit from workflow? We know we have heaps and are sure most other people do as well.

Well, after coming to grips with most of what the new version of SharePoint has to offer we decided that it was time to conquer workflows. We were disappointed to find that out of the box Windows SharePoint Server only comes with one workflow. Office SharePoint Server has more but surely there must be others available for Windows SharePoint. Next stop Google. Unfortunately, not much luck here: we couldn’t find any pre-built add-on workflows we could simply import into SharePoint. What now?

After a bit more research we discovered that you can create your own workflows using Microsoft SharePoint Designer 2007. Now we’ve used Microsoft FrontPage extensively to create all sorts of web sites but SharePoint Designer certainly appears to be a step closer to a designer tool like Visual Studio. Not to be intimidated we started looking at the inbuilt help for the product and were surprised at how helpful it really was.

A short time later we had created and integrated our very first workflow into our SharePoint 2007 site. It really was a snap. Sure it is only a test workflow at this stage and it doesn’t do anything flash but we can really see the power of SharePoint Designer now in just helping create workflows alone, never mind all the other cool stuff it can do with SharePoint. Just imagine being able to walk into a business with SharePoint Designer and automate a business process then and there. Then imagine being able to create “standard” workflows that you can install on other SharePoint sites. Just imagine.

If you thought SharePoint 2007 was a revolution, try combining it with SharePoint Designer, then you’ll really see what can be done. There is no doubt in our mind, SharePoint 2007 is going to be a HUGE product for Microsoft.

Wanna know why Vista took so long and will cost so much?

If you do then you should read this article about the Cost analysis of Windows Vista Copy protection. You’ll find the article at:

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Here’s the Executive summary:

“Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.”

It would seem that Microsoft has spent a hell of a lot of time and effort basically trying to appease Hollywood, who fear their “content” being stolen. The article details how Vista will be slower and less stable for all users with “features” designed to prevent copying by a small minority. Such “features” also appear to have wide ranging effects on the whole PC industry, with providers of accessories, such as graphics cards, needing to comply with these “murky” standards to get their equipment working in Vista PCs.

The scary part appears to be the fact that Vista will disable or degrade an interface (say video output) if it senses premium output. So let’s say that you are working on a spreadsheet while trying to watch a HD movie. If Vista doesn’t like the HD movie then guess what, the whole screen may go blank as the interface is shut down. The other interesting “feature” is the inclusion of “tilt bits”. “Tilt bits” monitor the bus for “abnormal activity” and if detected shut down the bus. This is supposed to prevent people inserting equipment in a PC to bypass software protection.

We highly recommend you read the article (which has much better explanations and details) and decide for yourself. The more you start to look at what is presented here the more you see how running Vista could be a problem. What we want to know is why the hell didn’t Microsoft put all this time and effort into adding the features they initially said they would or improving security? Instead we potentially have an operating system with inclusions for a very small minority of the population but with ramifications that could affect the whole industry.

Managing SQL 2005 memory in SBS 2003 R2

When we install SBS 2003 Premium with SQL 2000 we normally go into the SQL Manager and manually limit the total amount of memory that SQL can use. This generally gives better performance for the whole SBS box. We certainly wish we could do this with Exchange, but alas no.

Now we have been trying to do the same on SBS 2003 Premium R2 which includes SQL 2005. Nowhere could we find a place to manually limit the memory. After some research it turns out that tools to do this aren’t even installed on the server by default. What you need to do is go back into Control Panel | Add and Remove Programs, select SQL 2005 and Change. When the application launches you need to modify the installation to install the Management tools. You will be asked for the Premium Technology CD 2 to install the software. After what seems like a long time the tools will be installed and you can then run the Management tool to limit the maximum amount of memory SQL 2005 uses.

We’ll detail specific steps to limiting the memory in our next post but the first step is to install the SQL Management tools on SBS 2003 R2 Premium, which aren’t installed by default.

Using Windows Vista and Outlook 2007 in a Windows Small Business Server 2003 Network

Document from Microsoft:

Brief Description
Use this document to join computers that are running Windows Vista to your Windows Small Business Server 2003 network using the “Update for Windows Small Business Server 2003: Windows Vista and Outlook 2007 compatibility (KB 926505)”.

Overview
The “Update for Windows Small Business Server 2003: Vista and Outlook 2007 compatibility (KB 926505)” adds support for the Client Deployment tools in Windows Small Business Server (Windows SBS), and it resolves compatibility issues for running Windows Vista and Microsoft Office 2007 in a Windows SBS network. Use this document to join computers running Windows Vista and Outlook 2007 in your Windows SBS network.

And guess what? You can only install this update on your SBS 2003 server if you have already installed Service Pack 1.

Update for SBS 2003 to support Vista and Outlook 2007

You can now download a fix from Microsoft (KB 926505).

Brief Description

This update adds support for the Windows SBS Client Deployment tools along with other compatibility issues for Windows Vista and Office 2007 in a Windows SBS network. For the full list of updates necessary for Windows Vista and Outlook 2007 compatibility see the Instructions section.

Overview

You can use the Client Deployment tools in Windows SBS to easily connect a client computer to your Windows SBS network. You can also use the tools to configure the correct settings to support solutions that are specific to Windows SBS (like remote access to your office computer).

This update, together with the additional updates and service packs listed later in this section, addresses compatibility issues with Windows Vista and Office 2007 in a Windows SBS network, including the following:

  • Support for the Business, Ultimate, and Enterprise editions of Windows Vista (including both 32-bit and 64-bit). This update does not apply to Windows Vista Home.
  • Updated Client Deployment tools, so you can configure the newer versions of components in Windows Vista.
  • Changes that make a user who is assigned to a computer that is running Windows Vista an administrator in Admin Approval Mode.
  • Changes to Group Policy to support configuration of the new Windows Firewall in Windows Vista.
  • Configuration of Microsoft Office Outlook 2007 (MAPI profile, not Outlook deployment) for client computers that are running Windows XP or Windows Vista.
  • A small change to the user experience when joining Windows Vista to the Windows SBS domain using http://server/ConnectComputer to address Internet Explorer 7 in Protected Mode.
  • Changes to Remote Desktop settings that support Windows XP and Windows Vista.
  • Changes to the Power Management settings to support Remote Desktop.