Category: Server 2008


This is inside a component that is on nearly every Microsoft machine worldwide.  This includes all versions of XP, Vista, 7 and the server versions.  There is no Windows Update yet.  Please use the fixit for me link for a hotfix.  This is a patch for this issue but it may cause issues since it’s not been fully validated.  However, this problem allows remote system takeover via IE AND Office.

The link to the fixit is here. 

 

Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution.

Update your machines now.  If you are running a server with RDP exposed, first firewall it off the internet, then use another actual secure VPN to get to that server and update.  I would then never allow RDP direct access to the net again.

Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required.

The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon’s EC2 and other cloud services. That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001.

“This type of vulnerability is where no user intervention or user action is required and an attacker can just send some specially crafted packets or requests, and because of which he or she can take complete control of the target machine,” Amol Sarwate, director of Qualys vulnerability research lab, said in an interview. While RDP is not enabled by default, he said the number of machines that have it turned on is a “big concern” because it is so widely used in large organizations and business settings.

The bug affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8. It was privately reported by Luigi Auriemma, an Italian security researcher who frequently focuses on vulnerabilities in industrial control systems and SCADA, or supervisory control and data acquisition, systems used to control dams, gasoline refineries, and power plants.

Microsoft said there’s no indication the vulnerability is being used in the public to attack Windows users at the moment, but the company predicts that could change.

“Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Suha Can and Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in an advisory published Tuesday.

via Critical Windows bug could make worm meat of millions of high-value machines.

I got Hyper-V working finally here at my office.  I now have one box hosting 3 virtual machines.  VM 1 is my Astaro firewall.  VM 2 is my main AD file/print/authentication server.  VM 3 is my Astaro Command Center which aggregates status and updates from my Astaro and my other client installs to me.  This allows me to monitor all of my Astaro easily in one spot without having to constantly individually touch each machine.  My power usage used to idle at nearly 130 watts.  My idle power now hovers around 60 watts.  I now average less than 90 watts which means nearly half of my power budget is now gone.  The host machine is running Server 2008 R2 Enterprise with Hyper-V.  It has three physical NICs.  It also mirrors all functions of the main server except for file serving.

As for resource allocation here is the breakdown:

VM1: 4 vcpus, 2 gigs of ram(static), 3 virtual nics, 80 gigs of dynamic storage on RAID 1, 25% total system cpu ghz reserved with the ability to burst to 50% usage with medium priority.

VM2: 2 vcpus, 2 gigs ram(static), 1 virtual nic, 500 gigs of dynamic storage assigned on its own RAID 1 array, 0% cpu reservation with burst to 25% cpu with medium priority.

VM3:  4 vcpus, 1 gig ram(static), 1 virtual nic, 120 gigs of dynamic RAID 1 storage, 0% cpu reservation with burst to 25%.

 

Right now the host machine spends most of its time at idle.  Considering how little power this draws it will pay for itself in under 1 year.

I currently have two virtualization projects going.  One is to convert 3 physical servers to Hyper-V and one is to convert 3 physical servers to KVM.  Unfortunately p2v on a domain controller is not only not recommended, it doesn’t work well.  Also there is no supported upgrade path from Server Foundation to anything but Standard.  I have Foundation and Enterprise.  So I am firing up a new Enterprise VM and then will manually mount the VHD from the Foundation backup to grab the files.  It’ll be a permissions nightmare for a bit but I’m used to that..:)  Once I get my AD domain migrated then it is time for Astaro.  Then I decom two boxes, saving myself 200 watts of continuous draw.  The draw goes down to about 60 watts.  Keep watching for the KVM conversion.  That one is going to be easier.

Short Answer: No.

 

Why do I say this?  If you are already running SBS2008 there is no compelling reason to upgrade.  SBS2011 is based upon Server 2008R2.  This version of Windows server goes out of primary support in 2014.  This means the newest SBS server software is based upon what is soon to be an outdated server platform.  Why do I say this?  Server 2008R2 goes out of primary support in June of 2013.  I’m not keen on spending large amounts of money on what is soon to be outdated software.  Sure it has Exchange 2010 and SharePoint 2010..but that’s really it.  All of that doesn’t matter since the base foundation software goes outside of primary support in 2013.  Sure there’s “extended support” but that’s security updates only.  No bugfixes, no non-security updates..etc etc.  I can’t recommend this package in any of its flavors right now, especially with Server 8 on its way for a likely release in 2012.

What does ECC recommend?  A server running ESXi with one VM running Server 2008 (or Server 8 when it comes out) and in another VM Zimbra.  Zimbra handles many of the functions of SharePoint/Exchange for an unbeatable price.  Zero.

Are unreal.  Minimum is 8 gigs and they say they really want 10.  I can say that if you want to deploy the system and have room for usage without having to upgrade the RAM very quickly, start with 16 gigs of RAM.  Hard disk space is very large.  I can tell you right now in terms of storage.  SBS 2k8 barely runs well on 7200 RPM SATA in RAID 1.  Do not deploy this software on anything less than 10K RPM SATA/SAS in real hardware RAID 1.  CPU is minimum 2.0 GHz quad.  I’m going to say you really want 3.0 GHz quad to leave room for other things that will get installed on that box to support business operations.

SBS 2011 System Requirements.

As the software landscape changes and so does technology, so do my recommendations for clients.  The biggest one right now is do you buy Windows 7/Server 2008 now or wait?  ECC is saying to wait unless you absolutely MUST upgrade now.  Why?  2012-2013 Windows 8, Server 2012, and Office 2012/2013 are going to be coming out.  I would not buy anything Server 2008 related right now (that includes the latest versions of SBS as they are based on 2008 R2).  We are three years into the primary support cycles of 2k8 vintage product; that means you have two years of primary support for most things 2k8 based.  If you are going to go through the expense of a major upgrade then I would wait.  If you only are using 2k8 for simple AD and file resource sharing, 2k8 is most likely going to be a great bet if you have to upgrade now.  If you have further questions feel free to use the contact form at eccmd.com (http://www.emmanuelcomputerconsulting.com/contact-us) or call me.

I just figured out SBS2008 does NOT automatically set up roaming profiles.  This explains why I’m having issues with the desktops not matching when the users roam, because the profiles are all local.  Unfortunately one of the users had his HDD die and this spewed corruption into the network portion of his “local” profile.  Now I can get rid of these corrupted profiles.  These are the steps to creating a baseline roaming profile…

1. Prepare the roaming user profile

- Log on to a Windows Server 2008 with the domain user account to produce a user profile. Log off the computer.

- Log on to the Windows Server 2008 with a domain administrator account.

- Click Start—>right-click Computer—>Properties—>Advanced System Settings—>Advanced—>User Profiles Settings…—>Settings—>Copy To. Copy the profile to the file server, such as ‘\\filesrv\profiles\username.v2’

Note: A “.v2” suffix to the name of the user profile folder on the file server must be added to distinguish between version 1 and version 2 profiles.

- In Permitted to use, click Change. Type the proper users or groups and then click OK.

2. Prepare the user Profile path setting

- In the Active Directory Users and Computers, type the profile location such as ‘\\filesrv\profiles\username’ in the user’s Profile path attributes.

Note: Do NOT add “.v2” to the Profile path of the user object. This indicates that for Windows Server 2008 it will load the profile from ‘username.v2’ folder and for former Windows operating systems they will load from ‘username’ folder if it exists.

If you manually create the user profile folder, please check the NTFS and share permissions on the roaming profile share folder.

- Locate the roaming profile share folder, and check the NTFS permission to make sure that the user, SYSTEM, and administrators have Full Control permission on their folders and all sub-folders under the roaming profile folder have inherited proper permission.

- Check the share permission to ensure that Everyone has Full Control permission.

Please pay attention to the Event logs in Windows Logs—>Application. User Profile Service will log events to show the reason why the roaming profile is not applied.

via SBS 2008 Profile.
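An added example, not part of the original post or the article it links to: a PowerShell function that audits one user's roaming-profile folder against the steps above. Because the share itself grants Everyone Full Control, the NTFS ACL on each folder is the only thing limiting who can read a profile, so the function also lists any other principals that have access. The share path, the CONTOSO domain and the account name are placeholders, and the English built-in account names are assumed.

```powershell
# Added example: checks the .v2 folder, the Profile path value and the NTFS ACL.
# All paths and account names passed in are placeholders supplied by the caller.
function Test-RoamingProfileFolder {
    param(
        [Parameter(Mandatory = $true)][string]$ShareRoot,  # e.g. \\filesrv\profiles
        [Parameter(Mandatory = $true)][string]$Domain,     # NetBIOS domain name
        [Parameter(Mandatory = $true)][string]$UserName,   # logon name of the user
        [string]$ProfilePath                               # "Profile path" value from the user object
    )
    $findings = @()
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # The user object must not carry the .v2 suffix; only the folder on disk does.
    if ($ProfilePath -and $ProfilePath.TrimEnd('\') -match '\.v2$') {
        $findings += "Profile path '$ProfilePath' ends in .v2; remove the suffix from the user object."
    }

    $folder = Join-Path $ShareRoot "$UserName.v2"
    if (-not (Test-Path -Path $folder)) {
        $findings += "Folder '$folder' does not exist."
        return $findings
    }

    # The user, SYSTEM and administrators each need an Allow entry with Full Control.
    $acl = Get-Acl -Path $folder
    $required = @("$Domain\$UserName", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    foreach ($identity in $required) {
        $match = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $match) { $findings += "'$identity' lacks Full Control on '$folder'." }
    }

    # Anyone else with an Allow entry can read this profile through the open share.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $required -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        $findings += "Review: '$($_.IdentityReference.Value)' has $($_.FileSystemRights) on '$folder'."
    }

    # Sub-folders that block inheritance will not pick up the permissions above.
    Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
        ForEach-Object { $findings += "Inheritance is disabled on '$($_.FullName)'." }
    return $findings
}
Test-RoamingProfileFolder '\\filesrv\profiles' 'CONTOSO' 'username' '\\filesrv\profiles\username'
```

No output means the folder matches the steps; each line returned is one item to fix or review.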

There are increasing reports of issues with this service pack.  Despite it not supposedly making any major changes to either OS it seems that may not be the case.  If you are an ECC client or just a user watching the ECC feeds I advise NOT installing this update right now.

Windows 7 / 2008 R2 Service Pack 1 Problems.

I tire of the MS lock-in.  What I’ve done is begun to build another deployment option for my clients (all of which are under 10 users).  For now I’ll use Server 2008 for authentication and file/print sharing…in a VM.  Another VM holds a VMware appliance running Zimbra Collaboration Suite.  I get 90% of the SBS functions for nothing.  All I have to do is then back up two VMware images which easily compress by a factor of 2-5.  Done..and it’s highly portable to new hardware if something bad happens to the host box.  Once Samba 4 gets done I won’t need MS for the main server either..then I can run everything under one Linux VM and only have one VM to back up.  I’m hoping to procure a fast host server to test this on both on my network and my “guinea pig” network..:)  I already have a non-virtual version of this running at my church (one physical box running Server 2003..another physical server running CentOS 5.5 with Zimbra Collaboration Suite).  My goal is to get these two virtualized on one box..:)  The ultimate goal is for the whole thing to be Linux based.