Category: SBS 2008


I just figured out SBS 2008 does NOT automatically set up roaming profiles. This explains why I'm having issues with the desktops not matching when the users roam: the profiles are all local. Unfortunately one of the users had his HDD die and this spewed corruption into the network portion of his "local" profile. Now I can get rid of these corrupted profiles. These are the steps to creating a baseline roaming profile…

1. Prepare the roaming user profile

- Log on to a Windows Server 2008 computer with the domain user account to produce a user profile. Log off the computer.

- Log on to the Windows Server 2008 computer with a domain administrator account.

- Click Start—>right-click Computer—>Properties—>Advanced System Settings—>Advanced—>User Profiles Settings…—>Settings—>Copy To. Copy the profile to the file server, for example '\\filesrv\profiles\username.v2'.

Note: A ".v2" suffix must be added to the name of the user profile folder on the file server to distinguish between version 1 and version 2 profiles.

- In Permitted to use, click Change. Type the proper users or groups and then click OK.

2. Prepare the user's Profile path setting

- In Active Directory Users and Computers, type the profile location, such as '\\filesrv\profiles\username', in the user's Profile path attribute.

Note: Do NOT add ".v2" to the Profile path of the user object. With the plain path, Windows Server 2008 loads the profile from the 'username.v2' folder, and earlier Windows versions load from the 'username' folder if it exists.

If you manually create the user profile folder, check the NTFS and share permissions on the roaming profile share folder.

- Locate the roaming profile share folder and check the NTFS permissions to make sure that the user, SYSTEM, and Administrators have Full Control permission on their folders, and that all sub-folders under the roaming profile folder have inherited the proper permissions.

- Check the share permissions to ensure that Everyone has Full Control permission.

Pay attention to the event logs in Windows Logs—>Application. The User Profile Service logs events that show why a roaming profile was not applied.
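As an added example (not part of the original post), this PowerShell script checks one user's roaming profile folder against the requirements above: the .v2 folder exists, the user, SYSTEM and Administrators hold NTFS Full Control, Everyone has share Full Control, and recent User Profile Service events are listed. It assumes the share is published as "profiles" from D:\profiles on the file server and uses a sample account CONTOSO\jdoe; run it elevated on the file server under Windows PowerShell 2.0.

```powershell
# Added example, not from the original post. Assumed names: local share path
# D:\profiles published as "profiles", sample user CONTOSO\jdoe. Run elevated on
# the file server under Windows PowerShell 2.0 (available on Server 2008 SP2).
param(
    [string]$ShareRoot = 'D:\profiles',
    [string]$ShareName = 'profiles',
    [string]$User      = 'CONTOSO\jdoe'
)

# Server 2008 reads from "<username>.v2" even though AD's Profile path has no suffix.
$Folder = Join-Path $ShareRoot ("{0}.v2" -f $User.Split('\')[-1])
if (-not (Test-Path $Folder)) {
    throw "Profile folder $Folder does not exist (remember the .v2 suffix)"
}

# 1. NTFS: the user, SYSTEM and Administrators need Full Control on the folder.
$acl = Get-Acl -Path $Folder
foreach ($id in @($User, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'FullControl'
    }
    if ($rule) { "OK   NTFS Full Control: $id" } else { "FAIL NTFS Full Control missing: $id" }
}
# Sub-folders only inherit if inheritance is not blocked at the profile root.
if ($acl.AreAccessRulesProtected) { "WARN inheritance is blocked on $Folder" }

# 2. Share permission: Everyone Full Control (mask 0x1F01FF); NTFS does the real restricting.
$setting  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$dacl     = $setting.GetSecurityDescriptor().Descriptor.DACL
$everyone = $dacl | Where-Object { $_.Trustee.Name -eq 'Everyone' -and $_.AccessMask -eq 0x1F01FF }
if ($everyone) { "OK   share: Everyone Full Control" } else { "FAIL share: Everyone lacks Full Control" }

# 3. If a profile still does not load, the User Profile Service says why in the Application log.
Get-EventLog -LogName Application -Newest 200 -EntryType Error, Warning |
    Where-Object { $_.Source -like '*User Profiles Service*' } |
    Select-Object TimeGenerated, EventID, Message
```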

via SBS 2008 Profile.

I tire of the MS lock-in. What I've done is begun to build another deployment option for my clients (all of which are under 10 users). For now I'll use Server 2008 for authentication and file/print sharing…in a VM. Another VM holds a VMware appliance running Zimbra Collaboration Suite. I get 90% of the SBS functions for nothing. All I have to do is then back up two VMware images which easily compress by a factor of 2-5. Done..and it's highly portable to new hardware if something bad happens to the host box. Once Samba 4 gets done I won't need MS for the main server either..then I can run everything under one Linux VM and only have one VM to back up. I'm hoping to procure a fast host server to test this on both my network and my "guinea pig" network..:) I already have a non-virtual version of this running at my church (one physical box running Server 2003..another physical server running CentOS 5.5 with Zimbra Collaboration Suite). My goal is to get these two virtualized on one box..:) The ultimate goal is for the whole thing to be Linux based.

Microsoft has released the fix for the LNK issue. This coming Tuesday is going to be a monster patch day with a total of 37 issues fixed in 14 patches.

Normally I advocate caution in major patches. This hole however is so important that I am going to immediately patch and then work around any issues this is going to cause. Again, on Monday this patch gets released. PATCH IMMEDIATELY!!! Read the previous advisories I posted about this here.

Steve Gibson talks about this issue in a very understandable manner.  Look at my previous post at the bottom..aka update 3.

Well, the vulnerability's threat profile has expanded:
http://www.f-secure.com/weblog/archives/00001994.html
If the .lnk is inside a document, Windows will execute the code. Again..I hope this fizzles..if it doesn't I want folks to be aware.


http://www.emmanuelcomputerconsulting.com/archives/2421

The podcast software crashed, so I was able to make a written update to the post with the help of Arstechnica.com. Go check out the updated post.

I am going to provide you with the summary from Ars Technica as it’s the clearest explanation of the problem I have seen:

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek’s private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows’ ability to show shortcuts’ icons; details on how to do this are provided in Microsoft’s security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.

This one has the potential to be very, very bad. What I am going to do is put some of the links below. I am going to record a podcast tonight about this and have it posted in the next 24 hours. While the threat right now is low, the potential for this one to explode is very, very high. I do not get concerned about Windows exploits very often..this one has the very real potential to be on the scale of Sasser, Code Red, or Conficker. ECC is gearing up for this to be a widespread event and I am hoping it fizzles (which is dependent on a timely patch from Microsoft). As of right now there is no anti-anything that will stop the .LNK vulnerability itself, and any malware that appears WILL be able to leverage this before the A/V vendors can react. I am sure the security companies will be able to catch up..however we really need a patch from Microsoft on this one. The big problem for Microsoft is this is endemic to their ENTIRE codebase from Windows 95 on up. They have to now re-engineer every version of Windows to protect against this flaw. This is one time that if it takes Microsoft more than a week to come up with a fix there's a very good reason. The following operating systems will NOT get a patch from Microsoft:

Windows 95

Windows 98

Windows ME

Windows NT

Windows 2000 (all versions)

Windows XP below SP3 (this includes XP 64-bit, which is now end of life..no support)

Windows Vista RTM (all versions). Vista SP1 is still supported until July 12 2011. You really should upgrade to SP2 of Vista.

I have some of the links below I have been following for this:


*UPDATE* Microsoft has posted their workaround. This nukes ALL shortcuts on the system though. If you want to guarantee your protection use this patch..but you won't be able to easily launch anything.

*UPDATE 2*

Well, the vulnerability's threat profile has expanded:
If the .lnk is inside a document, Windows will execute the code. Again..I hope this fizzles..if it doesn't I want folks to be aware.

*UPDATE 3* Listen to this videocast from Steve Gibson..it's well explained.

http://www.twit.tv/sn258

There are several attack vectors. It can be triggered via a webpage. It may even be able to be done from within any browser…not just IE. I just got done informing a client that this could have many more attack vectors due to this being a problem with the core of Windows.

*UPDATE 4* Normally I advocate caution in major patches. This hole however is so important that I am going to immediately patch and then work around any issues this is going to cause. Again, on Monday this patch gets released. PATCH IMMEDIATELY!!! Read the previous advisories I posted about this here.

Windows has design issues…I have talked about it many, many times. However it IS possible to have a malware-free system. It's really not that hard. You do need to change your behavior on how you operate your Windows systems.

1.  Have a security audit done if you’ve never had one done.

2.  Don't use IE. Unless you are technically savvy, just don't. It's the number one attack vector (via ActiveX).

3.  Run Firefox or Google Chrome.

4.  Don't go to porn, warez, gambling..etc etc type sites. If it's a red-light district on land it's the same in cyber-land. If you go to these places in cyber-land none of the above or below matter..you'll be infected either immediately or very quickly. NO anti-anything will save you either.

5.  Don't buy into the anti-whatever $$$ trap. I haven't run A/V on my systems in nearly a decade. We've had ONE system infection and it was my wife's fault (by her own admission). If you are REQUIRED to run anti stuff get the cheapest you can find.

6.  Never click a link in an e-mail until you check it. This can be a tricky subject. Hover your mouse (don't click any links) over the links and see if the address presented in the bottom bar matches the text of the link. If it doesn't, it's a fake. Contact ECC for full details.

7.  Remove admin rights from users.  Self-explanatory.

8.  Remove the ability for users to install ANYTHING.  This can easily be done via group policy. (This and #7 are the 2 things you can do on a network to stop at least 90% of all malware infections)

9.  Disable autorun. This nukes most infections from USB keys (flash drives, thumb drives..etc etc etc. Works great in conjunction with #8 and #7).

10.  Ensure all systems are up to date with all security updates.  Not just Windows and Office but every third party program on your systems.  (This includes Acrobat, Flash, Java).
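Items 7 and 9 above are the ones you can verify on a single machine in a minute. As an added example (not from the original post), this PowerShell script lists who holds local Administrators membership and checks, and if necessary sets, the NoDriveTypeAutoRun policy value that turns autorun off for every drive type. It assumes an elevated Windows PowerShell 2.0 prompt; on a domain you would push the same value through Group Policy, as the post recommends, rather than per machine.

```powershell
# Added example, not from the original post: audit items 7 and 9 on one
# workstation. Assumed: run from an elevated Windows PowerShell 2.0 prompt.
$report = @()

# Item 7: list who holds local admin rights. Anything beyond the built-in
# Administrator and Domain Admins is a candidate for removal.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$report += "Local Administrators: $($members -join ', ')"

# Item 9: autorun is off for every drive type when NoDriveTypeAutoRun is 0xFF.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($value -eq 0xFF) {
    $report += 'Autorun: disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
} else {
    $report += "Autorun: not fully disabled (current value: $value); setting 0xFF"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}
$report
```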

Windows Server vs. Linux.

There are some serious errors in this..I'll address them inline.

Text below:

Windows Server vs. Linux

June 8, 2010 —

Which is better? Microsoft Windows Server or open-source Linux?

This debate arouses vehement opinions, but according to one IT consultant who spends a lot of time with both Windows and Linux, it’s a matter of arguing which server OS is the most appropriate in the context of the job that needs to be done, based on factors such as cost, performance, security and application usage.


“With Linux, the operating system is effectively free,” says Phil Cox, principal consultant with SystemExperts. “With Microsoft, there are licensing fees for any version, so cost is a factor.” And relative to any physical hardware platform, Linux performance appears to be about 25% faster, Cox says.

That's at a minimum. It's often much higher. Windows Server Core is an attempt to regain some of that base speed by jettisoning the GUI.

Combine that with the flexibility you have to make kernel modifications, something you can’t do with proprietary Windows, and there’s a lot to say about the benefits of open-source Linux. But that’s not the whole story, Cox points out, noting there are some strong arguments to be made on behalf of Windows, particularly for the enterprise.

For instance, because you can make kernel modifications to Linux, the downside of that is “you need a higher level of expertise to keep a production environment going,” Cox says, noting a lot of people build their own packages and since there are variations of Linux, such as SuSE or Debian, special expertise may be needed.

Windows offers appeal in that “it’s a stable platform, though not as flexible,” Cox says. When it comes to application integration, “Windows is easier,” he says.

Windows most assuredly is NOT easier. By the time you get to managing patches, default configuration tweaking, the layers of security you have to pile on to have a prayer of a chance to NOT get compromised…Linux is MUCH easier. I can turn up a Linux server from ground zero to the base install in under an hour WITHOUT USING AN IMAGE. Updates? One run and one reboot..Windows? It'll be multiples of each…it goes on and on and on.

Windows access control “blows Linux out of the water,” he claims. “In a Windows box, you can set access-control mechanisms without a software add-on.”

He apparently hasn't heard of chmod and chown. You can do everything you want right from the CLI. I tend to use a package called Webmin which is installed from the command line and run from a web browser..I don't have to pay the Windows GUI performance tax.

Patching is inevitable with either Windows or Linux, and in this arena, Cox says that it’s easier to patch Windows. Microsoft is the only source to issue Windows patches. With Linux, you have to decide whether to go to an open-source entity for patches, for instance the one for OpenSSH, or wait until a commercial Linux provider, such as Red Hat, provides a patch.

OR you can use a community variant called CentOS (to reference Red Hat) which is non-commercial…OR you can use the granddaddy of Linux distros, Debian, which is the basis of many, many other distributions. You don't have to go to OpenSSL because the distros are hooked right into the package vendors. Here's one point the author missed…speed of patches. Microsoft WON'T patch until there's an active exploit outside of its monthly cycle. Most Linux distros patch within 24 hours of release..24 HOURS..not DAYS or MONTHS…HOURS. Let's see Microsoft do that…and do it reliably with hosing its users' systems that have gotten infested due to their continued bad design choices.

Microsoft presents a monolithic single point of contact for business customers, whereas “In Linux, you need to know where to go for what,” which makes it more complicated, Cox says. “There’s no such thing as a TechNet for Linux,” he says. Linux users need to be enthusiastic participants in the sometimes clannish open-source community to get the optimum results.

Oh and Microsofties aren’t clannish?  LOL!  Let me tell you something..if you don’t drink the Microsoft Kool-aid totally you won’t be in the MS forums and MS evangelists sites..trust me I know about this.

These kind of arguments may indicate why Windows Server continues to have huge appeal in the enterprise setting, though some vertical industries, such as financial firms, have become big-time Linux users.

The only reason Windows keeps hanging around like a fungus is because the third party app vendors have not yet started coding for Linux in large numbers yet…that’s coming.  Once folks can see the advantages to Linux MS will have to tighten up their code or die.

Linux and open-source applications are popular in the Internet-facing extranet of the enterprise, Cox notes. And Linux has become a kind of industrial technology for vendors which use it in a wide range of products and services — for instance Amazon’s EC2 computing environment data centers rely on Xen-based Linux servers.

Know why? Security is one, reliability is another, patching is stupid easy (run updates on a live system; if there are no kernel updates, no reboot is needed..at all). Windows hangs around right now because third party vendors aren't coding…yet. MS right now does have its place and I will recommend Windows on the back only when it's truly necessary. The comments on this article do a far better job of eviscerating the author than I do..:)