Archive for the ‘Antivirus Software’ Category

Operating System Discussion: Windows 2003 vs 2008? Windows XP vs 7?

October 22nd, 2009 by Paul Sterley | No Comments | Filed in Antivirus Software, Migration, Security, Virtualization, Windows Server, Workstation OS

Server Operating Systems:

At this time, I see little reason to upgrade to Windows 2008. For what most servers do, Windows 2003 does the job just fine, and is still being supported (with hot-fixes, but not Service Packs) by Microsoft. The software you run on it likes 2003 just fine. Before long, new hardware will be built with Windows 2008 in mind, and Windows 2003 drivers for your hardware might get harder to find. However, I recommend moving to virtual servers at that time, and it will then not be necessary to have Windows drivers for your new server. The virtualization layer (hypervisor) will handle that, and the “virtual hardware” assigned to your server will work fine with Windows 2003 for many years to come.

Exchange 2007? Let’s just not talk about that right now. This is an OS discussion, and I will just say that I intend to resist that one as long as possible too, until Microsoft remembers that if we wanted to manage everything with command lines and scripts, we’d be using Linux with Sendmail or some open-source, command-line driven equivalent.

Terminal Servers, however, could benefit from a Windows 2008 upgrade. Terminal Services (now called Remote Desktop Services) functions have been greatly improved in 2008, specifically in the area of publishing applications seamlessly without giving the users access to the entire desktop – and in the area of remote printing. Remote printing has been a major thorn in your side, and Windows 2008 can help you with that. I believe the new Terminal Services is web-accessible, making it very easy to set up new workstations to use it.

Here is another, more detailed discussion of those improvements.

Is it worth the cost to upgrade? Your customer will have to decide.

Workstation Operating Systems:

I am happy to say that most of my customers have managed to skip right over Windows Vista.

I have not had much experience yet with Windows 7, but my limited experience suggests that Microsoft learned a lot from their Vista flop, and worked to smooth out the rough edges that made people despise Vista. My limited experience also suggests that Windows 7 is still too new for widespread adoption, with pitfalls lurking due to software applications and drivers not being fully compatible with Windows 7 yet.

That being said, we are entering a more sophisticated age of malware and viruses, and it may be time to leave behind the less intrusive security measures we have been enjoying with Windows XP, which is now allowing more and more PCs to become infected – just as it happened with Windows 2000. It will be a rocky time, when we try to balance having appropriate access to our own computers against making them wide open to attacks. Some software will work OK when installed with an administrative account and then used by someone else. Some will not. We’ll have to work out which software requires which installation method, and perhaps sometimes temporarily give a user administrative access to their machine to get something installed and configured, then take it away to help protect them. We can do this with Windows XP for now, and then later with Windows 7.

For the time being, I will recommend that my customers continue to purchase workstations that come with Windows 7 licenses, but have a downgrade to XP installed on them. This will continue for as long as possible, until we start seeing the rate of virus infection become too high, or other factors necessitate a change. The age-old cycle of viruses and antivirus software one-upping each other continues, and maybe we’ll see a comeback of the antivirus software.

For now, Dell is offering workstations with Windows 7 licenses, with Windows XP installed – but only in the Business section.

So, am I just being resistant to change? There is some of that, but I do not embrace change for its own sake. There has to be some benefit, other than the many hours of billable work I could get from pushing customers into unfamiliar operating systems just because Microsoft wants to keep their money machine rolling. Let me just say that I was determined to be open-minded about Vista. I gave it a solid try. When asked whether I wanted Vista or XP on my company-supplied laptop, I chose Vista. I suffered it for 6 months, before finally deciding that enough was enough. I had passed the learning curve and the pain continued. I went back to XP. So no, it is not just resistance to change. There are good reasons for me to hold back. They are related to deficiencies of the new OSes, financial reasons, and the general difficulty of being among the first to move to new technology.

Unless there are specific, compelling benefits to be gained in each scenario, then you won’t see me jumping first to new versions of the OS. Not me, not this time.


Trend Micro: Are Trained Monkeys Adding Threat Classifications?

October 20th, 2009 by Paul Sterley | 1 Comment | Filed in Antivirus Software, Trend Micro

When I go to http://icanhascheezburger.com, which is a WordPress Blog showing cute cat pictures with (sometimes) funny captions, the page loads OK, but then I get this pop-up error a few seconds later.

[image: trendwarningpopup]

However, I did some research on js-kit.com, and found that it is a site that makes plug-ins for people to rate things in blog pages. There’s nothing sinister about it. I googled the heck out of it looking for anyone who was saying it was a malicious thing. I found none.

I went directly to the URL listed as being dangerous, and I got the following warning, again from Trend Micro:

[image: trendwarningdetail]

So I went to www.js-kit.com, without the “ratings.js” on the end, and I learned that it is a site written by people who create plug-ins for blog sites, so people can rate how cool they thought particular items were. Again, nothing sinister.

However, I also noticed that when the page loaded, the Internet Explorer icon next to the Address Bar showed an icon that looks a little bit like the Trend Micro icon. It’s blue, it’s circular, and it has some squiggles in it – but it’s NOT the same icon, and they are not pretending to be Trend. They’re not spoofing, but I can see why a moron might think so. Here is the comparison between the two:

Trend icon: [image: trendmicrotrayicon]

JS-Kit icon: [image: js-kiticon]

Maybe an idiot might think those were the same icon, but I don’t.

Further information about JS-Kit:
They build plug-ins for blogs. Their site tells how to embed the plug-ins. It’s really pretty straightforward. Here are the instructions:

[image: js-kit-usage]

…and here is a URL to their FAQ, telling all about what they do.
http://wiki.js-kit.com/FAQ+-+Navigator

I called Trend Micro support and asked about it. The tech did not have any idea why it was blocked, and when I showed him the JS-Kit icon, he actually made noises like he thought it was fishy, that it was a good reason for them to be blocked. I had to educate him about how the icons may be SIMILAR, but they are NOT the same.

I’ve submitted this information to Trend Micro. Hopefully they will see how dumb they are being and it will be removed from their block list.

In the meantime, I guess I’ll add it to my exclusion list.

Update: I just got this from Trend Micro Support (potentially sensitive info blocked out):

From: Trend Micro Technical Support
Sent: Wednesday, October 21, 2009 11:03 AM
To: Paul Sterley
Subject: [SR#-#-##########] [WFBS 6.0] Website Blocked

Hi Mr. Sterley,

Good Day!

The URL that you submitted has now been untagged on our detection list.

Please confirm.

It is beneficial for our records to be up to date, by simply REPLYING Back to this email. Please let me know if I was able to resolve your Concern(s) so I may formally close this case for you. A simple “Close this case” note would do.

Again, thank you for your time.

Sincerely yours,

Xxxxxxx Xxxxxxxx
Systems Engineer
NABU SMB Support, Trend Micro Inc.


Trend Micro WFBS Update Problem in SBS2008

January 26th, 2009 by Paul Sterley | 1 Comment | Filed in Antivirus Software, Not in the Windows Box, Trend Micro, Windows Server

I don’t know yet whether this is a problem that all SBS2008 machines will have with Trend Micro Worry-Free Business Security, or whether it’s just a weird problem that mine had.

I kept getting e-mails from the Trend Micro Security Server with the following message:
Trend Micro Security Server - At least one Exchange server is outdated.

LiveStatus showed At least one Exchange server is outdated.
Expanded the Updates row and clicked the Deploy Now button as directed. No results.

In the Security Settings tab, selected the Exchange agent, and saw that the patterns are out of date.

In Reports -> Log Query, I ran the following report:
Time range: Today
Type: Exchange server
Content: Update logs

I saw this message, repeated: Web server authentication was unsuccessful. An invalid username or password was entered. Please check your settings and make any necessary changes, and then try again.

Tech Support told me to manually copy the updated pattern files (lpt$vpn###) in place, just in case the files were corrupt. This updated them once, but they refused to update automatically afterward.

Tech Support told me to create a new application pool in IIS which uses the LocalSystem built-in account, and switch the SMEX Website to use this new app pool. This was very promising, given the error message in the log, but it didn’t work.

Tech support told me to uninstall and reinstall the messaging security agent.

Tech support told me to reboot the server (the “Hail Mary” approach).

Finally, what solved the problem was an intuitive leap. I figured “Well, I’ve given the website all of the permissions it could want, and I’m still getting a web authentication error. Wait, what’s this other website here called OfficeScan?”

I assigned the custom application pool (the one that uses LocalSystem) to the OfficeScan website, and I have not had a problem updating since.
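To check the result of that change on the server, here is an added PowerShell example (not from the original post or from Trend Micro) that reports which application pool each IIS site uses and what identity that pool runs as, and wraps the site-to-pool assignment in a function; the site names and the custom pool name are assumptions, adjust them to what your server shows. Because LocalSystem is the most privileged local identity, a listing like this is also worth keeping as a record of which sites run under it.

```powershell
# Added example, not part of the original post: list every IIS site with its
# application pool and the pool's identity, flagging the Trend Micro sites that
# are still on a different pool than the custom LocalSystem one.
# Assumes IIS 7.x; on IIS 7.0 use "Add-PSSnapin WebAdministration" instead.
Import-Module WebAdministration

$trendSites   = @('SMEX Web Site', 'OfficeScan')  # assumed IIS site names
$expectedPool = 'TrendLocalSystemPool'            # assumed name of the custom pool

function Get-SitePoolIdentity {
    # Returns one object per IIS site: site name, pool name, pool identity.
    foreach ($site in Get-Website) {
        $pool = $site.applicationPool
        $pm   = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
        # SpecificUser pools run as the configured account; the others as a built-in identity.
        if ($pm.identityType -eq 'SpecificUser') { $identity = $pm.userName }
        else { $identity = [string]$pm.identityType }
        New-Object PSObject -Property @{ Site = $site.Name; Pool = $pool; Identity = $identity }
    }
}

function Set-SitePool {
    # Moves a site onto a pool; this is the step that fixed the OfficeScan site in the post.
    param([string]$SiteName, [string]$PoolName)
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName
}

# Report every site; the flag marks a Trend site that is not yet on the expected pool.
Get-SitePoolIdentity | ForEach-Object {
    $flag = ''
    if ($trendSites -contains $_.Site -and $_.Pool -ne $expectedPool) {
        $flag = '  <-- not on expected pool'
    }
    '{0,-20} pool={1,-22} identity={2}{3}' -f $_.Site, $_.Pool, $_.Identity, $flag
}
```

Run the report first, then call Set-SitePool for any flagged Trend site and run the report again to confirm both sites show the same pool and identity.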


Symantec Mail Security: Putting Spam in the Junk E-mail Folder

November 21st, 2008 by Paul Sterley | No Comments | Filed in Antivirus Software, Exchange Server, Symantec

You can configure a setting called “SCL” (Spam Confidence Level) in the SMSMSE console. This corresponds to a setting in the Intelligent Message Filter in MS Exchange System Manager. Using these two settings, you can more finely control which messages get sent to the Junk E-mail folder based on Symantec’s rating of the message.

Changing the Store Action Threshold in Symantec Mail Security for Microsoft Exchange:
Grabbed from here.

Question/Issue:
This page describes how to control the Store Action Threshold (SAT) in Microsoft Exchange 2003. The SAT works with the Spam Confidence Level (SCL) that you specify in Symantec Mail Security for Microsoft Exchange to determine which messages are sent to the users’ Junk E-mail folders. By default, the SAT value is null. The null SAT forces all messages with an SCL value of 1 or greater to the user’s Junk E-Mail folder. You installed one of the following versions:
- Symantec Mail Security 4.6 for Microsoft Exchange
- Symantec Mail Security 4.5 for Microsoft Exchange
- Symantec Mail Security 5.0 for Microsoft Exchange
Solution:
To change the Store Action Threshold

In the Exchange System Manager window, in the left pane, under Global Settings, right-click Message Delivery -> Properties.
In the Properties dialog box, on the Intelligent Message Filtering tab, on the Store Junk E-mail Configuration drop-down list, click the appropriate level.
Click OK.
Close the Exchange System Manager window.
Note: You cannot set the store threshold higher than the gateway threshold.

After you have configured the global settings in the Message Delivery area, you need to enable Intelligent Message Filtering on the Default SMTP Virtual Server properties. Intelligent Message Filtering is installed by default as part of Exchange SP2, but it is not enabled. To enable it:

In the Default SMTP Virtual Server properties, on the General tab, click Advanced.
Select the IP address (or “All Unassigned”) and click the Edit button.
Check the box for “Apply Intelligent Message Filter” and click OK.

If you want to verify the SCL rating on a message in Outlook, here is how to do it. This article was written for Outlook 2003. It will probably work in 2007, but the menus will probably be different.


Symantec Endpoint Protection: Servers Like It Pushed

November 21st, 2008 by Paul Sterley | No Comments | Filed in Antivirus Software, Symantec

I am rolling out Symantec Endpoint Protection, and have noticed a strange situation. It is possible that my experiences are abnormal, and not reproducible, but I thought I would make myself a note about it anyway, and maybe it will help someone else having similar results.

I installed the SEP Management Console, and created two deployment packages - one for servers, and one for workstations. Then I went into the MC and set up policies, exceptions, assigned things, disabled things I didn’t want, etc.

When it was time for rollout, I logged into the first server (using mstsc /admin), browsed to the deployment package (single EXE), and ran it. It installed successfully, but the green dot never appeared on the yellow shield, indicating that it did not check in with the management console. I rebooted a couple of times, and then let it sit for 30 minutes. Nothing. Right-clicking on the shield did not reveal the “Update Policy” option that should be there on a managed client installation.

The second server I did this on was the same OS and SP level, but it was set up for Terminal Services. This one installed, got the green dot, etc. All was good. The third one was very similar to the first, and had the same result - no green dot. I used the Deployment Wizard to push the installation to the remaining two servers, and that worked fine - the green dot appeared.

Going back to the first two servers, I uninstalled SEP, rebooted, and then pushed the client with the Deployment Wizard. Both servers installed successfully, green dot appeared.

I have not had these results on workstations. Workstations consistently seem to work properly, even when the setup is run manually.

I don’t know if this is a normal thing, or if Terminal Services had any impact on it regarding the server that did work with a manual install.

What I DO know is that there are a LOT of Google results for issues concerning servers not checking in with the console, and if there are answers out there, they are not easy to find. This worked for me. Maybe it will work for you.
