Friday, December 19, 2008

Critical Security Vulnerability Discovered in Internet Explorer...

On November 11th 2008 Microsoft released an advisory (MS08-068) detailing a vulnerability present in all currently supported versions of Internet Explorer - including beta versions of IE8. The exploitation technique is referred to as "SMB Reflection". There have been widespread reports of active exploitation of this vulnerability via Internet Explorer - including reports that the UK Postal Service's website had been compromised, thereby compromising all of its visitors.

Sadly, the technique was first demonstrated in 2001 at @tlantacon, a hacker convention. Microsoft was aware of the vulnerability, but because there were so many mitigating factors and patching it would have broken backwards compatibility with specific applications, they decided to leave it unpatched. This recently released patch essentially further mitigates the vulnerability without truly "fixing" it. As this article is not meant as a technical dissertation on the vulnerability, if you want more technical information about this vulnerability and the recent patch, I suggest this article.

At Teklogic, we developed scripts to deploy this patch to our client base the day it was released. If you have an unpatched home PC, or know someone that does, you should get on over to Windows Update and ensure your system is up-to-date with the latest patches and Service Packs.

This is just more fodder for all of the Mozilla Firefox zealots, although that now very mature browsing software has not been without its own issues lately - just proving that the only absolutely "secure" system is one that is unplugged and not in use.

Tuesday, December 9, 2008

What is Web 2.0???

You may have heard the term "Web 2.0" in the media recently. The term seems to suggest a new or updated version of the World Wide Web, however the term does not refer to any technical specifications at all.

As Tim O'Reilly suggests, it refers to changes in the ways people use the World Wide Web for information sharing and collaboration. To me, it means specifically community-driven content like blogs, podcasts, wikis like Wikipedia, social networking sites like MySpace & Facebook, and content sharing sites like YouTube & Delicious. There is even a "micro-blogging" service called Twitter that is becoming a more and more popular way to remain excessively "plugged in". Twitter allows users to display short, informative blurbs - typically used to keep people informed. People can subscribe to these updated blurbs on their cell phone or computer. The American Red Cross uses Twitter to exchange minute-to-minute information about local disasters.

All of these technologies center around ease of information exchange using the World Wide Web with an emphasis on user-driven content creation. This creates the proverbial "new ball game" for advertisers, designers, and business owners when it comes to getting your product or service noticed on the web. It also means an upgrade in the overall user experience of the World Wide Web as this content gets more and more real-time and self-evolving.

With people more plugged in than ever before - I mean, even your phone has a broadband Internet connection these days - we will have better information, faster, and be able to collaborate in near real-time with people and companies across the globe. A VERY good thing indeed.

Tuesday, December 2, 2008

Out of Office when you are out of the office.

As you may be aware, Outlook has an "Out of Office" feature that can be configured when you are away from your PC to respond automatically to incoming messages with a predefined message letting the sender know you are unavailable. This works great if you remember to do it when you are in front of your machine - but what if you are out of the office unexpectedly and didn't have time to configure your Out of Office message?

If you are using a cell phone based on Windows Mobile and your administrator has configured message synchronization for you (and I hope he has), it's as easy as opening Outlook on your phone (where you view your e-mail), choosing Menu, then Tools, and selecting Out of Office. You can then customize your message with an alternate contact number or a time that you will be back in the office. This is a nifty little trick that I try to show to as many Windows Mobile users as I can. I hope you can use it too...

Cheers,

-Justin Carter-

Tuesday, November 11, 2008

Leaving fewer pieces behind...

Most people are at least vaguely aware that when files are deleted from a computer, they still remain around for an indeterminate amount of time. Essentially what is happening is that when the file is deleted, a bit is marked on the disk telling the file system that the next piece of data that needs to occupy this "spot" on the disk can do so - thereby overwriting the remnants of the deleted file.

When you are ready to donate or dispose of your computer, it is prudent to remove its information by way of  securely wiping your hard disk. I have seen some reports lately of discarded data coming back to haunt people. This is surely one way to fall victim to identity theft or be in violation of privacy laws when customer data is at stake.

Securely wiping your machine is a relatively simple operation. My favorite utility to accomplish this is Darik's Boot and Nuke. This utility allows you to make a bootable CD or Floppy disk that can be used to boot your computer and subsequently wipe all information from the disk using security standards that range from very secure to KGB-proof. You should expect this wiping process to take some time, especially if this is the old IBM XT 5160 sitting in your closet.

Do yourself a favor and make sure to wipe (or have wiped) your hard drive clean before donating or discarding your old PCs or hard drives.

Tuesday, October 21, 2008

Halloween scares - Disaster Recovery

I love Halloween, I always have.  Something about being scared - it could just be an excuse to watch startling teenage slasher-flicks late at night, but I digress...

Disaster Recovery is a topic that there are as many opinions on as there are ghouls on Halloween. There are so many products out there and so many different ways to back up - Tape, Disk, NAS, SAN, fibre-channel, offsite, incremental, Differential, Full, transactional, Image, file level, and brick level. I won't single out any vendors but I do see a lot of these big name backup service providers playing to the business owner's lack of understanding on what it actually takes to get humpty-dumpty back together again in the event something actually blows up.

These vendors send in their $5,000 suit sales-guys and follow it up with a smooth WebEx session talking about how their solution can sing and dance. Once the "solution" is sold, the client is handed the software and given the instructions to get it going. Sort of like, "Call us if you need us, read this..."

There is just something about buying a backup solution from the actual person who will be setting it up and maintaining it - someone local, someone available, and someone reliable - namely Teklogic.

I am a big believer in Image Backups - that is - a backup that contains a literal in-time "snapshot" of the device being backed up. This way we have a file that represents a true byte-level image of the machine being backed up. We won't have to mess around with Windows Disks, reboots, updates, drivers and then cataloging the backup file - and god help you if you are using Tape... (Tape is a 4 letter word as far as I'm concerned). With an image backup you prepare a recovery CD ahead of time and if there is ever a need for recovery, you boot with it and restore the image from NAS or external hard disk - that's it, pass go and collect $200... You can even restore this image to a "Virtual Server" hosted by your provider to further reduce downtime while your location is being repaired or server replacement parts are being procured.

Something else notable is that moving forward, Windows Server operating systems will not natively back up to tape - this includes Windows Server 2008. Companies insistent on using tape will have to install 3rd party applications to make this possible, such as BackupExec, Yosemite, or ARCServe.

Being on top of all the available backup methods and technologies has always been one of my priorities. At Teklogic we perform regular test disaster recovery scenarios with SQL, Exchange and Active Directory to ensure we will be ready in the event we need to use these skills. There is just so much out there, you need to make sure your technology provider is well-versed in the topic of disaster recovery and is familiar with all the different techniques and methodologies.

Wednesday, October 15, 2008

Staying in sync on a budget...

There is an old Unix utility I used to use all the time called 'rsync'. This very useful utility would essentially mirror a directory on your hard drive to a directory elsewhere of your choosing. Several NAS (Network Attached Storage) vendors utilize rsync today to perform backups to and from NAS devices and brand their device as having backup capability. There are two Windows-compatible ports of this software, one is called DeltaCopy and the other is cwRsync. Both of these ports use Cygwin which is essentially an emulator that allows Linux\Un*x applications to run under Windows. It is sort of an ugly hack in my opinion, but without it, Windows does not offer any native solutions - and no, XCopy doesn't count.

There are some other free solutions that work very well. The first one I will mention is Robocopy. This is a free tool written by Microsoft and has been included in the Windows Resource Kits since the NT4 days. Recently this tool has found its way into Windows Vista and Server 2008 right out of the box! This tool allows an administrator to write a simple batch file to mirror directories along with a host of other file copy operations that go beyond the scope of this posting. Robocopy does NOT use Volume Shadow Copy Services, which can limit its usefulness as a backup utility where volumes may be in use. I have seen creative admins utilize VSHADOW and DISKSHADOW to create a Shadow Copy of a volume and subsequently use Robocopy to copy it elsewhere.

The second utility I will mention is a bit more for the non-technical people. Microsoft has recently invested a lot of money in its "Live" services and some of them are particularly interesting. In 2005 Microsoft acquired a company called Byte Taxi and assimilated their directory synchronization software into what is currently called Windows Live FolderShare. This software is unusual in that first, it is free and second, it requires no firewall configuration. It is basically a client-side application that allows you to sync directories among computers connected to the Internet. All of its configuration is done through a point-and-click interface, making it easy for even novice computer users to configure. You basically visit the FolderShare website, sign in with your Windows Live account, download the software onto at least two machines and configure a directory that you wish to remain synced among the machines. You could be in Bangladesh, but as long as you are connected to the Internet, your files will be syncing with all Internet-connected clients. There are some limitations to this software however - the first, which is a biggie for me, is that you are limited to 10,000 files per "library". There goes my ability to sync my MP3 collection ;) Also, you cannot have more than 10 libraries. All in all this is a great solution for the home user looking to sync files between their desktop and laptop without having to mess with Windows File Sharing. Eventually this service will be re-branded as Windows Live Sync once it is out of beta stage. This technology will also be used in Windows Live Mesh, Windows Live Skydrive and even Windows Live Messenger Sharing Folders.

There are some other great utilities which I will not get into much detail on such as Power Folder, the Microsoft SyncToy, DropBox, and Allway Sync...

Anyway, happy sync-ing!

Monday, September 22, 2008

Viruses, Spyware, Trojans... Oh My!

Several years back the industry went through what I can only call a "Spyware Explosion". All of the Spyware companies were exploiting the weak security present in the Internet browsing software of the time, resulting in massively compounded and ubiquitous Spyware infections. I felt like every other PC I worked on, I was removing Spyware. As Microsoft and Security Software companies wised-up to this onslaught and improved their software, I began to notice such problems less and less. Any tech that has spent 4 - 5 hours removing Spyware will tell you that is not a fun task, so this evolution (so-to-speak) was a welcome one.

Nowadays I certainly don't spend nearly as much time on Spyware-related issues - but when I do, it seems like we have made a trade-off of sorts. What I mean is - sure we see less Spyware, but when we do see it, it seems to be much more sophisticated. I can honestly say I enjoy the challenge of removing some of the trickier ones because this can truly test the skills of any experienced technician.

Case in point, I thought I'd share a recent experience:

I received a call from a remote office of one of my customers complaining that when they started their computer, all they would get is a blank blue screen. They would get no icons, no start menu, nothing. Luckily I was able to remote into this system using the Teklogic management software and I was then able to start Task Manager and attempted to launch 'Explorer.exe', which is the "Shell" in Windows that gives you your desktop and Start menu (among other things). I found that Explorer.exe would not start, complaining that "Windows Could not find the file". I then proceeded to open a Command Prompt and drill down to where the actual executable lives ('C:\windows\Explorer.exe') and I noted that it was there and it had the appropriate permissions to launch... I checked that the environment path was correct and that the Shell key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell) did indeed contain the appropriate text for launching Explorer upon startup. At this point I went ahead and extracted another copy of the Explorer.exe executable from the original installation media, finding that this did not solve the problem either. I was quite perplexed.

After some digging around, I found some references to a "feature" of the NT family of Windows Operating systems that was meant for developers to use when debugging applications. This feature is called "Image File Execution options" and lives at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. If you want to know more about this feature read here. One of the things you can do with this is to essentially tell Windows that every time XYZ process is attempting to launch, to launch ABC process instead. This is a perfect example of how a very useful feature can be turned against us (as the computer users) by ill-intentioned Spyware. The Spyware had used this feature of Windows to configure the machine so that every time the process, Explorer.exe was launched, it instead launched something else altogether. This, I thought, was a very clever way to utilize a relatively unknown feature and turn it against the user. Once I removed the entry for Explorer.exe, we were then able to get to the Windows Shell and proceed removing the Spyware entirely.  A fun one indeed!!
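The two registry checks from this post (the Winlogon Shell value and a redirect under Image File Execution Options), as an added example that is not part of the original post: a Python triage script that reads a text export of the registry (.reg format) and reports every image that carries a Debugger value. The export contents, the placeholder paths and the function names are constructed for illustration.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"  # assumption: the stock Winlogon Shell value

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\ProgramData\\example\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

# A value line is either @=data (default value) or "name"=data.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(text):
    """Undo .reg escaping, where \\\\ stands for a backslash and \\" for a quote."""
    return re.sub(r"\\(.)", r"\1", text)


def decode_value(raw):
    """Return the string a .reg value carries, or the raw text for other types."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    match = re.match(r"hex\([12]\):(.*)$", raw)  # REG_SZ / REG_EXPAND_SZ as hex
    if match:
        data = bytes(int(b, 16) for b in match.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw


def parse_reg_export(text):
    """Parse .reg text into {key path: {lower-cased value name: data}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name = "" if match.group(1) is None else unescape(match.group(1))
            current[name.lower()] = decode_value(match.group(2))
    return keys


def audit(text):
    """Return (kind, target, data) findings for IFEO redirects and a changed Shell."""
    findings = []
    ifeo_prefix = IFEO.lower() + "\\"
    for key, values in parse_reg_export(text).items():
        low = key.lower()  # registry key and value names are case-insensitive
        if low.startswith(ifeo_prefix) and "debugger" in values:
            image = key[len(ifeo_prefix):].split("\\")[0]
            findings.append(("ifeo-debugger", image, values["debugger"]))
        elif low == WINLOGON.lower():
            shell = values.get("shell")
            if shell is not None and shell.strip().lower() != EXPECTED_SHELL:
                findings.append(("winlogon-shell", "Shell", shell))
    return findings


if __name__ == "__main__":
    for kind, target, data in audit(SAMPLE_EXPORT):
        print(f"{kind}: {target} -> {data}")
```

Exports written by regedit or `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before calling `audit`. A hit is a lead to review rather than proof of infection, since the feature exists for developers who attach debuggers on purpose.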

Thursday, September 18, 2008

Computer Real Estate....

It amazes me that the $399.00 computer is more prevalent than ever and as the PC price wars continue, large PC manufacturers take any means available to lower the cost of their PCs. One of the ways that manufacturers are lowering this cost is to sell what I can only refer to as "PC real estate" on new computers. What I mean by this is, have you ever noticed when you get a new computer it already has, in most cases, loads and loads of "Bonus" software pre-installed? Things like Google Desktop, Google Search bar, Search Assistant, Adobe Reader, Norton 360, AOL, Wild Tangent, McAfee and a seemingly limitless combination of others? Make no mistake, the manufacturer is getting paid to pre-install this software on the machine - which benefits the software manufacturer because it increases the likelihood that the user will utilize their software, when oftentimes the functionality is provided in Windows natively.

This is a frustrating phenomenon for IT people because it just adds to the time that it takes us to configure a new system. We end up taking a brand-new system and having to essentially clean it up when we are configuring it for a client. Most of our clients will never use any of this software and therefore it just sits there junking up the PC. Worse even, most of these packages are trial versions that, after 30, 60 or 90 days, start bugging you to register and purchase the full version - and many of these applications are resident, meaning that they are running all the time, taking up PC resources and slowing your machine. If you have more than about 6 icons in the system tray (bottom-right by the time), you have resident applications running. This is the price we end up paying for a lower cost machine.

Some manufacturers are now offering the option to forgo this trial-ware at the time of purchase. I know that Dell is now doing this. When you buy a new machine either over the phone or on the web, be sure to check to see if the vendor allows you the option to not have any "bonus" software installed - you will be better off in the long run.

Thursday, August 7, 2008

Geeking out...

I have always been a fan of network appliances; that is, a purpose-built computer made to be a device of some sort on your network. While most home-brew appliances are not well advised for production use, I still enjoy building something I may be able to use in my lab. I don't know if it is the form-factor that is appealing or the fact that they are typically built on some flavor of Linux; I guess it's a geek thing either way.

I have had a PIA Micro-ATX case that I picked up some time ago (6+ years) when I was going to do a mini-watercooled PC back when I was more into hardware. I think I got this case for something like $40 off of Pricewatch. Once I actually laid eyes on the case, I thought it would be a great little Smoothwall, so I proceeded to scrounge up some parts. What I ended up using was an old Asus P2B Motherboard with a blazing fast Celeron 266 and 64MB of RAM. This thing ran the Smoothwall platform and was my home gateway firewall for about 4 years. I had it sitting on my desk with a cash-register monitor and it Tailed /var/log/messages and then piped it through ColorLogs which gave me a nice looking techie display of realtime logging information. I thought that was the coolest thing for years but then the motherboard died and it sat on my shelf for 2 years. I always knew I was going to resurrect it and give it new life doing something cool!

Recently I had some time to sit down and rebuild this computer. The hardware is still lackluster, running an Athlon XP 1800+ w/ 512MB. This should be just fine for an Untangle Appliance. I went ahead and took some photographs of the build in case anyone was interested: Check out my WebAlbums: http://picasaweb.google.com/Teklogic757/PIAMicroATXUntangleAppliance

Sunday, July 27, 2008

Onwards and upwards...

After nearly 5 years of server-awesomeness, Small Business Server 2003 is being superseded by its successor, Microsoft Windows Server codename "Cougar"; better known to the public as Small Business Server 2008. Microsoft released an official launch date of November 12th 2008. This is an exciting day for those of us who have been enthusiastically supporting SBS 2003 for these last 5 years. I have been playing with Release Candidate versions of Cougar now for the last few months and I must say, I cannot wait to start deploying this in the field to my customers. It truly is the cleanest-designed and most integrated server product I have seen to date - although surely a long time coming to us lifetime SBSers.

There is a lot of discussion across the forums and newsgroups about Software Assurance, what's in and what's out. At least now we have a date that can help us better decide if certain customers are better off pulling the trigger now and upgrading hardware or limping along until launch time.

Monday, June 30, 2008

The Long Kiss Goodnight...

Despite considerable begging and pleading from Microsoft customers, Bill Veghte, senior vice president of Microsoft's Online Services and Windows Business Group, issued an open letter to customers, holding steadfast to the June 30th end-of-life for Windows XP. He went on to reiterate that security and other critical updates for the now, 6 year old Operating System, will be developed until April of 2014.

Now, you might be thinking "Holy Crap, what about my legacy application(s) that are not Vista Compatible?!?". Well, Mr. Veghte also reminded us that we will still be able to get XP pre-installed from OEM System Builders (Dell, HP, Acer etc..) until January 31, 2009 by exercising Downgrade Rights; after that, we are effectively cut-off.

My thoughts on this situation are mixed. On one hand, developers have had plenty of time to engineer fixes and/or updates to their applications to ensure compatibility with current platforms. You can't really blame Microsoft; they made information regarding Vista's "features" available to developers and programmers alike, many years before its public release. Keep in mind Windows XP is 6+ years old! On the other hand, re-engineering software is expensive and some of the, how shall I say, "less-affluent" vendors will have a hard time swallowing the costs involved.

Having spent considerable time in the Small Business Market, I have come to see all kinds of "strange" software that, in some cases, may be 8+ years old but, in most cases, the respective companies still use it in some aspect of their business. It is generally "atypical" applications like this that have a hard time running under Vista's new security "features". In most cases, if the vendor just spent a few development hours working out why it doesn't work instead of telling the customer that it simply doesn't, the Vista transition wouldn't be so painful!

What usually happens is that I end up in a situation where a customer buys Vista only to find out their software isn't compatible, and I end up spending time with Process Monitor trying to figure out why. It ends up being something simple like permissions to files in the "Program Files" directory; something you would think the vendor should know, seeing how Vista has been released to the public for 1 1/2 years now (and in pre-release stages for 4).

Either way you look at it, the change is coming, resistance is futile, you will be assimilated! ;)

Thursday, May 8, 2008

Ninjas Can't catch you if you're on Fire...

It never ceases to amaze me what some people will come up with when you ask them to change their password. I see people naturally wanting to use their name, their cat's name or their 4 digit bank account PIN number (and I'm certain this isn't you). It is equally disturbing when I see service providers (which I will leave unnamed, <coughing>, Digital Max) give out a common password and not require that you change it on first logon. I can surely understand this phenomenon, as it seems like everything requires a password, with complexity requirements that are frustratingly different between applications. People's inclination naturally is to come up with something easily remembered. This is any security-conscious admin's nightmare, as you can have the sweetest "stateful" firewall, the best IDS/IPS, and the most current anti-malware software but if someone can guess your password, it's all pretty well worthless.

You might ask "who would want to attack me?", but the reality is that there are programs built to simply guess passwords billions of times over and they are scanning any "Internet facing" system for login prompts. Hundreds of times a week your systems are being poked and prodded for different services and applications. You can be sure that if your password is dictionary based, it won't take long for an account to become compromised.

I challenge you to check your password: www.PasswordMeter.com. This site essentially grades you on components of your password.  A good password should contain both upper and lower case letters, numbers and some kind of symbol(s) (e.g. %&#@!./)

Another tool that I find useful is KeePass. This totally free application will store all of your passwords in one location. I find this especially useful for passwords I don't use that often. I have used this program for years and maintain a list that would rival most. It keeps a database containing your passwords and when you are not using the application, your passwords are safely encrypted and only decrypted when you need them based on a Pass Phrase.

Tuesday, March 4, 2008

As the world turns...

2008 is going to be one of the biggest years for change that technology professionals have yet faced; changes that are certainly going to rival in magnitude, the forced-shift that technology providers had to make to stay alive several years back when retailers and lower-tech providers died out. The Hampton Roads area has seen so many technology providers “die”.

Comp-u-Zoo
Micro-Max
Galaxy-Computers
Memory Bank
Lynnhaven Custom Computers
East Coast Computers
III

The list goes on… It’s going to get harder and harder to “fake it” as the advancements in technology are growing so fast, a fundamental understanding of how everything is “put together” is requisite. A shift to the Microsoft Live services that will be bundled with SBS 08 and Windows Essential Server moves people closer to truly “working from the cloud”.

Why am I saying this? Well, I met some MCTs this afternoon (Microsoft Trainers) and they were telling me about the “Next Gen” certifications that Microsoft is offering. One of the problems that the Microsoft certs have had in the past is that they don’t address the reality that there is a HUGE difference in administering a network of 1,000+ users and a network of 10 – 700 users or being an Exchange Administrator vs. an infrastructure or “routing guy”. Check out the following website; I think this training could seriously benefit any technician or technical organization. You will notice that the new “top tier” certification is MCSA or Microsoft Certified Systems Architect. They also retain specific job-role targeted certifications.

I think this is a step in the right direction for Microsoft Certifications and an indicator of the obvious, coming changes.

Friday, February 8, 2008

Windows Server 2008, Vista SP1, Visual Studio 2008, SQL Server 2008 RTM'd!!!

The moment we've all been waiting for (well, not really). As of 5:45am February 4th Windows Server 2008 Officially RTM'd. This means that Windows Vista SP1 is also RTM. (RTM == Release to Manufacturers). For all of you who want to go ahead and jump on it, keep in mind that you need to consult the Windows Server Catalog and remember, it is Microsoft's Best Practice not to do in-place upgrades unless it's simply a Windows Server 2003 machine doing DNS, AD or DHCP ONLY! Instead, if you need to migrate, you need to stick with the "Clean" method which is, of course, a slick-n-reload scenario. Read Microsoft's official best practice / RTM press release for Server 2008 and this one for Vista SP1. Good luck to us all; experience tells me we will need it...

Monday, January 28, 2008

It's all about the tools! Meet AutoRuns

Most of us have used StartupList and Hijack This; this tool takes it a step further. Written by Mark Russinovich and Bryce Cogswell previously of Sysinternals, this tool examines every place in your machine that applications can be started automagically. I have already used this tool a half dozen times to resolve things from virus infection to troubleshooting application "linking" issues. I recommend you check it out and keep it in the proverbial "toolbox". Read more here.

-JC-

Thursday, January 24, 2008

Everyone likes something shiny and new!

Last week I attended the Windows 2008 Partner Preparation course. I learned of quite a few new and useful features included in Server 2008. I wanted to outline a choice few here:

--> Byte Level DFS(r) - Well this is a very cool feature to be included in the Standard and Enhanced versions of Server 2008. Your SYSVOL share now utilizes byte-level DFS-R. Also, you can create Read-Only members of a DFSR topology. They have also extended the previous recommendation that the DFS namespace not contain more than 5,000 folders. In my opinion DFS is one of the most underutilized technologies included in Windows Server Operating Systems since 2000. I think this is due, in part, to its shortcomings. Windows Server 2008 is going to take a stab at making this wonderful technology more useful (and functional) for everyone.

--> Manipulation of AD databases can be done INSIDE the OS, without having to boot into Directory Services Restore Mode. That's not to say they are getting rid of DSRM but it won't be necessary in order to perform certain functions. The service name has also been changed and is now called "Domain Controller Service". There are several caveats here such as the fact that, of course, no one will be able to authenticate to the DC while the AD related services are stopped. This won't be a problem in organizations that employ a secondary domain controller. I am very interested in how this will affect the Swing Migration technique.

--> Server Core - This is essentially a stripped down version of the Server operating system for use on systems that you either want reduced attack surface or want to run on lesser hardware. You'd better get used to the command line here because that's all this puppy has; no explorer shell nothing, nada. Once you have your IP information (netsh), Time Zone, Activation, Computer Name, Domain Membership (netdom) and, Server Roles configured, you can manage it from another computer simply by using the MMC Snap-in that manages that respective service or as they refer to it now, role.

--> The Read-Only Domain Controller - This is a new operation mode for Active Directory. This is meant for remote office configurations where a DC resides in a physically insecure environment or where a DC may need to sit in a less secure network segment for LDAP lookups (for RADIUS etc). The RODC contains a copy of the AD database that is not writable; it redirects all write attempts to the main DC. This RODC also does not cache credentials providing greater security. In order to implement this only one DC that contains the PDC Emulator role needs to be at Server 2008, the rest can be 2003.

--> Network Access Protection - This is essentially a replacement for IAS, which was essentially Microsoft's RADIUS.  This allows an administrator to specify a Policy Server that will define what the requirements are for a PC to be able to "talk" on the trusted network. This could be an up-to-date set of Windows Updates, Anti-Virus or Firewall Software. This system works with Certificates of Health that are presented to the NAP server and accepted or rejected depending on the client. Upon rejection, the client can be redirected to a set of remediation servers that will subsequently get the computer where it needs to be in terms of its compliance with the parameters set on the policy server.

--> No Native support for TAPE - "And the crowd goes wild" For many years I have been a believer in the "Tape is a four letter word" adage and I couldn't be more happy that Microsoft has taken a step towards getting people off of that old technology. This also means there is no more NTBackup; at least not as most of us know it. On a scheduled backup, the destination media is ALWAYS formatted before a backup is made. Now when the instructor said this we all thought he was crazy, but apparently this is true.

--> "Hot Patching" - We will notice that Security Patches require less frequent restarts under the 2008 platform. This is true for most non-kernel patches.

--> Terminal Services - Oh where to begin? The new TS features are some of the coolest changes that have been made. Terminal Services under 2008 now fully supports RDP 6.0 as opposed to 2003's 5.2. One of the most notable, and debatably the most useful, new features is called TSRemoteApps. Essentially what this does is allow a user to run a program from their desktop seamlessly but be running it on the Terminal Server. This is something Citrix has been doing for years. Another thing Citrix has been doing for years that will be available is Terminal Services Web Access. This allows you to browse to a site and run an application from the terminal server from a program link on a web site. They go so far as to include a SharePoint Webpart to accomplish this so that you could neatly integrate this with your SharePoint deployment. Then there is Terminal Services Gateway; this allows you to securely implement Terminal Services over HTTPS. By wrapping your TS session in SSL it provides end-to-end encryption instead of the default two channel encryption. This also serves to provide greater compatibility for roaming users, as seldom does anyone block port 443. Ok, now any TS admin's dream, Terminal Services Easy Print. This is a technology that will install the client's print drivers into the Terminal Server without having to do this manually; I know this will save me lots of headache.

--> PowerShell - Blah Blah Blah, new command-line and scripting interface.

--> Self-Healing NTFS - As it stands now, if the OS detects corruption in the file system, the volume is marked "dirty" and a chkdsk on the next reboot is necessary to clear this. Under 2008 this can be done inside the OS while it is running. This happens fairly autonomously and is transparent to the user except for some notable event logging.

--> Hyper-V - This can be thought of as the ability to partition a single physical server into multiple computational partitions. This is an additional "Layer" if you will, that sits between your HAL (no, not 9000) and the O/S (with another layer called the VMBus) illustrated here. What this does is provide better "separation" between the physical machine and the virtual machine while being able to more efficiently utilize the physical hardware under the virtual OS. Windows Server 2008 essentially integrates Virtual Server into the OS natively.

--> Windows System Resource Manager - This allows you to prioritize tasks on a server based on executable name. This takes it a step further than raising a process's priority or setting a process's affinity to a particular CPU.

Now I know I am not doing all of these features justice as there is simply a lot more to say but hopefully this gives you a good idea of some of the features coming down the pipe. Thanks for reading!

Technically,

-JC-

Tuesday, January 15, 2008

Method for recovering mailbox from OST.

You are trying to open an OST that has been orphaned and are getting "ost file was configured for another mailbox".

Just Googling this turns up all kinds of people looking for a solution here. There is a (relatively) simple way of recovering when 2 things are true.

1.) You haven't removed the user's local profile that contained an "association" with the Exchange mailbox from which the OST was created. (Usually in c:\Documents and Settings\<username>)
2.) You are utilizing Outlook 2003 or better.

*You will want to create a local user account with which to do this.

So the first thing to understand is that the registry contains a "mapping" (if you will) of local profiles to user accounts. Second thing is that all user accounts, local and otherwise (the latter of which are beyond the scope of this conversation), have a Security Identifier or SID.

Log in as 'Administrator'. Open regedit and navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'. You will note several SIDs; these represent the accounts on your computer. You will note that the service accounts also have a SID. You want to select each of these subkeys and examine the 'ProfileImagePath' value. This will "point" to the local copy of each respective user profile. Identify the one that belongs to the account you created above *. Identify the one belonging to the old account with which you had the mailbox previously working (and thusly the OST). Change the 'ProfileImagePath' value of the account you created to point to the previously working one.

Log off the administrator and log in as the user you created. Make sure your OST is properly in place (usually c:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook).

You should now be able to open the OST and then export to PST and easily access your data to do with what you will.
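An added example, not part of the original post: a PowerShell listing of the ProfileList mappings described above, with a copy of the key exported first so the original mapping can be put back. It assumes PowerShell 2.0 or later run as an administrator; the backup file path is a placeholder chosen for this example.

```powershell
# Added example: inspect the SID -> profile folder mapping before editing it by hand.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Export the key first. The destination path is a placeholder for this example.
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' 'C:\ProfileList-backup.reg'

Get-ChildItem $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath

    # Translate the SID to an account name. SIDs of deleted accounts, or
    # subkeys whose name is not a valid SID, cannot be resolved.
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    New-Object PSObject -Property @{
        SID              = $sid
        Account          = $account
        ProfileImagePath = $path
    }
} | Format-Table SID, Account, ProfileImagePath -AutoSize
```

The row whose Account is the newly created local user is the one whose ProfileImagePath gets changed; importing the exported .reg file afterwards restores the original mapping.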

If this seems like a bit much to you maybe you ought to consider hiring a professional (namely me) to do it for you.

=)

Cheers,
-JC-

Friday, January 4, 2008

SBS Backup User, Interactively run backup

If you support SBS and are like most IT Pros, you have probably logged into a server in the evening and been working on one thing or another and up pops the scheduled SBS backup. That is, if you always use the console session, as it is a best practice (mstsc /console).

As an aside, I always encourage technicians to log off of sessions when done; console or otherwise. This not only frees up memory by unloading tasks such as explorer.exe or any other thing that happens to interactively run based on a user logon, it also allows someone else to log on "behind" you, thereby sparing them the hassle of "the terminal server has exceeded the maximum number of allowed connections" error. I have also heard reports of problems being caused when snap-ins utilizing MMC are left open in remote sessions.

Getting back to the point, if you see the native backup launch under SBS while doing maintenance, you can safely log off when done, as the SBS integrated backup, while it does display interactively, runs under the context of the 'SBS Backup User' and therefore logging off of your session will not affect the backup in any way.

Just thought that would be good to throw out there.