Block Internet Access for Specific User using Group Policy

I recently had a client that needed to block access for a specific user that was browsing the internet instead of working. The catch being that they were only using the built-in firewall of SBS2003 Standard and the offending user had to still have access to the internal network that was housing some business apps via IIS.

After digging through numerous Live Search results, I stumbled across a link to this tip on JSI in one of the results.

Knowing how Google is now weighting recent posts/page updates to move to the top of the results, I’m re-posting the procedure to make it easier to find for anyone searching for a working solution. I hope this saves at least one person a large chunk of time.

1. Create a new policy in GPMC by right-clicking your domain and pressing New. Name the policy No Internet.

2. Right-click No Internet and press Enforced to check it.

3. Select No Internet in the left-hand pane, select Authenticated Users under Security Filtering, press Remove, and press OK so that the policy applies to nobody until you add the specific user later.

4. Using Group Policy to implement Internet Explorer settings, navigate to User Configuration / Windows Settings / Internet Explorer Maintenance in the No Internet policy.

5. Right-click Internet Explorer Maintenance and press Preference Mode.

NOTE: If a policy is already defined, you must press Reset Browser Settings, which will reset any Internet Explorer Maintenance Group Policy, before you press Preference Mode.

6. Navigate through Connections and double-click Proxy Settings (Preference Mode).

7. Check Enable proxy settings, Use the same proxy server for all addresses, and Do not use proxy server for local (intranet) addresses. (The box above this checkbox is where you set exceptions for your internal network.)

8. Type 127.0.0.1 into Address of proxy and 80 into Port.

9. Press OK.

10. Close the No Internet Group Policy.

NOTE: To prevent a user from changing their proxy settings, implement Disable changing proxy settings or Disable the Connections page in the No Internet policy.

To prevent a user from accessing the internet:

1. Select the No Internet Group Policy under your domain and press Add under Security Filtering.

2. Use the Advanced dialog to locate and select the user, pressing OK.

3. Press OK.

4. If the user is logged on, force the policy to update.
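The proxy values the No Internet policy writes end up in the user's Internet Settings registry key, so the lockout can be verified from the user's own session rather than by trial browsing. The following PowerShell script is an added example, not part of the JSI tip or this post; it assumes the standard Internet Explorer per-user registry locations (ProxyEnable, ProxyServer as host:port, ProxyOverride containing `<local>` for the intranet bypass, and the Proxy value under the Control Panel policy key that "Disable changing proxy settings" sets) and the 127.0.0.1:80 address from the procedure above.

```powershell
# Added example: confirm the "No Internet" proxy lockout for the user running this script.
# Assumes the standard Internet Explorer per-user registry locations; run it in the
# affected user's session after a policy refresh so the refreshed settings are checked.

function Test-NoInternetProxy {
    param(
        # Proxy the No Internet policy is expected to set (127.0.0.1:80 per the procedure).
        [string]$ExpectedProxy = '127.0.0.1:80'
    )

    $settingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $policyKey   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

    $settings = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue

    $proxyEnabled = ($settings.ProxyEnable -eq 1)
    $proxyServer  = [string]$settings.ProxyServer
    # "Do not use proxy server for local (intranet) addresses" is recorded as <local>.
    $bypassLocal  = ([string]$settings.ProxyOverride) -match '<local>'
    # "Disable changing proxy settings" appears as the Proxy DWORD under Control Panel.
    $proxyLocked  = ($policy.Proxy -eq 1)

    return New-Object PSObject -Property @{
        ProxyEnabled  = $proxyEnabled
        ProxyServer   = $proxyServer
        BypassLocal   = $bypassLocal
        UserCanChange = -not $proxyLocked
        # Lockout is only effective when the proxy is on AND points at the dead address.
        LockoutActive = ($proxyEnabled -and ($proxyServer -eq $ExpectedProxy))
    }
}

# Step 4 of the procedure: refresh user policy, then check what actually landed.
gpupdate /target:user /force | Out-Null
$state = Test-NoInternetProxy
$state | Format-List

if (-not $state.LockoutActive) {
    Write-Warning "No Internet lockout is NOT in effect for $env:USERNAME; check Security Filtering on the GPO and 'gpresult /scope:user /v'."
}
elseif ($state.UserCanChange) {
    Write-Warning 'Proxy is set, but the user can still change it; add "Disable changing proxy settings" to the policy.'
}
if (-not $state.BypassLocal) {
    Write-Warning 'Intranet bypass is missing; the user will lose the internal IIS apps as well.'
}
```

The third warning is the one that matters for the client described here: if the intranet exception is not in place, the 127.0.0.1 proxy blocks the internal business apps along with the internet.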

Of course, the optimal solution would have been a firewall at the point of entry, but solutions within the client’s limitations are sometimes part of what we do.


Honolulu TS2 Seminar

As I posted earlier, Honolulu happened to be graced with a TS2 seminar 2 days ago. It’s about time!

Woody Walton was the presenter for the topics that included Managed Services, System Center Essentials, Exchange 2007/Communicator/etc. and Forefront line of products. He did an excellent job of getting the pertinent information out to the attendees.

Shaky hands, pardon me!

He demo’d System Center Essentials 2007 for us, and although I have it in my Action Pack, I haven’t had the chance to install it and play with it yet. The demo got me drooling however, so that may be on the list to do once I finish an office move for one of my clients.

The majority of the Forefront presentation was on the Client Security offering. Since I’ve been using it in the home office, I had a good working knowledge of it already, which netted me a SBS 2003 neoprene CD holder for answering the only question presented to us. I r smart. He did let us know that the next line of Forefront products being developed are under the code name "Stirling", for those fascinated by code names.

He also gave us a live demo of the automated voice attendant used to access his e-mail, calendar, voicemail, etc. back in Redmond. I had only read about the feature so seeing it in action was pretty impressive. He did run into some problems with it recognizing his voice input since he was using speaker phone, but I got the gist of the usefulness of the offering. He also ran a video of a "Devil wears Prada" spoof demonstrating the power of the complete offering. Great display of the possible uses of the technology, and funny to boot. The Roundtable hardware looked very cool for those that teleconference with multiple people present in 1 room. Availability is very limited for the Roundtable device though.

Also covered were various VOIP phones, including the Catalina USB Phone and a phone with Communicator embedded, which traverses firewalls. He stated he has a co-worker that’s taken the phone overseas, plugged it into the hotel internet, and was then able to access his information back at the office. Very cool technology.

During our 1 break, I made it down to introduce myself and see if he recognized the Blue Monster, which I use on my business card. He hadn’t, so I explained to him the basics and gave him the info to find more on it. He was very intrigued, to say the least and said he’d definitely get more info on the little guy. I also made him aware that "Centro" had been given a name that morning, which he wasn’t aware of at the time. He probably wished I hadn’t told him, as he referred to it by the full name the rest of the seminar instead of "Centro" (luckily, he had covered what he needed of "Centro" before the break, so it wasn’t much). Sorry!

All in all, a great experience start to finish. Some of the attendees (Microsoft Partners) were making snide remarks and chuckles as he covered some of the material, so I can see now where Vlad gets his "riff-raff" from. A minor annoyance, but nothing that detracted from the entire experience.

On the way out, I talked with one of the guys that sat at the table (didn’t get the name as they were packing it up) and he said TS2 had plans to make it out at least twice a year now. Good news considering they hadn’t been out since I became a Partner over a year ago.

Here’s to seeing more events in Hawaii!

I have another post coming soon covering something I found very interesting in the IT market here in Hawaii. Surprised the hell out of me, for sure.

Tags: System Center Essential

Windows – 1, Linux – 0


Remember the SBS 2003 Server I was taking over from another consultant that hadn’t been updated in 2+ years?

Yeah, flawless updating through all 5 SBS 2003 SP1 updates, Server 2003 SP2, Exchange SP2 and WSS SP2, as well as the accompanying 39+ patches after all the SP’s were in. Side effect of all the patching? Server now runs way snappier and I look kingly to the business.

The previous consultant’s departing gift was an update to their Linux firewall that hadn’t been updated in a year. End result was a firewall that ate itself during the upgrade and a forced reinstall of the entire box. The worst part of the botched upgrade was that it happened at the beginning of business hours on Friday, so the business was without internet until I could get in and pop a router into place, which held them over until the other consultant could get onsite and reload the Linux box. The previous consultant is a friend of mine, so of course, I had a field day giving him a hard time.

The SBS 2003 update process took ~13 hours start to finish. 7 hours of that was a full backup of the server before I started the process, so ~6 hours for all the service packs and patches to go in. Part of that time was also dedicated to clearing out the Exchange queues of all the spam that had resided there for over a year after they got hit while using Exchange as their mail server. Once I get the chance to show them the beauty of Direct Push, I believe I can get them to swap back over and get them subbed to ExchangeDefender run by the (in)famous Vlad Mazek.

I did have the foresight of knowing that the Server 2003 SP2 caused issues if the NIC drivers were old, so that was the very first thing updated once the Server was taken down for a good cleaning out and put back online. I’m sure you’d like to hear about having to work around quirks that popped up during the updates, but there were absolutely none. Completely flawless start to finish. The previous consultant, being mostly Linux based, was highly impressed with the speed of the machine after updating. Security isn’t the only reason you should patch.

All in all, a win for the Windows Server product and a black-eye for the Linux product in the eyes of the business. Can’t say I’m unhappy about that.


Server 2008 in SBS2003 Domain

I finally decided to load up Server 2008 this morning in Virtual PC to spend some time playing with the new Server OS of choice (not counting Cougar) in the next 6 months. Installation was painless, although I was disappointed I couldn’t load up the x64 version in Virtual PC. I had wanted to see how Server 2008 and Exchange 2007 interacted, but alas, not to be for now.

I do love the interface changes for adding the various roles and features associated in Server 2008. It just looks and feels better overall.

As I was flipping through the roles, I got the crazy idea to see how it would integrate into my existing SBS2003 environment. Surely it would break things and give me something to wrap my brain around on a lazy Sunday. I hadn’t had anything break in a while; this could be fun.

The join to the Domain was flawless as expected and I was greeted shortly thereafter with an update being pushed down by WSUS for Forefront Client Security, which I have running on the SBS2003 box. I had bigger fish to fry however and ignored it for the time being.

I checked off Active Directory Domain Services in the Add Roles wizard and, after some thinking on its end, was prompted to run the various adprep steps on the SBS box. I flipped the 2008 CD over to the SBS box and ran forestprep, domainprep, gpprep and rodcprep. The schema was updated to v44 fyi.
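The schema version is the quickest way to confirm that forestprep actually completed before the 2008 box is promoted. This PowerShell check is an added example, not something from this post; it uses ADSI only (no Active Directory module, which the SBS 2003 box does not have) and assumes it is run from a domain-joined machine that can reach a domain controller. Windows Server 2008 raises the schema objectVersion to 44, the value reported above.

```powershell
# Added example: read the forest schema version via ADSI and compare it with the
# Windows Server 2008 value (44). Assumes a domain-joined machine with LDAP access
# to a domain controller; no Active Directory module is required.

function Get-SchemaVersion {
    # RootDSE tells us where the schema partition lives for this forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDn = [string]$rootDse.schemaNamingContext
    # objectVersion on the schema container is what adprep /forestprep bumps.
    $schema   = [ADSI]"LDAP://$schemaDn"
    return [int][string]$schema.objectVersion
}

$expected = 44   # Windows Server 2008 schema version
$version  = Get-SchemaVersion

if ($version -ge $expected) {
    "Schema objectVersion is $version; forestprep for Server 2008 (v$expected) has been applied."
} else {
    "Schema objectVersion is $version; run adprep /forestprep from the Server 2008 media on the schema master before adding the DC."
}
```

Run it again after adprep finishes and replication has had its minute or two; a stale value from a DC that has not replicated yet is the usual reason the number looks wrong.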

I popped back over to the 2008 VPC and the wizard continued onwards, adding the 2008 Server as a domain controller into my existing domain. Nifty. No griping or moaning, it just did its thing and let me know when it was done. Replication of AD was painless as well, taking maybe a minute or 2 to replicate from the SBS box.

I also set up DNS on the 2008 VPC and delegated/transferred the zone over without any hitches. Very painless process from start to finish.

Once I was happy that AD and DNS were doing their thing, I returned to the WSUS update. Forefront Client Security installed with no problems. A quick trip over to the SBS box to approve the manual agent install in MOM 2005 had the 2008 VPC showing up in the FCS management window with an outdated policy. No problemo, a quick deploy of the policy and all was as it should be.

Event logs were extremely noisy during the process, but haven’t popped up anything of note in the last few hours: 1 recurring error for PerfNet (which I need to look into), and a warning on security-related events for anonymous logins in AD.

Way easier than I had expected to be honest and very happy with the results.
