Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Monday, January 19, 2009

Microsoft Hyper-V Introduction

RTA Information Technology, Tempe, Arizona http://rtait.com/index.htm

I'm back. I haven't posted for a while. I just got Microsoft-certified in Microsoft's new Windows Small Business Server 2008 after having been a beta tester for the past year. As near as I can tell I was the second person in Arizona to get SBS 2008-certified. There are only 200 of us in the world so far.

While the new SBS 2008 is big news, my personal hot topic of the year 2008 was Microsoft's Hyper-V. This is very low-level virtualization software to allow multiple operating systems to run in separate "virtual machines" on a single PC or server.

For the past year, I've been running Windows Small Business Server 2008 inside of Hyper-V. Doing so allows me to easily restore the operating system if needed. And it allows me to build companion virtual machines (like XP and Vista clients) that can talk to my server and interact with it.

I've been using virtualization for several years now. Hyper-V is a big improvement over past Microsoft virtual server software because it's faster, can run 64-bit software (like SBS 2008), and can accommodate much more memory.

And the best news of all: Hyper-V software is essentially free.

I'll have more to say about Hyper-V and SBS 2008 in future posts. Right now, I'm concentrating on backups and restores for SBS in Hyper-V. Because of the complexity of SBS (Exchange Server 2007 and, often, SQL Server are running), SBS 2008 requires special backup techniques and solutions that are, right now, a work in progress.

Later. Myron

P.S. Catch me at the AnandTech forums

http://forums.anandtech.com

where I've been a Moderator for Networking and General Hardware for several years. Feel free to ask technical questions there. My screen name is "RebateMonger", for my proclivity for finding good deals on computer hardware.

Wednesday, July 26, 2006

I Think I Like It - My new Sprint PPC6700 SmartPhone and SBS 2003

RTA Information Technology, Tempe, Arizona http://rtait.com/index.htm

I resisted the temptation for a long time, but I finally acquired a pair of Sprint PPC6700 SmartPhones. If you are in the IT business, you probably already know all about them. Just about every IT consultant I run into seems to have one. But they haven't hit the average businessperson. Yet.

The Sprint PPC6700, and its Verizon, T-Mobile, and other twins, is a Windows Mobile 5 SmartPhone/PDA. Besides being a decent phone, it features full WM5 functionality -

* Instant synchronization of email, contacts, and calendar with your SBS 2003 Server
* Mobile versions of Word, Excel, and PowerPoint
* Always-on medium-speed Internet connection
* Built-in Windows Media Player
* A Windows-centric operating system that Windows users find familiar

If you spend time away from your office, and if you have an SBS Server or an Exchange Server, you owe yourself a hard look at these phones.

I put a $60 2GB MiniSD storage card into mine, for holding music, videos, and whatever. I also downloaded a WONDERFUL program, SiriuCE, that lets me listen to my Sirius Satellite Radio channels.
http://www.emulamer.com/SiriuCE.html

And I just ordered a SlingBox, to let me watch my Dish Network Satellite TV channels from anywhere in the world, via an Internet connection. http://slingbox.com

I bought a pair of PPC6700s. I figured that was cheap insurance. Plus, I got two of everything, including cases, chargers, and sync cables. I found some vendors on eBay that claim to be selling original (OEM) Audiovox car chargers and other accessories. One nice thing about the PPC6700 is that the hardware between phone vendors (Sprint, Verizon, Audiovox, etc.) seems to be identical, so you can get accessories from multiple sources.

I'm also taking a look at extended batteries. The factory 1350 mAh battery is good for a day's use and no more. Lion Battery (http://www.lionbattery.com/description.php?noproduit=321) offers a new 2800 mAh battery that is getting great reviews and can, apparently, be squeezed into the (Sprint) factory leather case and charging base.

Does this all sound like a commercial? Maybe. But it's more a commercial for SBS 2003 and how it works with this great new hardware. Without that, the PPC6700 would just be another phone with some fun multimedia stuff.

But add an SBS/Exchange Server, and it becomes a fun toy that also gets real work done. I think I like it.

Wednesday, July 12, 2006

Virtual Goodness - Virtual PC 2004 Now Free from Microsoft

RTA Information Technology, Tempe, Arizona http://rtait.com/index.htm

Following the lead of Microsoft's Virtual Server 2005, Virtual PC 2004 is now available for free download:

http://www.microsoft.com/windows/virtualpc/default.mspx

Virtual PC, purchased from Connectix a few years ago, is an amazing and easy-to-use program that has dozens of uses. Some prime uses:

1) Running older programs that won't work under XP or Server 2000 or Server 2003
2) Running Trial Versions of Microsoft Server software or applications like Exchange or ISA
3) Experimenting with "risky" changes to your Server or Desktop operating system
4) Learning about networking

When I was working on my MCSE certification, I spent countless hours running networks of multiple Windows Servers inside of multiple Virtual PC workspaces. If you make a mistake and trash a Server, you can close the window and restart the Server. No harm done.

Another common use is if you have an old program that only works under Windows 95, 98, or NT. You can load that OS into a Virtual PC window and then load your program into the new, virtual, OS. Now you can use your old program, safely, on a modern XP workstation.

About the only things you can't do in Virtual PC are emulate SCSI drive arrays or Fibre arrays for Clustering. As long as you have enough memory in your desktop PC, you can pretty much run as many Virtual PCs (or Servers) as you care to. Each Virtual PC requires REAL memory to run, though. It can't take advantage of virtual memory. So if you want to run four Servers and each needs 384MB of memory, you'll need around 1.5GB of RAM in your desktop PC.

So, download Virtual PC 2004 and download a trial copy of the OS you want to play with (most Microsoft Server 2003 trials are good for six months). And play to your heart's content for six months for free!

Monday, June 19, 2006

Clean Up Your SBS 2003 Server

RTA Information Technology http://rtait.com/index.htm

Many people have space crunches on their SBS 2003 servers. It's common to see 12GB (Dell OEM) or even 8GB C: partitions on SBS 2003 Servers. It can be a challenge keeping that C: system drive from overflowing, with drastic consequences. I HATE getting an Alert email from my SBS Server telling me there's only 200MB of free space left on C:!

The biggest space grabbers on an SBS Server include:
a) The Exchange Stores
b) The Exchange Log Files
c) The System Page File
d) The Volume Shadow Copy Files
e) User Shared Folders
f) Old "Uninstall" files for Windows Updates

And the Exchange Stores, Exchange Logs, User Shared Folders, and Uninstall Files keep growing! Ask somebody what happens to the c:\Program Files\Exchsrvr\MDBData\ folder if you don't make frequent backups of your Server! It'll grow ever larger until there's zero free space on your partition!

It's not all that difficult to make more space on C:, without the need for complex re-partitioning of your drives. Microsoft even provides a complete "how-to" here:

http://tinyurl.com/9k7ve

Here's what I did in a couple of hours of work for one client. He went from around 400MB of free space on C: to 3.8GB of free space. This was on a standard Dell OEM SBS 2003 installation. And, since I moved his User Shared Folders and his Exchange Stores and Log Files, he'll STILL have (around) 3.8GB free six months from now.

1) Moved the Exchange Server Log Files, Public Store, and Private Store to:
d:\program files\exchsrvr\mdbdata
Email mailbox sizes and incoming email will have no effect on your C: drive anymore.

2) Moved the Volume Shadow Copy of C: (which is done twice a day and allows recovery of accidentally deleted and overwritten data files by users) to D:
Volume Shadow Copies, by default, use 10% of your drive space and make copies twice a day.

3) Enabled Volume Shadow Copy of D:
Many don't have this feature turned on. By default, this uses 10% of your D: drive and makes copies twice a day. This can probably be safely set much smaller. Shadow copies will allow instant recovery of accidentally deleted or overwritten shared files on your D: drive.

4) Moved the User folders (their redirected "My Documents" folders) to d:\Users Shared Folders.
This will allow User folders to grow without using space on C:

Note that this is a pretty complex operation. Be sure to follow Microsoft's directions EXACTLY. And DO NOT rename the "share name" of your new Users Shared Folders! Renaming it will make a mess!

ALL NEW FILES SAVED BY USERS IN THEIR "MY DOCUMENTS" FOLDER SHOULD BE AUTOMATICALLY REDIRECTED TO "D:\USERS SHARED FOLDERS\xxxxx", WHERE XXXXX IS THEIR USERNAME.

===>>> This should be checked to be sure it's working properly! When somebody saves a file in their "My Documents" folder, the files should be redirected to his "d:\Users Shared Folders" directory. PLEASE VERIFY THIS IS WORKING!

I kept the original versions of all the redirected files in c:\Users Shared Folders for a while, just in case. I also checked the copy operation for errors and verified that c:\Users Shared Folders and d:\Users Shared Folders contained identical numbers of files and directories.

5) Modified the Disk Space Quotas for some users. By default, any new users will be allowed 1GB of space on D: or C:
You may want to modify these values.
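The "verify the copy" step above is the one most often skipped. This is an added example (not from the original post): a small script that inventories a source tree such as c:\Users Shared Folders and its copy on D:, then reports files that never arrived, files whose size differs, and directories that are missing. The demo builds a constructed pair of trees in a temporary directory so it runs anywhere; point the two paths at the real folders on the server.

```python
"""Check that a redirected folder tree was copied completely (added example)."""
import os
import tempfile
from pathlib import Path


def inventory(root):
    """Walk root and return ({relative file path: size}, {relative directory paths}).

    Relative paths use forward slashes so results compare the same on any OS.
    """
    root = Path(root)
    files, dirs = {}, set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            dirs.add((rel_dir / d).as_posix())
        for f in filenames:
            files[(rel_dir / f).as_posix()] = (Path(dirpath) / f).stat().st_size
    return files, dirs


def compare_trees(src, dst):
    """Compare a source tree with its copy.

    'ok' is True only when dst holds every file and directory of src with
    matching sizes. Extra files on dst are listed but do not fail the check,
    since users may already have saved new files to the redirected location.
    """
    src_files, src_dirs = inventory(src)
    dst_files, dst_dirs = inventory(dst)
    missing = sorted(set(src_files) - set(dst_files))
    extra = sorted(set(dst_files) - set(src_files))
    size_mismatch = sorted(f for f in src_files
                           if f in dst_files and src_files[f] != dst_files[f])
    missing_dirs = sorted(src_dirs - dst_dirs)
    return {
        "src_files": len(src_files), "dst_files": len(dst_files),
        "src_dirs": len(src_dirs), "dst_dirs": len(dst_dirs),
        "missing": missing, "extra": extra,
        "size_mismatch": size_mismatch, "missing_dirs": missing_dirs,
        "ok": not (missing or size_mismatch or missing_dirs),
    }


def build_sample(root, files):
    """Create a constructed sample tree; files maps relative path -> text content."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Constructed scenario: one file never reached D:, one arrived truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "c_Users Shared Folders"   # stands in for c:\Users Shared Folders
        dst = Path(tmp) / "d_Users Shared Folders"   # stands in for d:\Users Shared Folders
        build_sample(src, {"alice/My Documents/budget.xls": "q1 q2 q3 q4",
                           "alice/My Documents/memo.doc": "hello",
                           "bob/My Documents/notes.txt": "todo"})
        build_sample(dst, {"alice/My Documents/budget.xls": "q1 q2 q3 q4",
                           "alice/My Documents/memo.doc": "hel",       # truncated copy
                           "bob/My Documents/readme.txt": "new file"})  # notes.txt missing
        return compare_trees(src, dst)


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real folders with `compare_trees(r"c:\Users Shared Folders", r"d:\Users Shared Folders")` before deleting the originals on C:.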

If necessary, you can easily move the "c:\Client Apps" folder, too. This is an easy operation. I'm not sure that moving the Pagefile.sys file is a good idea. Do this only as a last, desperate, measure.

The Windows Update Uninstall Files (in c:\Windows) are not huge, but you can safely delete all but the very latest files. You can CERTAINLY delete anything previous to the last Service Pack.

So, stop fighting the space crunch. Clean up that SBS Server and stop having to worry about overflowing your C: drive.

Sunday, May 14, 2006

Microsoft's Business Contact Manager 2.0 - CRM on a Shoestring

RTA Information Technology, Tempe, Arizona

Everybody needs CRM. If you have a business and don't have a way to manage contacts and correspondence, you are handicapping yourself.

What's CRM?

Customer Relationship Manager (CRM) is software to manage your business contacts, leads, mailings, proposals, and billings. Microsoft's new CRM 3.0 is a leading example, and can be quickly installed on your Windows Small Business Server 2003 (Premium Edition). But CRM 3.0 may be a bit pricey for many small businesses. If your livelihood is sales, then you SHOULD take a hard look at CRM 3.0. But if you can't justify the cost right now, you should look for SOME kind of CRM software.

Enter Outlook 2003 with Business Contact Manager Update (BCM Version 2)

BCM 1.0, which came out two years ago, was a major disappointment to me. I installed it and immediately removed it. It wasn't designed to work with Outlook Exchange Profiles (although there was a patch for SBS 2003 users). And you couldn't share your contacts with anybody else. That was a major problem for most people.

But BCM Version 2.0 is different. You can share your contact data among five users. You can even put the data on your SBS 2003 Server, in an MSDE database, to make for easy sharing and backups. And BCM integrates nicely with MS's Small Business Accounting (SBA) 2006, which can't even be done with full-blown CRM 3.0 without add-in connection software. You can enter a billing in Outlook 2003 and have it pop out of SBA 2006 as an Invoice.

Did I mention Free?

Yes, BCM 2.0 is a free update to Outlook 2003 if you own MS Office Small Business Edition 2003 or MS Office Professional Edition 2003. You can get more information and download it here:
http://tinyurl.com/jzft9

Want more details?

Here's the lowdown on Business Contact Manager from Microsoft:
http://tinyurl.com/jnve3

What do I think of BCM?

I can't tell you. Yet.

I've just reinstalled it. I'm going to see how well it works for me, and how well it works with SBA 2006. I'll report back here soon.

In the meantime, you might want to join a new Yahoo Group that's been formed to discuss BCM: http://finance.groups.yahoo.com/group/msbcm

Saturday, April 22, 2006

Remote Access Techniques for Business - How to Choose

RTA Information Technology - Tempe, Arizona

The Wonderful World of Remote Access keeps expanding. Small businesses now have remote access options that were unthinkable ten years ago. In fact, with Windows Small Business Server 2003, a small office has MUCH better remote capability than many large corporations.

There are four main techniques used for working remotely:
1) Remote Desktop
2) VPN (Virtual Private Network)
3) SBS Remote Web Workplace
4) Terminal Services

Each has its pros and cons. Each has appropriate and inappropriate uses.

1) Remote Desktop
Remote Desktop (using Microsoft's Remote Desktop or the open-source VNC) lets you work directly on your Office PC. Your remote PC is nothing more than a video terminal with a mouse and keyboard attached. Anything you do on the desktop is actually happening on your Office PC. This is a surprisingly low-bandwidth solution. You can work remotely with only a telephone modem connection.

Remote Desktop is recommended where you are accessing data-intensive applications, like databases. Since all the processing and data handling are done on your Office PC, Remote Desktop is much faster than VPN for viewing databases or working with large data files.

Remote Desktop is also quite safe for your Office network. Because your remote PC is only used as a video terminal, there's no direct connection between your Office's network and your remote PC. Worms, for instance, can't travel to your Office and infect the rest of your network.

Remote Desktop is my recommended access method when you can't be sure that the remote computer is secure and safe from viruses, worms, and other contamination. If employees are logging in from a home computer that others may use, it's by far the safest remote access method.

2) VPN (Virtual Private Network)
A VPN establishes a direct link between your remote PC and your Office network. It's pretty bandwidth intensive. Working with large files or databases is quite slow. On the other hand, you have direct access to the network, can perform drive mapping to resources, and data transfers (such as file transfers and directory listings) are much faster than with Remote Desktop.

As mentioned earlier, VPNs are a bit of a security risk. If a contaminated remote PC enters your network, your other Office PCs are exposed to worm propagation. This risk can be managed in various ways, but it never goes away completely.

VPN Flavors
VPNs come in two flavors: Client-to-Site and Site-to-Site. A Client-to-Site VPN connects single remote computers to the Office. A Site-to-Site VPN connects an entire Office to an entire Office. It doesn't require that each individual PC create a VPN connection.

Hardware versus Software VPNs
You can either use a hardware VPN server (like a SonicWall or Netgear VPN box) or a software VPN server (like Windows Server 2003 or SBS 2003, Standard or Premium Edition). There are advocates for both methods.

Personally, I use a lot of SBS 2003 servers (with or without ISA 2004), and I find that the built-in VPN server works fine. There's no need to maintain separate Windows and VPN accounts/passwords, since the VPN uses the same accounts as your Windows Server. Microsoft claims that an ISA 2004 Server can handle hundreds to thousands of simultaneous VPN connections, so, even if they are exaggerating, Microsoft's software VPN should be able to handle most small business offices just fine. Note that some hardware VPNs can also use LDAP to make use of your Windows accounts for authentication.

Alternative VPNs
There are some recent alternative VPN methods. A very recent one is Hamachi (http://hamachi.cc). Hamachi requires a special client to be installed on the Remote PC and at the Office. Once installed, Hamachi uses a 3rd-party public server to help create the secure link between the systems. Hamachi is quick and easy to configure.

Another interesting VPN method uses web browser technology. SonicWall's SSL-VPN (http://www.sonicwall.com/products/ssl-vpn200.html) uses the web browser on the remote PC to establish a secure connection to the SonicWall device. It still requires the use of ActiveX or Java on the client PC, as well as SSL, cookies, and JavaScript.

3) SBS Remote Web Workplace
Although it looks pretty much like Windows Remote Desktop, and uses the same technology, SBS Remote Web Workplace offers foolproof remote access to your entire Office. No configuration is needed on the Office PCs. You just select which PC you want to access, click the mouse, and log in.

4) Terminal Services
This is similar to Windows Remote Desktop. The main difference is that Terminal Services, as run on a Windows Terminal Server, is intended for normal users and Terminal Services can handle many users at once. Remote Desktop on XP is limited to a single user (except for Remote Assistance, which allows two simultaneous logons, but only one active keyboard/mouse).

A Terminal Server gives multiple virtual desktops on a single Server. You install Terminal Services on a Windows Server, create a Terminal Services Licensing Server, and install TS licenses for your users. As each user logs in, he/she gets a unique desktop and program settings. You install programs, such as MS Office and other applications, in a special way that allows multiple users to simultaneously use the programs.

Terminal Services is a good way to ensure that all users have identical desktops. But it has its own set of Server management challenges. Many antivirus applications, for instance, aren't really designed for Terminal Server use.

Notes About Remote Printing and Drive Sharing
Both Remote Desktop and Remote Web Workplace offer you the chance to print on your remote PC's printer. The only problem is: It usually doesn't work!

The solution is to install the DRIVERS for your remote printer on your Office PC. If Remote Desktop can't find IDENTICAL printer drivers on both the remote PC and the Office PC, it'll refuse to print remotely.

Drive Sharing between your remote PC and your Office PC is easier. Just click the appropriate checkbox when you open up your Remote Desktop or Remote Web Workplace connection. You'll get a warning about the potential hazards of drive sharing, which you can accept if you trust both PCs.

Notes about Terminal Server Remote Printing
Just like Remote Desktop, Terminal Server has known remote printing problems. Solving them is tougher, because you have more users and they may have a wide variety of remote printers installed on their remote PCs. You can't possibly install all those printer drivers on your Terminal Server. Besides, installing 3rd-party printer drivers on a Terminal Server is asking for an unstable Server.

If you only want to support common printers, like HP Laser and Inkjet printers, you can set up Terminal Server to translate printers to those common drivers. This can work if the remote printers recognize the HP drivers.

But if you have Samsung or other printers that don't recognize HP drivers, you should take a look at 3rd-party "Universal Printer Drivers". ScrewDrivers and UniPrint are two well-known drivers. Licensing is pricey (ScrewDrivers is about $1500 per server and Uniprint around $1000), but these special drivers can make remote printing a breeze.

If you aren't currently taking advantage of remote access, you should give it a whirl!

Monday, April 03, 2006

The "Right Way" to Install SBS 2003

Myron Johnson - RTA Information Technology

SBS is an excellent choice for the vast majority of small businesses. It gives the owner and the employees the tools they need to actually run a small business.

In my opinion, any company with less than fifty employees that is not using SBS 2003 as its main business server should think SERIOUSLY if it's being properly served by its IT staff. There. I said it.

SBS's features:
* Full remote access via computer, laptop, PDA or SmartPhone
* "Get your email and appointments anywhere" Exchange Server
* That wonderful, pre-configured SharePoint site
* Its automated backups and monitoring
make SBS 2003 a no-brainer. If your IT staff or your IT consultant haven't told you about SBS, then they aren't doing their job.

Although I call this the "Right Way" to install Microsoft Windows Small Business Server 2003, there are obviously other ways to do it. And not all of them are "Wrong". But unless you ALREADY have hands-on experience installing and maintaining SBS 2003, please consider these suggestions. This is how I, and many other Microsoft Small Business Specialists, install SBS. It works, and it's supported by Microsoft.

[Opinion Mode On] First, although SBS 2003 has wizards for setup and installation, there are some "gotchas" that can cause problems. If you aren't an IT professional who specializes in SBS, you should consider hiring an outside SBS Specialist for the initial setup. You'll save lots of time, money, and frustration by doing so. You'll minimize any disruption to your business. And a consultant will show you how to take full advantage of what you've purchased. There are dozens of hidden features that could be valuable to your office that you may miss, otherwise.

If you are intent on doing your own installation, a common recommendation is to do TWO (or more) SBS installs:
1) Do a practice install and make the mistakes that you will surely make. Add a client PC that you don't care about. Doing the Client PC join to the Domain is the hardest part of installing SBS.
2) Wipe the box and do a second, REAL install.

Frankly, having played computer games and having built a couple of home PCs is NOT enough experience to install and manage an Active Directory Domain Controller and Email Server. Yes, SBS 2003 IS simple to install. Yes, it has great Wizards. Yes, it is reliable and trouble-free. But if you start messing with it and don't know what you are doing, you can easily end up with a mess that somebody else is going to have to come in and fix for you.
[Opinion Mode Off]

The "Standard" SBS 2003 Setup:

1) Install the Server in a secured area. One of the points of a Server is to have security. Leaving your Server and your Company's data in an open area is not a good idea.

2) Use two NICs on the SBS Server. That way, SBS can serve as a Firewall for all the internal computers. Use a Static IP address on the "External (Internet)" NIC and hook it to your Router. Hook the second NIC to your switch. Hook the client computers to the switch.

3) Have the Router forward ports 25, 80, 443, 444, 3389, and 4125 to the SBS Server's IP address. These carry your email, web, secure email, remote access, and Remote Web Workplace traffic. Forward 1723 if you want to VPN into your network. Be sure to turn on Protocol 47 (GRE) forwarding if you are using the PPTP VPN protocol.

4) Be sure to name your Domain with a NON-INTERNET name, like the suggested "XXXX.LOCAL". Naming your domain with the same name as your Internet Domain Name will cause problems. I recommend using a ".LAN" extension, to avoid an issue with older Macintosh clients.

Also, keep your internal Domain name and server name SHORT AND SIMPLE! "AAA.LAN" works great as a Domain name, as does "Server1" for the server name. A simple, non-specific Domain name will avoid a very-expensive Domain name change if your business grows and changes names or merges with another business.

5) After running through the Setup and the "To Do" checklist, you should have a working server, with email, internal Sharepoint site, and full Remote Access.

6) Add User Accounts and Computer Accounts to the SBS Server.

7) Join all your (Windows XP Professional and 2000 computers only!) clients to the Domain using the "ConnectComputer" Wizard. Make sure you understand how to do this properly or you will lose users' profiles on their PCs and will have to search for their old data and desktop files. You want to migrate their profiles over to their new Domain Profile on their PC.

8) SBS will automatically install Outlook 2003 on each computer and automatically create new Domain Email profiles for each user. You'll have to migrate old emails from their old email program to their new Exchange mailbox (using .PST migration if they already use Outlook).

9) Set up desired Security Groups to easily set up who can access what on the Server.

10) Set up required shared folders (for secure sharing of files) on the Server and set the desired sharing and security permissions, using the Security Groups you've created.

11) Implement and TEST your backup system. Hard drives fail all the time and people make mistakes. SBS makes it REALLY EASY to have reliable, automated backups of your Server and all your Office's important data. Don't ignore this capability. And be sure to make offsite storage of backups part of your backup process.

I STRONGLY recommend that you host your own email. This requires a business-level Internet connection, which doesn't block the required Server ports. Continuing to use the common POP-3 email accounts that many people use is a constant source of complication to email flow. You'll need to register a Domain Name ($10 per year) and set the public DNS settings to point to your new Server.

Each user will now have his/her own mailbox on the Exchange Server, and can read that mailbox from virtually anywhere, using Outlook, OWA, SmartPhone, PDA, etc. This includes personal mailboxes and contacts, as well as shared contacts. To create a shared contact list, you can create it in a Public Folder in Exchange. After giving each User Account access to the Public Folder, they'll all be able to see and modify (if you allow it) the common office contact list.

You can also use Microsoft's Business Contact Manager (Version 2) to create shared contacts. BCM is a free add-in to Outlook 2003. Sending email, both inside and outside of the Office, to each person will be automatically handled by Exchange and Outlook.

There are a couple of books on how to configure SBS. Harry Brelsford's two SBS 2003 books are popular. Microsoft has one, too. There's also a three-day Microsoft course and certification on SBS installation and management.

Security-related recommendations:

1) Install SBS SP1. Install Exchange SP2 and configure the IMF (Spam Filter).

2) Allow SBS to update all XP Professional clients to SP2.

3) Use third-party IP-based Spam Server block lists for Exchange.

4) Insist (and enforce through SBS) LONG passphrases.

5) Insist that everyone use their own account/password for logons. Medical practices have HIPAA compliance to worry about. Financial groups have SOX.

6) Perform monthly patching of the Server and all clients.

7) Don't allow Windows 95, 98, or ME clients on your network. They are NOT secure.

8) Install both Server-based and client-based Antivirus products. Get an email-server-aware antivirus for the Server, that will catch viruses BEFORE they enter your email system.

9) Do monthly tests of your backup integrity. Do monthly security and patch scanning, using MBSA.

Monday, March 06, 2006

To SSID or Not to SSID - WiFi Security Recommendations

RTA Information Technology, Tempe, AZ

WiFi security is a big deal. It's a source of lots of confusion and service calls by consumers and businesses. And lack of WiFi security is probably the biggest security hole in your home or office network.

Let's start with the BAD NEWS:
If you don't have encryption turned on, ANYBODY within range can read everything sent across your Wireless network. That includes:
* UserNames, Account Numbers, and Passwords (unless the site you log into uses SSL or other encryption)
* Your WiFi-sent email
* What you are browsing on the Internet

Without encryption, it's definitely possible for your next-door neighbor (or a hacker sitting in his car down the block) to monitor your broadcasts. Or join your network and use your Internet connection for evil purposes. Or to attack your internal computers.

Have I convinced you to use Encryption yet?

Common Security Settings

There are three common security parameters available on WiFi networks: SSID broadcast, MAC address filtering, and Encryption.

SSID Broadcast: Your WiFi router or access point can broadcast a name (SSID) that identifies it. Some folks say you should turn this broadcast off.

MAC Address Filtering: Your router or access point can limit its clients to a specific list of MAC addresses. MAC addresses are 12-character codes (supposedly unique) that are assigned to networking devices. By filtering, you can, in theory, limit which devices can connect to your WiFi network.

Encryption: Common forms include WEP, WPA, and WPA2. Data is encrypted so that, even if intercepted, it can't be decoded.

My Suggested Settings:

1) Use an innocuous SSID name.
Don't use the Default SSID name. That'll tell a hacker what kind of router you have. Don't use your name or your Company's name. Use something innocuous, like "Red" or "Blue".

2) Leave SSID Broadcast ON.
Yes, this flies in the face of common security advice. But ANYBODY who wants to find your WiFi network can locate it with a WiFi detector. And can easily monitor it with NetStumbler, or other freely-available WiFi cracking software.

By turning off SSID Broadcast, you make your own life considerably more complicated. If you forget the SSID name, you'll have to access the router to re-discover the name. Or you'll have to reset the router and re-configure it from factory defaults. It's too much work for too little Security gain.

3) Use MAC filtering at your own risk.
I think it's too much trouble. Every time you bring a new WiFi device into your home or office, you'll have to add it to the allowed-MAC-address list. And a determined cracker will, again, find a way around the MAC filter, using a spoofed MAC address. Again, I think you're making a lot of complication for yourself, and not that much complication for a hacker.

The Big One:

4) Use (WPA) Encryption!
WPA encryption is tough to break, as long as you use a good, long, random passphrase. A hacker would have to REALLY want to break into your network to bother with breaking WPA. Encryption is the single, necessary key to WiFi security. Until a hacker breaks your encryption scheme, he's not going to join your network, he's not going to attack your computers, and he isn't going to read your transmissions.

Even WEP encryption (although definitely breakable with enough network traffic) is much better than no encryption at all. But WiFi equipment is pretty cheap. Get WPA-capable equipment. Your entire network has to use the same encryption method, so replace any old WiFi cards with recent, WPA-capable, cards.
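Suggestions 1 and 4 above are connected in a way the post does not spell out: WPA/WPA2-Personal derives its 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt (4096 rounds, 32 bytes). A passphrase that is long and random is what makes that derivation expensive to guess, and a non-default SSID means nobody can reuse a key table computed for a vendor's default name. This is an added example, not code from the original post; it checks the derivation against the IEEE 802.11i test vector ("IEEE"/"password"), generates a random passphrase with the OS CSPRNG, and estimates its entropy. The SSID strings "default-ssid" and "Blue" are constructed placeholders.

```python
"""WPA-PSK passphrase checks and key derivation (added example)."""
import hashlib
import math
import secrets
import string

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63           # limits 802.11i sets for PSK passphrases
ALPHABET = string.ascii_letters + string.digits  # 62 symbols used by random_passphrase()


def is_valid_passphrase(passphrase):
    """True if the passphrase is 8..63 printable-ASCII characters, as WPA-PSK requires."""
    return (PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX
            and all(32 <= ord(c) <= 126 for c in passphrase))


def wpa_psk(ssid, passphrase):
    """Derive the 256-bit PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random passphrase of 'length' symbols."""
    return length * math.log2(alphabet_size)


def random_passphrase(length=20):
    """Generate a random WPA passphrase using the OS CSPRNG (secrets module)."""
    if not PASSPHRASE_MIN <= length <= PASSPHRASE_MAX:
        raise ValueError("length must be between 8 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ssid_changes_psk(passphrase, default_ssid="default-ssid", custom_ssid="Blue"):
    """True when the same passphrase yields different PSKs under two SSIDs.

    This is why a key table precomputed for a vendor's default SSID is useless
    against a network that uses its own (innocuous) SSID, and why the SSID is
    worth changing even though it is not secret.
    """
    return wpa_psk(default_ssid, passphrase) != wpa_psk(custom_ssid, passphrase)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: SSID "IEEE", passphrase "password".
    print("test vector PSK:", wpa_psk("IEEE", "password").hex())
    print("same passphrase, different SSID gives different PSK:", ssid_changes_psk("password"))
    for n in (8, 12, 20):
        print(f"{n}-char random passphrase: {passphrase_entropy_bits(n):.1f} bits of entropy")
    print("suggested passphrase:", random_passphrase(20))
```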

Sunday, February 19, 2006

PART 2 - Dangerous Spyware - Why you shouldn't assume you got it all removed.

RTA Information Technology, Tempe, AZ

Two more examples of why attempting to remove malware isn't a great idea, and how you can re-install Windows XP, fully patched, in less than an hour of your personal time.

I provide online help on a popular Internet technology forum. It's fun to help people in need, and I learn a lot in the process.

I recently participated in two malware-related problems that point out some flaws in the "Just Remove the Spyware" philosophy.

Problem One:

A homeowner has a network with six computers. He runs AVG Antivirus and Microsoft Antispyware on all of them. He noted that, two weeks earlier, AVG had caught and cleaned a virus.

Shortly after, Comcast turned off his Port 25 (outbound SMTP, i.e. direct email) traffic, saying that his home was the source of SPAM. At Comcast's request, he downloaded and ran McAfee's free suite that included McAfee Antivirus, Privacy, My Security Service, and Personal Firewall. All of the PCs checked out fine, with no infections. He asked Comcast to re-open his Port 25 access. Comcast complied, and then shut him down again two days later.

Concerned, he examined the McAfee Personal Firewall on all his PCs. On his daughter's computer, he found 800 inbound access attempts, while the other PCs were showing none. Looking deeper, he discovered there was a Windows NT Logon process running with 25 IP connections attached to it. The IP addresses were from all over the globe: India, China, Russia, etc. Running McAfee's Personal Firewall for three days, he found that her PC had sent 2.7GB of outbound traffic!

He was aghast that all of these tools hadn't caught the perpetrator. So he looked for more tools. He installed F-Secure's BlackLight (a rootkit detector). It found nothing. Then he installed Kaspersky AntiVirus. It found the following programs, which both McAfee and AVG had missed:

Trojan.WIN32.CRYPT.O
Exploit.HTML.MHT

He still hasn't figured out how to get rid of these. They're resisting the combined efforts of all his malware-removal software.

Effort Expended:
THREE Antivirus programs downloaded, installed, and scanned.
TWO Antispyware programs downloaded, installed, and scanned.
ONE Rootkit detection program downloaded, installed, and scanned.
Phone calls to ISP about the problem.

End Result:
Problem still exists.


Problem Two:

A college student has a severe adware popup problem on his laptop. It makes using the computer a pain. He reports that he goes to school all day, and then works for a legal firm in the evenings. He has almost no free time to spend on fixing his computer. He already had FOUR antivirus programs and three spyware-removal programs installed.

He reported that he only uses the laptop for notes and email.

I advised him to backup his notes and email and re-install Windows XP. If he takes his laptop to his law firm, or if he logs onto the company's email server or onto their VPN, he risks contaminating the entire company or divulging his passwords through a keyboard logging trojan.

His response was that he didn't have four hours to waste reinstalling Windows. But he continued to spend time posting on the help board, asking others to help him remove his malware. Other posters continued to give him the standard malware-removal advice. These included:
a) Run more Spyware Scans.
b) Run a rootkit detector.
c) Run HijackThis and post the results in a spyware-removal forum.

My Advice:

Instead of spending time becoming a malware removal expert, spend the time on making a (necessary) backup and learning how to use your computer safely.

The most effective course of action (and least-time-consuming over the long run):
1) Back up your important data. You SHOULD have backups anyway. Hard drives fail ALL THE TIME.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application. I recommend MS Antispyware, since it's free and works fairly well. Keep your AV and A-Spyware definitions current.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT. Do NOT use your computer with an account that has Administrator rights. It's asking for trouble.
6) Learn the rules of safe web surfing so you won't have any more problems.


The student's response was that he didn't have time for all this, and could someone please show him how to fix his problem.

My Response:

1) Bedtime: Go to Microsoft.com/downloads and download XP SP2 patch. Go to bed. Time: 5 minutes.
2) Morning: Burn the XP SP2 patch to a CD, or copy it to a USB hard drive. Go to school. Time: 5 minutes.
3) Bedtime: Run the Files and Settings Transfer (FAST) Wizard in XP and tell it to back up all your files and settings to another PC or to a USB hard drive. Go to bed. Time: 5 minutes.
4) Next morning: Insert the XP Install CD and tell XP to re-install. Go to school. Time: 30 minutes.
5) Evening: Arrive home and XP is installed. Doubleclick on the XP SP2 patch to install SP2. You can use the PC in the meantime if you want. Time: 5 minutes.
Run FAST Wizard in XP and tell XP to put all your files and settings back on your new system. Time: 5 minutes.
Total time invested: Less than an hour, plus any re-installs of applications you need to re-install. Plus, you end up with a recent backup of your important files.
Total computer downtime: Less than an hour.


Of course, he isn't going to take my advice.

Effort Expended:
THREE Antivirus programs downloaded, installed, and scanned.
FIVE Antispyware programs downloaded, installed, and scanned.
Multiple posts on a help forum.

End Result:
Problem still exists.

Update From PC Owner:
.....At ~6:30 pm, my laptop started acting really funny, and when I checked, all of its memory resources were being used by some unknown program....I went home, woke laptop up (to backup notes), and when I logged into my account everything went nuts.... Sounds came out of my speaker like none I have ever heard before, the cpu cycled wildly from 0 load to 100% load, hard drive spun like nuts...I powered off the laptop and rebooted in safe mode. Everything looks ok, until I try to run any program or open any of my files. As far as I can tell, every one of my non system files is now corrupted and unreadable.....

Just in case anybody cares to take my advice, let me repeat it:

1) Back up your important data.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT.
6) Learn the rules of safe web surfing so you won't have any more problems.

Seek and Ye Shall Find - Getting Found on the Internet

RTA Information Technology, Tempe, Arizona

My clients, small business owners, are constantly battling to be discovered by potential customers. One way to be found is by having a public web site. But just having a web site isn't enough. Customers have to be able to FIND your web site.

Go to MSN Search or Google Search and type my name: "Myron Johnson"
In the MSN Search, half of the first page will be links to my web pages. I'm not nearly as popular on Google, but you'll still find me.

On the other hand, I've seen clients with web sites that couldn't be found even if you know the name of the company!

What's the difference?
Web site Search Engine Optimization.

How do you get found on search engines?
There are three steps:
1) Get indexed by search engines
2) Have relevant content on your web pages, including Titles and Descriptions that are appropriate to each web page
3) Get the search engines to rank your site above all others

Get Indexed by Search Engines
First, you must be found by the search engine. All the search engines are constantly probing the Internet, looking for web sites and changes in sites. The sites are indexed by key words that are stored in huge databases. Besides the content of the sites, things like the Titles and Descriptions of the web pages are indexed.

Have Relevant Content on Your Web Pages
The search engine compares the search term entered, calculates how well each web site matches the search term, and then lists the matches. Sites are ranked by how well they match the search term, but in case of a tie, the site with the highest importance wins.

Convince Search Engines That Your Site is "Important"
To place high in search rankings, search engines must consider your site to be important. Google periodically ranks the importance of web sites. All sites are ranked on a scale from 0 to 10, with 10 being the most important. Google's ranking system is a bit fuzzy, and changes periodically, but it's generally agreed that the number of links to your site, especially from "important" sites on the Internet, will greatly affect your site's own importance rating.


What does this mean to you, the web site designer?

Well, you obviously have to get your site listed on the major search engines. There are free submission forms on many sites, including Google's. If you can get in one search engine, other engines will usually find you eventually. The discovery process can take a month or two. The number-one search engine is Google. More people use it than any other engine. Yahoo is next. MSN Search is next. AOL probably follows MSN. If you want many people to find your web site, you want to be listed on the most popular search engines.

But you also have to have relevant content on your web pages. Think about what a searcher would use as a search term. Make sure that the most likely search terms are included on at least one web page on your site. Be sure that the Title and Description of your web pages also includes the most important search terms.

Other rules about web pages:

Search engines like to see unique content. Zillions of links to other sites isn't unique content. Neither is a list of repeated search words. Most web designers believe that the best policy is to write significant, original content for your site.
Make your pages fairly long. You should have several hundred words on each page.
Include your most important key words as Headers and near the top of the page.

If you follow these rules, you should be able to significantly improve your search ranking in MSN Search. Look at how well "Myron Johnson" does in MSN Search.

Google is tougher. First, Google hasn't even updated its page rankings in five months. If you create a site today, it could take five more months to get a non-zero page rank. Unless your site has very unique content, it'll be hard to show up anywhere near the top in search rankings. Expect more like the tenth page of listings until you get a non-zero Page Rank.

How do you know your Google Page Rank?
Download the Google Tool Bar, http://toolbar.google.com , and set it so you can see the PageRank of each page you browse.

Some other key information about Google Page Rank:
http://www.pagerankprediction.com displays the current Page Rank of your web page, plus a prediction of its rank after the next Google PageRank update.
http://www.mcdar.net/Q-Check/datatool.asp displays the rank of your web page when a specified search term is submitted. Google, it turns out, has multiple datacenters. You may find that some datacenters will rank your page higher than others. For a certain search term, my home page ranks between 7th and 200th in the listings!

I've left the subject of "backlinks" to last. This is the art of getting other important sites to link to yours. You can PAY for links, but Google frowns on it and if the paid links come from a "link farm", you may find they don't help your PageRank. The overall best way to get incoming links is to create unique and worthwhile content on your web site. Then let other people and web site owners know about your site. You can also create a blog, which may find readers interested in your content.

Saturday, January 28, 2006

My RAID Rules

RTA Information Technology, Tempe, AZ

RAID arrays (Redundant Array of Inexpensive Drives) are being used by more home PC users than ever. Many want to speed their hard drive performance. This means RAID 0 (striping). Others want to keep their data safe using mirrored drives (RAID 1). No matter which you choose, consider my four RAID rules.

MY RAID RULES:

1) RAID, no matter WHAT kind of RAID array, is NOT a substitute for backups. If you don't want to lose your data, make a BACKUP. Preferably on tape or removable hard drive, where it can be kept safe and away from your computer. Even mirrored RAID drives don't protect against user error, accidental overwrites, accidental deletion, malicious deletion, drive controller failure, worms, viruses, trojans, fire, theft, or flood.

2) RAID arrays of all types are subject to hardware and user mistakes that can cause data loss. RAID arrays ARE COMPLEX and things can go wrong. See 1), above.

3) RAID 1 (mirroring) is easy to use and is the SAFEST RAID array. It's the least storage-efficient array, but has some big ease-of-use advantages. One advantage is you can pull one of the drives and have an instant full backup of your drive. But, see 1) above. People have lost ALL their data on a RAID 1, mirrored, array.

4) RAID 0 (striping) is MUCH more likely to lose data than any other RAID array. Let me put it bluntly:
A RAID 0 array is a disaster waiting to happen.
As long as you realize this and keep ongoing backups, then use RAID 0 if it suits you. See 1), above.

-----------------------------------------------------------------------
Summary Rule:
If you care about your data, have a backup plan. RAID 0, RAID 1, RAID 5, or no RAID at all, it makes no difference.

Thursday, January 26, 2006

Stop BadWare! New International Group to Fight Spyware.

RTA Information Technology, Tempe, Arizona

The new Stop Badware Coalition, http://stopbadware.org , is a group of companies dedicated to exposing the damage that spyware and adware distributors cause our economy and the IT industry. Harvard Law's Berkman Center for Internet and Society, Oxford's Internet Institute, and Consumer Reports' WebWatch Project sponsor the group, along with Google, Sun, and Lenovo.

The group's web site opened for business on Wednesday, January 25, 2006. It already has forms for submitting user and technical reports of malware attacks. Such infestations reportedly cost home computer owners billions of dollars each year.

As an IT consultant, I see the effects of these attacks constantly. As the malware has become more clever, I see even experienced users hit. The recent WMF exploit for Windows XP and the Sony DRM Rootkit showed that uninvited software can invade a wide audience.

I'm dismayed by the destruction that malware causes. I estimate that roughly half of home PCs have a spyware or adware infection of some sort. Pick up a newspaper and you'll read of disgusted computer users giving up and buying new computers to fix PCs ground to a near-halt by spyware. But, alas, a month later, that shiny new PC is infected, too.....

Malware is becoming an albatross around Microsoft's neck. I see more Linux promoters than ever, correctly pointing out that Linux has had few malware attacks. This isn't because Linux is bug free or necessarily more secure. In fact, until recently, it was pretty easy to leave security holes in a default Linux installation. But Windows is such a big target, it's tempting for everyone to try to hit it first. Microsoft's Internet Explorer browser and Outlook email client have been other victims of their own popularity.

I haven't yet explored Vista's claim of enhanced security. I have my fingers crossed. And Microsoft's direct involvement in the Anti-Spyware and Anti-Virus market are, I think, signs of Microsoft's concern for the damage being done to its reputation by the ongoing deluge of malware.

StopBadware.org intends to publicize the existence of, the creators of, and the people who profit from malware. By doing so, StopBadware will, no doubt, be the target of numerous lawsuits.

Hang tight, guys. We're all behind you.

Saturday, January 21, 2006

Getting Through Life on a Limited User Account

RTA Information Technology, Tempe, Arizona

The day after the Windows WMF exploit hit, I decided to live my life on a Limited User Account. Although this wouldn't have prevented a WMF hit on my personal PC, it would have minimized the damage. I've seen the effect of a trojan hit on a user with Local Administrator rights on his PC, and the results aren't pretty. I always recommend giving limited rights to my clients. But I thought I should live with those same, limited, rights.

In the world of Windows XP, 2000, and 2003, there are two sets of accounts that we deal with. The first are Local Accounts. Local Accounts are created inside the local PC's Windows installation. A Local Account only applies to that PC and the Account has no visibility on other PCs or on the business' Domain.

The second set of accounts are the Domain Accounts. These are created and stored on the Domain Controllers (such as Small Business Server 2003). A Domain Account's properties are valid on any PC in the Domain. Even if a PC is taken off the network, it will still remember the last version of properties that a Domain Account possesses (credential caching).

When you log onto a PC on a workgroup, the only option is to log into a Local Account. But when you log onto a PC on a Domain, you have the choice of logging in as either a Local Account or a Domain Account.

Within the local computer, you can also set Domain accounts to have Local rights. You can make a Domain Administrator, for instance, have the rights of a Local Administrator. It's common for a Domain user with low rights (a Domain User) to have Local Administrator rights on the PC. That combination allows the user to install programs and perform other administrative actions on the local PC, but limits his rights on the rest of the network. But Local Administrator rights really hurt when a trojan or virus strikes.

Many common actions on a local PC require Local Administrator rights. You need Local Administrator rights to install or remove many programs. You need those rights to change networking properties. You need Local Administrator rights to delete many files on a PC. These same privileges also give a trojan or virus free rein over your PC if you accidentally run it.

The lowest (and best, from a safety standpoint) set of User rights is:
Local User = User
Domain User = User

As an IT consultant, working as a "User" is an especially tough decision. I frequently view and change the networking properties of my PC. I provide help to clients and I need to view the settings control panels. It's impossible to remember every single detail of every control panel. Most "normal" users don't need to change these items all day long, like I do.

And I install programs on my PC. No, I don't add a lot of junk to my PCs. I stopped doing that many years ago. If I feel the need to install something, I'll do it on another PC if possible. Or I'll do it in a Virtual PC window, isolating it from my personal PC. But I still need to install and remove programs on occasion.

Right now, I'm evaluating Microsoft's Business Contact Manager (Version 2). And I'm having problems. For the life of me, I can't get it to run properly without having Local Administrator rights on my PC. The MSDE database won't allow me access to create a new Contact. I'm waiting for a Microsoft BCM expert to get back to me on that one.

But I'm deciding that even an IT Pro CAN live as a Limited User. With some tricks. I'll list some below.

My best friend is the "Run as....." command. This option is available with a right-mouse-click on many programs. You can use it from the Start menu. You can even use it to open a Command Prompt (DOS) window.

When you select "Run as....", you are given the option to execute a program using user credentials different than those you selected at Log On. You can choose to be a Local or Domain Administrator, if you know the account name and the password. Or, you can select lower rights than you normally have.

The same idea has been a Unix and Linux staple for years: su and sudo give an administrator temporary "root" rights for a single command, while he works normally with lower rights the rest of the time. This option has been available to Windows users for years, but has been pretty much ignored.

Sometimes, though, the "Run as...." command doesn't work as expected. A program install may appear to finish, but may not work as expected. You just have to try it to see what happens.

How do you examine and set User rights?
Well, first, you guessed it.....you have to be an Administrator!
Locally, log in as Local Administrator and set the Local rights of the various accounts.

Local Accounts are best managed in the "User Accounts" control panel of your PC.
You'll have to give Local Administrator credentials when you open this control panel.



If you examine the properties of a user, you can choose which Security Groups the user is a member of. The most commonly chosen options are "Users", "Power Users", and "Administrators".



You can view and change the rights of various Local and Domain accounts. You can, for instance, give a Domain Administrator only limited rights on your PC. Remember, we are setting the LOCAL rights of both Local and Domain Accounts. You can only log onto a PC with either a Local Account or a Domain Account, not both. Your rights on the Domain will be set on the Domain Controller. You rights ON THE LOCAL PC will be set by the Local PC, using this control panel.

Note that the "Standard user" choice in this control panel is the "Power Users" group, giving access to many system settings and allowing installation of programs that don't affect Windows System files. Be aware that Power Users is not a safe middle ground: members can change enough of the system that malware running as a Power User can usually make itself an Administrator. For a limited account, choose "Users".

Double check your work. It's easy to let an account end up with Local Administrator rights when you thought you'd turned them off. A quick check is to go into the local "Add or Remove Programs" control panel. If you are a Local Administrator, you'll have the right to "Remove" all of the installed programs. A Local User won't have "Remove" rights for many programs.

Sunday, January 15, 2006

Easy but SECURE Passwords - Think "Pass Phrases"!


RTA Information Technology, Tempe, Arizona

Don't you hate remembering passwords? I do!

Most people:
1) Write them down near their computer.
2) Make up an easy password. It usually consists of a word from the dictionary, followed by some numbers. Often, the password includes the name of family or pets.
3) When forced to change a password, they increment the number at the end of the password.

If this sounds like you, you're normal! And you are a prime candidate for having your password stolen!

Don't keep your password near your computer. Also, so-called "Dictionary Attacks" can break that kind of password in minutes! A Dictionary Attack runs through an entire word list, trying each word with numbers added to the beginning and end. It will quickly find the right combination, and you've been hacked!

What's the solution? Pass phrases!

What's a pass phrase? It's a LONG bunch of words, numbers, or characters that's easy for you to remember, but hard to crack. Just the fact that it's LONG means it'll take a LOT of guesses to get your password. Even if you use all English words, think of how many combinations there are. Combine six words together, add a few special characters (^%$[+), and you've made it a near-impossible task for a password cracker.

Consider the following three passwords:
1) "Paula11"
2) "Az7%lV8"
3) "Consider buying a GREAT business server."

"Paula11" is what most people use, given a choice. It's easy to remember. It's easy to type. Paula is your daughter or wife.

It's seven characters long. It'll take a Dictionary Attack a few minutes to break. If I look up information about you, I can probably GUESS your password. If you are required to change your password periodically, it may be "Paula99" by now. I can guess that one, too.

2) "Az7%lV8" is what's commonly suggested by the "security-aware" computer system. It's nearly impossible to remember. It's difficult to type. This might be a password assigned randomly by a computer. For sure, nobody would EVER voluntarily pick it.

It's also seven characters long. It'd take a Brute Force attack (every possible combination of letters, numbers, and symbols) a few hours to break. It's hard to remember, hard to type, and easy to break.

3) "Consider buying a GREAT business server."
This is a pass phrase. It's easy to remember. It's easy to type. It means something to me.

It's FORTY CHARACTERS long. It would take the world's fastest computer YEARS to do a successful Brute Force Attack, and nobody will ever guess it manually. An even better pass phrase would be "Consider buying a xxxxx business server." That's even tougher to crack, and no harder to type or remember.

Get the idea?
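To make the comparison concrete, here is an added example (code written for this page, not part of the original post) that scores the three passwords above under the two attacks described: a dictionary attack on word-plus-digits passwords, and a brute-force search over every character class the password uses. The same arithmetic applies to the WPA passphrase recommended in the WiFi post above, since a recorded WPA handshake can be attacked offline in exactly this way. The guess rate, the assumed wordlist size, and the tiny embedded wordlist are assumptions made for the example, not figures from the post.

```python
import math
import re
import string

# Attacker model (assumption made for this example, not a figure from the post):
# one machine making 10 million guesses per second against a captured hash.
GUESSES_PER_SECOND = 10_000_000

# Character classes. An attacker who sees one member of a class in use has to
# include the whole class in the search space.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "space": " ",
    "symbol": string.punctuation,
}

# Constructed stand-in for a real cracking wordlist (a real one has ~10^5 entries).
WORDS = {"paula", "password", "consider", "business", "server", "great"}
WORDLIST_SIZE = 100_000          # assumed size of the attacker's real dictionary
MAX_SUFFIX_DIGITS = 3            # attacker appends '', 0..9, 00..99, 000..999


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Search space in bits when every string of this length over the covering
    alphabet must be tried (the Brute Force attack in the post)."""
    return len(password) * math.log2(alphabet_size(password))


def brute_force_seconds(password: str) -> float:
    """Expected time to find the password by brute force: half the space, on average."""
    return 2 ** (brute_force_bits(password) - 1) / GUESSES_PER_SECOND


def dictionary_candidates() -> int:
    """Number of guesses in a word + digit-suffix dictionary attack: each word,
    lower-case or Capitalized, with 0..MAX_SUFFIX_DIGITS digits appended."""
    suffixes = sum(10 ** n for n in range(MAX_SUFFIX_DIGITS + 1))
    return WORDLIST_SIZE * 2 * suffixes


def is_dictionary_pattern(password: str) -> bool:
    """True if the password is a dictionary word with at most a few digits appended,
    i.e. something the Dictionary Attack in the post finds in minutes."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,%d})" % MAX_SUFFIX_DIGITS, password)
    return bool(m) and m.group(1).lower() in WORDS


def assess(password: str) -> dict:
    """Summarise how the post's two attacks fare against a given password."""
    if is_dictionary_pattern(password):
        seconds = dictionary_candidates() / 2 / GUESSES_PER_SECOND
        attack = "dictionary"
    else:
        seconds = brute_force_seconds(password)
        attack = "brute force"
    return {
        "password": password,
        "length": len(password),
        "bits": round(brute_force_bits(password), 1),
        "attack": attack,
        "years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for pw in ("Paula11", "Az7%lV8", "Consider buying a GREAT business server."):
        r = assess(pw)
        print(f"{r['password']!r}: {r['length']} chars, {r['bits']} bits, "
              f"{r['attack']} attack ~ {r['years']:.3g} years")
```

Run it and the output shows why length wins: "Paula11" falls to the dictionary attack in seconds, the random seven-character string lasts weeks at this guess rate, and the forty-character phrase is out of reach at any guess rate. A real wordlist is far bigger than the six words embedded here, so treat any word-plus-digits password as already found.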

My rules for secure passwords:
1) It's OK to write down passwords. Just keep them someplace safe and not on your desk!
2) Use more than one password. If a single password somehow gets exposed, you don't want the thief to have access to ALL your accounts. Pick two or three GOOD passphrases and use them on different accounts. Write them down some place safe if you don't use them frequently.
3) Use long, complex, pass phrases. The longer the better. Windows Server 2003, Small Business Server 2003, Windows XP and 2000 allow VERY long passwords, and they allow special keyboard characters. Make your passphrases long and add spaces and a special character or two.
Your pass phrase doesn't have to be hard to type. Make it easy on yourself. Just throw in a couple of extra, easy-to-type characters. Toss in an extra "space" or two. Or four. It doesn't have to be fancy. Just long.
4) I don't recommend enforcing too-frequent password changes, since most people simply modify their existing password. Instead, go for a GOOD passphrase and keep it secret! There's no reason to have to change your password every month. Pick a strong password and change it yearly. Have a "Password Day" annually, when you change your passwords.

5) If you accidentally gave your password to somebody, change it wherever you've used it.

Passwords are the only barrier between thieves and your money and your data. Don't skimp on their length. Good passwords don't have to be hard to remember. They just have to be long.

Sunday, January 08, 2006

Obtaining Replacement Microsoft OEM Media

RTA Information Technology, Tempe, Arizona

If you've lost or damaged Microsoft OEM installation media, a Microsoft Partner (System Builder) can request a replacement at:
http://oem.microsoft.com/script/mr/MediaReplacement.aspx

The System Builder needs to furnish the COA Serial Number, or,
* "A copy of the original invoice, with software clearly identified"
* "A Copy of your dated sales receipt"

I haven't used this service, but I ASSUME this only applies to OEM software that the Microsoft Partner originally provided to the end user. I'd be surprised if the Partner could order replacements for Dell OEM software, for example.

The Microsoft Customer Service number for all this is:
866-230-0560 (North America).

Thursday, January 05, 2006

Microsoft Releases Windows Update for WMF Exploit

RTA Information Technology - Tempe, Arizona

Microsoft has released its official patch for the WMF Exploit at 2:00pm PST, Thursday, January 5. Employing 200 Microsoft employees to develop and test this patch, Microsoft has released it five days earlier than planned.

RTA recommends that all XP, 2000, and 2003 computers be updated with this patch, available through http://update.microsoft.com, or through your normal automatic updates.

Thursday, December 29, 2005

A REALLY SCARY Attack on Windows - New WMF Exploit Infects Fully Patched Windows XP Users Who Browse Contaminated Web Sites - And a Temporary Fix

RTA Information Technology, Tempe, Arizona

A brand-new, very dangerous, infection has been seen. You can catch this one by simply surfing to a contaminated web site or even viewing a photograph contained in an email. NO other action is required.

I've witnessed a video of a user browsing a "safe" web site and being attacked by a BANNER AD that's coming from an infected site. The malware instantly installs itself, adding numerous desktop links, affecting the screensaver, and lots of other nasties. It makes a MESS!

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

This will infect FULLY PATCHED XP, SP2 computers running Internet Explorer, running antivirus and antispyware software! It can also infect computers running other web browsers under some circumstances.

As always, damage could be limited if the user isn't an Administrator on his PC (either a Local or Domain Administrator). However, about 90% of users still have Administrator rights on their PCs, so this infection proceeds with full Administrator or System rights.

A temporary fix has been published:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL (include the spaces). A reboot is recommended. (It works post reboot as well. It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.
This disables your ability to view images using the Windows picture and fax viewer. You won't be able to preview images in Explorer, either.

Once the exploit is patched, you can simply type "REGSVR32 SHIMGVW.DLL" to bring back the functionality.

Tuesday, December 20, 2005

A Free Way to Protect Your Family and Your Business Computers

RTA Information Technology, Tempe, Arizona

Microsoft's Shared Computer Toolkit for Windows XP is a free and little-known way to protect your family's or your business' computers from damage and unauthorized use.

Don't want your kids or your employees to browse the Internet? The Toolkit can restrict users, on a per-person basis, from accessing Internet Explorer, Firefox, or other browsers.

With the free User Restrictions tool, you can:
* Restrict access to Windows system utilities
* Prohibit access to important data
* Prevent users from running unauthorized software
* Simplify the start menu

Want to stop your kids or employees from making changes to menus or the desktop, from installing programs, or allowing malware to modify critical system files?

With the free Disk Protection tool, you can:
* Protect operating system files
* Clear changes when the computer restarts
* Automate critical and antivirus updates
* Choose to save changes to disk

These tools take advantage of the little-known local Security Policies available on Windows XP (both Home and Professional versions). Companies that use a Windows Server can create Group Policies to do the same thing. But home users or companies that don't have a Server can easily take advantage of the local Security Policies with these tools.

Give these free tools a try. But do it NOW, BEFORE damage is done to your home or business computers. As I've noted in previous Blog commentaries, a malware invasion on a PC can cause dangerous leaks of private information and can render the PC useless.

Monday, December 12, 2005

PART 1 - Dangerous Spyware - Why you shouldn't assume you got it all removed.

RTA Information Technology, Tempe, Arizona

This is why I recommend that most people simply re-format their PC when contaminated by most spyware. Note that all the software and settings listed below happened after two mouse clicks!

This morning, I examined a client's XP Professional PC. He'd accidentally clicked on and installed some spyware last Friday. He was on a Domain and had Power User credentials (big mistake). The same would happen to a non-Domain user who was logged in with Administrator rights (like 99.9% of home users).

Along with the spyware, he got the following:

His DNS settings were reset to a DNS server in Eastern Europe (see the WHOIS results below).*
Back Orifice was installed.
Several Trojans that grab passwords were installed.
A fake antispyware application (UnSpyPC) was installed.
A Trojan that installs NEW spyware was installed.
Symantec Antivirus was disabled by a setting in the Registry.
Multiple spyware and trojan programs were installed as "Run at boot" programs in the Registry.

Routine scans caught the following:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher))
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

What a mess. Yuck.
We're copying data files to another PC and re-formatting.

==WHOIS results for 85.255.114.50 (the new DNS server)
==Generated by www.DNSstuff.com
==Location: Belarus
==Inhoster hosting company
==OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

----------------------------------------------------------------------------
*Pay close attention to the resetting of the DNS services. This is REALLY nasty. It works this way:

The client types "www.wellsfargo.com" or "www.bankofamerica.com" into his browser (IE or whatever).
Instead of going to the Qwest DNS server, his computer goes to the Russian DNS server to resolve the location of "www.wellsfargo.com" or "www.bankofamerica.com".
The Russian DNS server sends the browser to a FAKE Russian site: a fake bank web site comes up in the browser (ANY browser) and offers to serve him, stealing his account information in the process.
There's NO way to know that you aren't at the 'real' site. You MANUALLY typed "www.wellsfargo.com" into the browser, so you figure you are safe.

Would most people catch the DNS reassignment? The only reason I noticed it was that I couldn't access an INTERNAL company web site (http://Companyweb, hosted by the company's SBS 2003 server). The PC was able to resolve other PCs on the network (via NetBIOS) and the Russian DNS server pointed to external web sites just fine. But you'd NEVER know it when that Russian DNS server decided to send your next web request to a fake site.
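As an added illustration (not from the original post), here is a Python check for the symptom described above: it parses `ipconfig /all` output for each adapter's DNS servers and flags any resolver that is not on an approved list. The sample output and the internal server address 192.168.16.2 are constructed; 85.255.114.50 is the address quoted in the WHOIS results.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from an XP client on an
# SBS 2003 domain. 192.168.16.x addresses are made up; 85.255.114.50 is
# the rogue resolver named in the post.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION01
        Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        IP Address. . . . . . . . . . . . : 192.168.16.25
        Default Gateway . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 85.255.114.50
                                            192.168.16.2
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*: *(\S+)\s*$")
# Extra resolvers are listed on heavily indented lines holding only an address.
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_dns_servers(text):
    """Return {adapter_name: [resolver, ...]} from `ipconfig /all` output."""
    servers = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter:
            servers.setdefault(adapter, []).append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if in_dns and m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False
    return servers


def rogue_resolvers(servers, approved):
    """Return (adapter, address) pairs whose resolver is not an approved one."""
    approved = {ipaddress.ip_address(a) for a in approved}
    return [(adapter, addr) for adapter, addrs in servers.items()
            for addr in addrs if ipaddress.ip_address(addr) not in approved]
```

On a domain-joined PC the approved list should contain only the internal DNS server (here the SBS box), since any outside resolver both bypasses internal names like Companyweb and can be redirected at will.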

Saturday, December 10, 2005

The Computer Backup Dilemma

RTA Information Technology, Tempe, Arizona

"What's a mother to do?"

That was the question raised by a decades-old television commercial, lamenting the dilemma of getting children to do what they should do to keep healthy and happy. Which leads us to computer backups.

Hard drives fail all the time. The mean-time-between-failure for recent hard drives is about eleven years. More or less. Practically speaking, the odds of a hard drive failing are about one-in-ten each year you use it.

What happens when your hard drive fails? At a minimum, it means getting the drive replaced and re-installing all your software. If you have any important data (like irreplaceable pictures of your departed grandmother or your family's financial information), then, hopefully, you have backups.

At worst, you lose everything. Do you have important data? Do you have backups of that data? Have you ever tested those backups to make sure they are good?

How much is your data worth to you? Hundreds of thousands of U.S. computer owners have to ask themselves that question every year. Their hard drives have failed or their operating system has failed and they have to decide how much they are willing to pay to recover their data.

Yes, data can often be recovered. The cost and difficulty depend on what failed. Recovering data, at a minimum, will involve removing the hard drive, installing it into another computer, and copying the data. That takes hours. Frequently, the problem is more serious than that. The drive's electronics have failed. The drive must be taken apart and repaired before data can be recovered. Even worse is when the drive's internal platter or head is damaged. Data recovery will cost thousands of dollars in that case.

Two Kinds of Backups

Want to save money and avoid the pain and sorrow of data loss? Make backups.

In general, you can make two types of backups: system and data. Frequent data backups are a must. The frequency depends on how often you change your data and how easy it is to re-create it. In other words, the frequency depends on how valuable the data is to you.

System backups allow you to easily recover your operating system, your applications, your settings, and your passwords. For many computer owners, system backups may take up more space than data backups, but need not be done very often. For many of us, a yearly system backup, which makes it easy to recover our basic PC and the applications we use most often, is adequate.

How to Backup

There are a multitude of ways to back up critical data. Copy data across a network to another PC. Copy the data to a CD-R or a DVD-R. Copy it to an external USB hard drive. Or put a memory card into your PC and copy your files to that. The best way for you depends on how much data you have to back up.

Monday, December 05, 2005

OpenOffice 2.0

RTA Information Technology, Tempe, Arizona

I'm trying out OpenOffice 2.0.

I'm running it inside of Virtual PC 2004, to avoid any conflicts with my main PC. OpenOffice, for those not into such things, is open source software. It's FREE!

OO 2.0 includes equivalents to Microsoft's Access, Excel, Word, PowerPoint, along with a drawing program and a mathematics program. It will open most Microsoft documents. Even Access 2003 tables. It will also do a "Save As...." into most Microsoft file formats (but NOT Access). The native format for saves is XML, which Microsoft is moving towards with MS Office 12, to be released in late 2006.
I just opened a pre-existing PowerPoint 2003 presentation. It opened fine in "Impress", OO 2.0's presentation software. Impress looks a LOT like MS PowerPoint 2003! I was able to do a slideshow without a problem. I was also able to modify the document, save it in MS PowerPoint format, and re-open it on my main PC, using Microsoft's PowerPoint 2003.

Impressive, so far!

Vista Beta Preview

RTA Information Technology, Tempe, Arizona

I saw a first-person demo of Vista the other day.

One of the obvious gotchas is that the high-end graphics version of Vista will require a 256MB graphics card. There aren't that many 256MB cards around. You can't even BUY 256MB versions of some fairly recent, higher-end cards, like the popular Nvidia 6600GT.

The scaling graphics in the folder views is cool. But they've been doing that in Linux shells for years. DESQview-X, ca. 1993, had scaled graphics in windows.

It's too bad that MS didn't get the new WinFS file system ready in time. Some are speculating that WinFS for Vista will be released in the first Service Pack. Whenever that will be.

It's unclear (even to Microsoft, apparently) exactly how many versions of Vista will exist. There will be at least two home versions, a business version, a multi-media version, and who knows what other versions. Not to mention both 32-bit and 64-bit versions. Plus the new Longhorn Server.

I DO have a Beta copy of Vista (I'm not sure which version it is), but I haven't gotten around to installing it anywhere. I may put it in Virtual PC 2004, but I understand there are some work-arounds necessary to do that successfully.

Saturday, December 03, 2005

Sony DRM Installs Root Kit with Spyware-like Properties

RTA Information Technology, Tempe, Arizona

Sony continues to make headlines with its Digital Rights Management (DRM) software. The most worrisome (to consumers) version is contained on 52 Sony copy-protected music CDs. First exposed on Mark Russinovich's blog, the software installs a root kit on Windows PCs without warning, tells Sony every time a copy-protected song is played, and can easily act as camouflage for viruses or other malware.

Sony has now recalled all CDs protected by this "XCP" version of copy protection, promising to replace any customer's CDs with non-copy-protected versions.

There are currently class action lawsuits against Sony in three states. Some larger companies have outlawed ALL music CDs from company computers.

Analysis:

There are major issues here, untested in U.S. courts.

1) How much disclosure is necessary in an End User License Agreement (EULA)? Is a software maker obligated to inform the purchaser that software being installed:
a) Is NOT just a "music player", but is a root kit that modifies key system functions?
b) Sends out encrypted information across the Internet without asking the user?
c) Runs constantly on the computer, using up CPU cycles?
d) Cannot be un-installed?
e) Modifies system properties to hide certain files (possibly introducing a security hazard)?

2) How much liability does Sony have for damages caused by their software?
Sony's EULA limits damage to a maximum of $5. What if the DRM program, which installs as a root kit, directly causes data loss for a company? Or requires that a computer operating system be rebuilt?