Your New Server

It’s probably that time again.  You knew it was coming but that old 2008R2 has been running well or at least it was until recently.

So what to do now that 2008R2 is done?  If you knew me, you had an SBS2011 (with Exchange & SharePoint as well as the 2008R2 server).  The good news is the hardware is probably cheaper for more CPU/RAM/Storage/Speed; the bad news is Microsoft isn’t going to let you off easy on the software costs (hard to beat $900 for SBS).

Migrations are not easy, and since your system probably has 5+ years of clutter with leftover accounts, email, and more, a fresh start would probably help.  So here is what you’ll need and what it’ll take to get there:

  • New server box (i7 Hex Core, 64GB RAM, 2x SSD and 2x HDD, 2x Backup USB drives & extra NetCard).  All totaled it’ll probably be about $2500-3000.
  • MS Server 2016, we’ll use the VM licenses to get more mileage from this $1000 base software.  You will have CAL costs per user ($100/user)
  • Exchange 2016 is another $1500 plus $150/user.  You only need this if you want local Exchange, which you probably do.. if you go with cloud mail, count on $10/month/user for anything better than crap.  Even at 5 users the ROI is 4 years.
  • 1x SSL domain wildcard @ $150/year
  • The last part is the sheer work involved.  This will usually take me 30-50 hours on just a single machine with VMs running Exchange and all the data transfer and setup (as well as migrating your workstations).  The good part is larger and more complicated doesn’t increase labour much; even triple server boxes and a dozen VMs with 35 workstations will still be less than 100 hours.

All in, your single-box Server & Exchange for 5 users comes in under $10000; each additional user is $250 (2x CALs).  The amount of data can affect the time required, so plan a weekend at the office while it’s migrated.  Come Monday everyone has a new profile with their old data still there, email migrated, toys installed and very little to complain about.  This would be a great time to retire the old tired workstations as well, or possibly just wipe and reinstall.

I know, you see $10,000 and nearly have an involuntary bowel movement.  Think about it though, the cheapest POS new car is double that, heck your copier is likely that much.  Your business could survive without a vehicle (you can rent one) but turn off the network and see how it all turns out.

Ball’s in your court: upgrade before the old beast dies and it’s smooth sailing.  Wait too long and it fails, and it’ll cost a bunch more and be a much more painful upgrade with significant down time (no one keeps servers in stock, these are custom computers).  I can work miracles, sometimes even resurrecting the dead server.. but not every time, so keep the 5 year replacement idea firmly in your thoughts (moving parts wear out).

Send me a message if you want more details.

SBS 2011 goes bye-bye

Alas Microsoft is in the process of ending the 2008R2 server and Exchange 2010 from regular support and updates (limited support until 2020 but only critical security patches).  This means all those companies that have one of these awesome beasties will need an upgrade in 2017 or 2018 (or risk some serious problems).

So what’s the plan?  The plan is to head to 2016 and open your wallet.  There is no more cheap ride on SBS (it’s dead), so you need 2 servers and to purchase a full Exchange.  At this point the best in-house option is a powerful CPU & loads of memory, running the Exchange on a VM.  It’ll cost about $4000 in software/licensing alone for 10 users including the base Server software.

If that makes you cringe you can host the Exchange with a partner of mine (HostedBizz) and get a Canada-only cloud at $10/month/user and I will still keep it running normally.  Unlimited mailbox size and good old Exchange so your phone will be happy and no SSL for you to mess with (saves $100/year).

If you need a quote on the hardware for this I’ll get you something current, but you’re looking at an i7 hex-core with 32GB RAM, 2x SSD and 2x 2TB HDD.  Some cheap extra bits will help (like a network card for the VMs and some new 4TB USB backup drives).  The server is ‘cheap’; it’s the software that’ll hurt this time.  I have UNIX alternatives (like Zentyal) but the maintenance will eat your savings.

For the accountants out there, the cloud services offer a better tax advantage @ $10/month/user; the on-premises solution of Exchange 2016 will be $1500 & $150/user with about a 5 year lifespan, making the ROI an easy calculation (remember software has a smaller/longer write off spread over time but is cheaper in real $).

Call/Email me if you have questions

Ransomware – the ‘new’ virus type

HelpLocky encrypts your data using AES encryption and then demands .5 bitcoins to decrypt your files.  Though the ransomware sounds like one named by my kids, there is nothing childish about it.  It targets a large number of file extensions and, even more importantly, encrypts data on unmapped network shares.  If you don’t have a backup your data is gone, unless you pay and hope the payment isn’t yet another scam.

Those of you with a server are pretty safe (backups, Shadow Copies and the like), but stand-alone computers are at risk.  The virus (usually run as a script or macro from an email attachment) will disable your shadow copy (removing backups) and sometimes hunt the backups down, wiping them out.

So far I’ve seen 5 infections of this virus and only 1 had data loss (that client at least remembers me specifically telling them.. “Seriously, you really need a backup of some type, you know, just in case”).  Each infection differed in the targeted files.  Sometimes it was MS Office files, image files or PDFs but there is no limit to what it COULD encrypt.. it just happened to have a priority before we stopped it.

Why didn’t the anti-virus get it?  Because the user ran it, not as a virus but as a function with their security and authorization.  It is much trickier to limit what the user can do to a file (like saving & deleting) than to limit access to the same file.  It sounds like a fine point, but the micro-management required means you need a server, and if you had one this virus is only an inconvenient event, not a source of data loss.

The real victims are home users and ‘server less’ environments.  The most recent off-line backup could be the only fall back.

So if you see a .locky file on your machine, reboot.. NOW!  Pull the power cord if you need to; it’s only in memory (usually) and that stops the encryption process.  If you are on a network you can look at the file properties of the newly created ‘How to fix’ file in the same directory (could be a few names but you’ll know it when you see it), and under the Details of the file properties it’ll tell you the user/system infected (the one that created the new file).  Reboot that machine ASAP.

Google can offer you some help recovering, so can Malwarebytes.org (in finding any viral leftovers).  Your server and backups are your best hope, failing those a few bitcoins and some trust in the makers of the virus are all you might have left.

Backup often, trust no email attachments.

SBS is dead, but not forgotten.

Microsoft officially ended the Small Business Server (aka SBS) to the chagrin of many smaller companies wanting in-house control of their data at a reasonable cost.  With this move the cost of having an in-house solution for email & data went up by $3000 or more.  I’ll explain the changes and how you can make a new SBS that will at least do the same job as before.

SBS was unique in that it allowed the Domain Control & Exchange to co-exist on the same server; normally this didn’t work.. Exchange doesn’t like being on a DC.  The new method means every company needs 2 servers in their office or has to move email to the Cloud, and as we know in Canada that’s not going to work (unless you have no email from the government or government contracts which REQUIRE your mail & server be in the country).

The new solution is a computer powerful enough to run 2 servers, one normally and the 2nd virtually.  Windows Server Essentials 2012 will be the base machine and another copy of Server 2012 Standard runs as a VM (but not a DC), and there resides the Exchange server.  Many other changes are also needed, the setup is much longer and of course the server is more complicated.  Instead of the $900 + licenses (past 5) on SBS you now have $500 for Essentials (up to 25 users), $1000 for Standard but also $900 Exchange & $110/user.

Of course setting up 2 servers takes longer (even if one is virtual), the hardware is more expensive and you need a few extra parts (like a VM drive for Exchange).  All in all an in-house system went from about $6000 (hardware, software & labour) to about $10,000.  You can no longer buy SBS 2011, but for those with a copy you could keep it running on new hardware for at least a few more years (after all SBS 2003 just ended its life).

HeartBleed & Microsoft

The Heartbleed vulnerability in OpenSSL has received a significant amount of attention, but worry naught, it won’t get you unless you have Apache on your Windows server. Microsoft services were not impacted by the OpenSSL vulnerability and the Windows implementation of SSL/TLS was also not impacted.

Rest assured that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability.   Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

Virtualization vs. Cloud Computing

People often get the terms “virtualization” and “cloud computing” confused, believing that they can be used interchangeably when, in fact, they are diametrically opposed.

Virtualization tricks your software into believing that it’s running on a real server, network or storage that is actually there, but it’s not: it’s virtualized. Essentially we are hiding the infrastructure from software, which allows software to believe that nothing is changing even if we move the ‘server’ to a new machine or new location.  Portable and easy to get running on new hardware.

Cloud computing is the exact opposite. A real public or private cloud richly exposes the infrastructure to the application which is not only infrastructure-aware; it is dependent on its interactions with the infrastructure.  This allows companies to turn off resources when they’re not using them and add additional resources when required, basically making a server more powerful when needed.

The PR teams will tell you Cloud Computing is the way to go, the destination and ultimate goal of business computing.  Complete horse crap.  It’s probably the next ‘leaky condo’ with more central points of failure than any system in existence (because you need to connect to it, the entire path is vulnerable to failure).

Cloud computing and data storage bind clients to the service providers like nothing else.  The monthly fees are reasonable on a per user basis but company wide they can become onerous, without offering any local hardware maintenance (which is often the largest cost).  One special consideration for Canadian customers is you are not allowed to have any government communication or documents leave the country, which means even GMail violates government contracts, let alone files on the cloud.

DNS Happens

How DNS happens

DNS (Domain Name Service) has been around since the first time someone tried a name instead of an IP to get somewhere on the Internet.  Which translates to only a few years younger than the first network. What happens when you type ‘google.ca’ isn’t stunningly complex, it’s really no more than your machine looking up the number of that domain and then sending you there.  The really interesting part is how much we rely on it and how it’s embedded into nearly everything.  In fact the Internet would grind to a halt in about 5 minutes without it and the fact it is made of millions of simple text files is a minor marvel.

So why the news on DNS?  My home internet (to my server) went out a few days ago and it is one of a chain of DNS servers that maintain a few domains.  It also exposed a vulnerability in my redundancy which I had thought covered; turns out some companies know less of DNS than I do and their systems weren’t capable of taking the added load.  Thus the DNS entries began to expire and the scramble was on.  Long story short, I managed to get a new DNS system up in a few hours and migrate things to a more stable platform.  The whole system is better than ever and more fault tolerant. This meant some email outages for a time and though email can recover, the deliveries were later than expected.

What I learned: yet another software system that doesn’t do what it claims, and I didn’t even get an error that the system wasn’t working as expected.  No way to check, and the only way to discover the flaw was to create the problem it was meant to protect against, which seems a rather hard way to test a system.  I’ll have to break down and learn to use Unix on the command line and stop relying on a GUI that tries to hide their failures behind pretty icons.

I’ve never been a proponent of ‘hard testing’ where one creates the disaster to check the recovery system.  My reasoning being if things are other than planned (see Murphy’s law) you’ll have created a problem you do not have the solution for (or your recovery plan would have worked).

So I’ve learned a few new tricks, found a useful service for DNS replication and for one day of annoyance managed to ‘hard test’ my failover system.  Now I just have to get my own regular Internet connection back, thank the tech gods for cell phone tethering 🙂

Server Migration

The web server (and backup mail) is moving from the old DDS (fractional dedicated server) to a newer ‘virtual’ server located in the ‘cloud’.  The advantages are it’s a little more reliable, but mostly it cleans up years of alterations and upgrades and it’s far more expandable.

Dec 14th – The old server dies tonight at 9pm, everything I could find to move I moved and it’s been off for a few days and no complaints, one can only hope it all migrated properly.  The new server is faster and MUCH cleaner.  If you have any issues or problems don’t hesitate to call.

SSL encryption compromised

You know that little HTTPS: we all love to trust when we do online transactions.. well the old versions (TLS v1.0 and earlier) have been compromised.  This means a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a web-server and an end-user browser.

Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the destination website.

At this point the hack isn’t usable by the average weenie in some remote country; the processing power needed is extreme, but as the code is improved it’ll become more important to rely on TLS v1.1+ to remain secure.  The major browsers will likely soon release a patch to implement TLS v1.2 but it’s up to the website to deploy the other end to ensure secure communication.

Just thought you should know in case you didn’t feel vulnerable enough already.

You had WHO call you?

In Canada we don’t get the FBI, NSA, CIA, Homeland Security, State Police, Local Cops or a myriad of odd agencies with dubious jurisdictions wanting to know much of anything regarding your computer server.  In Canada you get one of two agencies 95% of the time, RCMP or CSIS, neither is good but both are better than the US alternatives that are often more interested in their goals than preserving your data.

What has been getting the attention lately has been around for over a year now and comes courtesy of the PRC (People’s Republic of China).  Few will come right out and say it but state based espionage is the bread and butter of China’s financial machine.. what you can’t develop, you steal.

The target of choice right now is Microsoft Small Business Server 2003.  It’s a good OS and system but if compromised it can be difficult to detect, but here is something you can look for:

C:\Inetpub\wwwroot\iisstart.htm
Examine the file with Notepad and at the very top do you see any ‘funny’ code?  Something like this:

<!--czozNjM=--!>
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html;
etc…

That code at the top.. that’s the signature that not all is right in your system.  Who, what, how and all the rest I’m researching but your machine, though not compromised, is quite possibly working for the bad guys.
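
An added example, not part of the original post: a small Python check for the sign described above, a comment sitting in front of the opening <html> tag of iisstart.htm. The function names and the sample strings are constructed for illustration; when the comment body is valid base64 it is also decoded (the marker shown above decodes to the ASCII text s:363).

```python
import base64
import binascii
import re
from pathlib import Path

# Comment opener/closer, tolerant of the "--!>" ending shown on this page and
# of the en-dash form that blog software produces when it rewrites "--".
COMMENT = re.compile(r"<!(?:--|\u2013)(.*?)(?:--|\u2013)!?>", re.S)
DOC_START = re.compile(r"<!doctype|<html", re.I)
B64 = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")


def leading_markers(html: str) -> list[dict]:
    """Return comments found before the document start, base64 bodies decoded."""
    html = html.lstrip("\ufeff")  # drop a byte-order mark if present
    start = DOC_START.search(html)
    # Only text in front of <!DOCTYPE>/<html> is of interest here.
    head = html[: start.start()] if start else html[:512]
    findings = []
    for match in COMMENT.finditer(head):
        body = match.group(1).strip()
        decoded = None
        if B64.fullmatch(body) and len(body) % 4 == 0:
            try:
                decoded = base64.b64decode(body, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                decoded = None  # looked like base64 but is not readable text
        findings.append({"comment": body, "decoded": decoded})
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan one file from disk, e.g. C:\\Inetpub\\wwwroot\\iisstart.htm."""
    raw = Path(path).read_bytes()
    return leading_markers(raw.decode("utf-8", errors="replace"))


# Constructed samples: the first mirrors the snippet on this page, the second
# is a clean page whose only comment sits inside the document.
SUSPECT = '<!--czozNjM=--!>\n<html>\n<head>\n<meta http-equiv="Content-Type">\n'
CLEAN = "<html>\n<head>\n<!-- site header -->\n</head>\n</html>\n"

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, leading_markers(sample))
```

A non-empty result is a prompt to look at the file by hand: ordinary leading comments are reported too, with `decoded` left as `None`.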

I’ll add a comment when I have a name and process for removing this beasty.