Well here you go!

Small Business Server 2003

• Post 25 – SMTP
• Port 80 – HTTP
• Port 443 – HTTPS
• Port 444 – CompanyWeb,
• Port 4125 – Remote Web Workplace, Remote desktop from RWW
• Port 1723 – VPN

Small Business Server 2008

• Port 25 – SMTP
• Port 80 – HTTP
• Port 443 – HTTPS
• Port 987 – CompanyWeb
• Port 1723 – VPN

This is caused by a little known issue in Vista where a certain key in the registry becomes corrupted, normally by a 3rd party registry cleaning program.

Anyway, don’t despair, the fix is below:

If your PC is part of a domain and has offline files setup follow Parts 1 & 2, if not head straight to Part 2.

Part 1 – Disable Offline Files:

1. Open the control panel
2. Click on the offline files icon
3. Click “disable offline files” (if it says “enable offline file” click this the click apply then click “disable offline files”)
4. If you get any UAC prompts click continue then click “OK”
5. Finally restart you PC

Part 2 – Amending the Registry

1. Determine your Vista version, 32 or 64bit – Click start, right click Computer, selected properties and check system type on the right
2. Download the “VistaFolderGlitch32.rar” or “VistaFolderGlitch64.rar ” file (depending Vista version)
3. Extract the contents of the RAR archive (use WinRar from www.rarlabs.com) to your desktop
4. Finally run the file, OK the security warning and any UAC messages.
5. Finally reboot the computer and all should be fine

A recent report by the DB Security Company Imperva based on 32 million passwords exposed from  the rockyou.com security breach has highlighted patterns and the most popular passwords used. The full report is available here.

The Top Ten Common Passwords

The Top Ten common insecure passwords are:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

Key findings:

• About 30% of users chose passwords whose length is equal or below six characters.
• Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits,  adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.

The effect to businesses

Even though Microsoft are trying to enforce password policies in the design of their Active Directory infrastructures, many IT Administrators are disabling these features at the request of management. This is causing major vulnerability.

In our market place, the Microsoft Small Business Server is key to many SME network deployments, and features such as Remote Web Workplace, Outlook Web Access and VPN access are enabled for many users.

The flaw to this is that in an SME environment the number of users is small, and as such usernames are generally easy to guess as many companies use just First Names as the username. It’s much easier for a hacker to attempt a brute force attack on First name combinations rather than the more complex First name Last Name permutations.

For example, the username of “chris” who has a password of “123456″ or “Password” is going to be very easy to break. If Chris happens to be at Director level, there is going to be no end of information that can be accessed by the hacker.

Our Recommendations for Usernames

So our recommendation in a business domain is that usernames are based on a pattern that is not directly related to First Names, but either has a prefix or is based on First name and Last Name to infinitely increase the username possibilities. If you’re signing up to a web site that shows a “Screen” or “Nick” name, ensure this is different to your username.

Our Recommendations for Passwords

Using passwords based around your name, family, or words found in a dictionary are not secure as these are the basis for simple dictionary attacks. Many websites now offer a scale of complexity when signing up provide a guide to users about their passwords. It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;” If there is only one letter or special character, it should not be either the first or last character in the password.

So to sum up, in a business and web environment it is important that both your usernames and passwords are designed to increase complexity to reduce the effectiveness of a Brute Force attack, and never use one of the passwords listed above.