How secure is SBS2003?

Considering I am on the verge of an argument with one of EE's Linux Zone Advisors, I am really glad you asked this question :)

Honestly, I see the point made by the *nix nuts out there, Windows has been legendary in its vulnerabilities and exploits.  The key point here is updatability (assuming that is even a word).

If you keep your server fully up to date, only the best of the best hackers will be able to cause you grief, and quite honestly, they are not going to be interested in your SBS network.

And this is where Windows has a HUGE advantage over linux - updates.  Sure, I have played with linux over the years, and while i never enjoyed it (considering lots of my hardware wouldn't work and the answers were "yeah, it isn't going to") I did see the red hat updater (or something like that).  It didn't include everything on the system, as microsoft updates do, and is a downside in using the open source platform.  Sure, 1,000 independant coders making quality software the world over is a great idea, but if one of them gives up on a project, you need to wait for someone else to pick it up or change to another program to do it for you.  It is unpolished, unprofessional, and awkward.

Were that not the case, I would probably give it another go - and I am sure they will get there, but they are not there yet.

So, with that out of the way, how secure is SBS.  Well, that all depends.  You seem to have configured the system by the book, which is good, but it does not include your router/firewall setup.  The only ports you need open are really 443 and 25 - the more you open, the more ways in.  You can also open the VPN ports, and 444 for sharepoint and 4125 for RWW, if you are going to use them.

Now, SMTP (25) is going to be secure as long as you are not an open relay, and even more secure if you enable tarpitting and recipient filtering.  There is no way into a system with SMTP, your greatest risk is being used as a spam bot, or being harvested for spam yourself.

As for SSL (443), specifically OWA, As long as you have a good password policy that requires strong passwords and change them often, the risk is very minimal.

ISA is just a software firewall, it never really floated my boat, i prefer a nice big router.

With port 3389 open, you are possibly at risk of someone bruting your accounts - but a good policy should help remove some of that.  There is also the possibility of a man in the middle attack, but the likelyhood of someone specifically targetting you, and knowing you were going to connect and from where, is really, really low.

In short, properly configured your SBS server will be as hard as anything else out there providing the same services.  The more you want your server to do, the more at risk you are of another way someone can get in.

As for this furry toothed linux tragic, I would be taking anything he says with a grain of salt.  Any really biased opinion is going to have little value - and while I know I am going to be biased towards MS, I like to consider myself relatively open to *nix - I don't hate it, it just isn't for me.

-red

In all of my conversations with Linux gurus or guru wannabees, I can ask a simple question (keep in mind we deploy 98.5% SBS Premium): You get your best tools, and we can sit down together and watch them try to work on my SBS Premium box with ISA setup and configured properly. With ISA SP3, we will be seeing a sea of red - that is denies!

ISA is more than a software firewall! Check out isaserver.org for more info. It is one of the best ways to manage data coming in or leaving the SBS network ... period. This is one of the main reasons why we pretty much only deploy Premium Edition of SBS. For a few extra dollars, the client gets an enterprise level of protection and user/software access management.

We have clients with Internet facing SBS Premium servers hosting email and providing HTTP filtering for Server 2003 Web Edition farms that have been running trouble free for years now. We have yet to see a successful attack.

For SBS standard, it is not much different since the built in firewall service is configured by the CEICW to only allow the ports already mentioned with the exception of 3389.

You should actually use the native Remote Web Workplace connectivity to manage your SBS boxes. This further reduces the server's exposure. It gives you SSL protection for your management access without the risk of having a port open.

The principle, as far as Linux is concerned, is having so many services running on one box. Because of the way Linux operates. Each SBS like component, email like SendMail or QMail, Squid for firewall and proxy, Apache for web based services, SSH for remote management and connectivity, MySQL for databases, PHP for scripting and environments, Samba for sharing data files and folders across the internal network, and more all present an attack vector for someone to try and crack their way into the system.

SBS is not like that. Microsoft in the guise of the SBS team took a lot of time to make sure that each component of SBS plays nice together. They took the time to make sure that there would be a reduced attack vector by presenting what is essentially one secure and united front for access to the server: Remote Web Workplace. This front has a few facets in that VPN and Outlook Web Access can also be dialed in for access to data and email respectively. But, we are still presented with one way in: Through an SSL secured portal that requires us to authenticate BEFORE we get any further.

That is what a Linux person will not understand without sitting them down in front of the server's console and showing them point by point how things operate on a SBS box. Then we would let them watch the live traffic monitoring feature in ISA to gain an understanding of just how tight things run on SBS.

That in a nutshell, this late at night, is an off the top of my head run down of what is said to the Linux people I come across on a regular basis.

Philip

Just to put this into context if I may from my own area.

ISA Server has never been hacked - There are no security patches or security updates issued for the product. Yes, windows has its updates (we all know about those) but once ISA is installed and the hardening routines run the environment is solid. ISA is EAL4+ accredited and got that level before both the Cisco PIX and the ASA devices.

As has been pointed out above though, once you start opening ports then the risks start.

ISA has its critics and I respect their views but it is a specialist product. It can be installed straight out of the box and it will work but to get the best out of it requires a slightly deeper knowledge in the same way that most products do. As SBS was built specifically for the tasks it performs with its modified environment, its own version of ISA Server, its integrating wizards etc, I will continue to be a fan of SBS for quite sometime.

Linux/Unix has its uses and its rightful place in the industry but for most of the organisations where SBS is a cost-effective solution for them, adding a Unix environment to the Windows environment is not an administrative overhead they would want to take on.

If SBS was not secure though, it would have been dead long ago, regardless of our thoughts on the product

In my experience the real security problems with using a microsoft server is the attitude of the users.  People tend to log in to them as administrator, then they want a tutorial for something or a software package and they fire up IE and go browsing.  They clutter up the desktop, save stuff wherever they feel like it, and pretty soon your nice server is all bloated and has all sorts of garbage that very well could make it less secure.

On linux you typically don't have a gui, so if you need something you use your PC to go surfing.  Chances are that whatever you do install on the linux box won't be updating something that could affect other processes the way installing something on windows can whack out your registry.

I love my linux boxes because the lower level admins don't ever even log in to them, let alone install stupid programs to change the background images, etc.

So in my opinion a properly set up windows box is just as secure as a linux box, maybe even more so.  You just have to have a strict discipline when using it.

This solution solves most security & gui issues, 1. Always rename the administrator account and create another user account with limited access - basic practice I always think and 2. why supply a keyboard, mouse and monitor for a machine that, should have restricted access and can be accessed remotely, my default install is always as above and my GUI is always as initial config, clients don't go near a machine that doesn't have a monitor, they tend to think of it as something mystic, that they shouldn't touch.