Best way to setup a secure SBS2003 network

Posted on 2007-08-06
Last Modified: 2013-12-04
I wish to find out the most secure way to set up a Windows SBS 2003 network, which obviously will be running Exchange. Do I need a DMZ? I will be running an FTP server.
This is what i have.
1 x SBS 2003 Server (Exchange, AD, RAS)
1 x Netbox Blue Firewall
1 x Windows 2003 Server (File Server)
20 x Workstations, all running XP
3 x HP Printers (Print Server?)
1 x FTP Server
1 x Wireless access point for internal domain users
1 x Wireless access point with only access to the internet, nothing else, for visitors

I have always set up my server, file server and workstations on the same IP range. Is this incorrect? And I have forwarded the ports. Is there a more secure way to set up a network? Any input is greatly appreciated.

Question by:big_daddy_pimp
    LVL 12

    Expert Comment

    by:Imtiaz Hasham
    Hi there,

    The setup you have used is fine because you can use the firewall to NAT the public IP to the private IP (1st type of firewall) and then forward the relevant ports to the server (e.g. if your server is, forward port 25 - SMTP to receive emails) rather than DMZ the server. And don't open port 80, just 443!

    Kind regards,

    Author Comment

    Is it that simple? I am unsure; I have people telling me my network is insecure and I should be running a DMZ for my mail server, etc.

    LVL 12

    Accepted Solution

    Trust me, I install so many mail servers and I just allow port 25 for incoming mail and allow all ports for outbound (less secure).

    I then allow port 443 incoming and use the SBS Internet Configuration Wizard to configure the sub-sites I want the world to view and tada!
    LVL 58

    Assisted Solution

    No, putting your SBS server as a DMZ server is the worst place to put it. Putting it in the DMZ means that your SBS can be accessed through EVERY and ANY port on the internet. However, if you do port forwarding, then the server can only be accessed through the ports you specify, i.e. 25 for SMTP, 443 for HTTPS and 1723 for PPTP VPN.

    For example, if your server is in the DMZ, hackers will be able to connect on potentially dangerous ports such as Netbios 139. This may result in them accessing file shares and printer queues. As many sites state, it is very dangerous to have this port open on an active server:
    There are also many other ports just as dangerous.

    The only time I would recommend using a DMZ is if you have a machine which isn't important and isn't part of the network. It would receive all the malicious hackers' attempts to access the network, but there wouldn't be anything on the machine for them to get to. You would also have to have a router as a gateway to the rest of the network to ensure the DMZ machine can't access it. Personally, I don't see the point in this, provided your existing router has a decent firewall to block access attempts on ports you haven't opened.

    Yes, setting up on the IP range 192.168.0.x/24 wouldn't be a problem. SBS normally tries to set up on 192.168.16.x, but you can change this during SBS setup and it won't cause any problems. If you were running a larger 2k3 domain with many workstations/servers then that wouldn't be suitable since there wouldn't be enough IP addresses (you would use 10.x.x.x/8 or 172.16.x.x instead), but for SBS that IP range is fine!

    Hope this helps
    LVL 58

    Expert Comment

    Here's a scenario where you might use a DMZ:
    LVL 58

    Expert Comment

    Oops, you'll need to copy and paste that address, the (computing) wasn't hyperlinked for some reason.

    Perhaps this will work instead?
    LVL 18

    Expert Comment

    Tigermatt, I would like to correct you on one thing. And I don't want points for it ;-)
    Setting up a DMZ does not mean that that server is accessible through every and any port.
    A decent firewall allows exactly the same filtering from the internet to the DMZ as it does from the internet to the internal network.
    Only some cheapo firewalls have what they call a DMZ, which is just a full forward to a certain internal address. This really is not a DMZ.
    The reason for a DMZ is to put machines with public services there and separate them from your internal network. So when those get cracked there is another firewall hurdle (DMZ->internal) which protects your internal network.
    A DMZ is usually used to host services which need to be accessible from internal and external.
    Or to host a proxy.
    And it is indeed not the place to put a SBS.
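The three designs argued over in this thread (a cheap router's "DMZ host" full forward, plain port forwarding to the SBS box, and a real three-zone DMZ with a separate DMZ->internal boundary) can be compared with a small rule-evaluation model. The following is an added example written for this page, not code from the thread or from any firewall vendor; the zone names, the host labels `sbs` and `ftp`, and the probe port set are constructed assumptions, and the model uses first-match evaluation with an implicit default deny, which is how most firewalls behave.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Zone names used by the constructed firewall models (assumption: three-zone layout).
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Ports the thread mentions (25, 139, 443, 1723) plus SMB 445 and FTP 21 for the
# asker's FTP server; this probe set is constructed for the example.
PROBE_PORTS = (21, 25, 139, 443, 445, 1723)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]  # None matches any host in dst_zone
    dst_port: Optional[int]  # None matches any TCP port
    allow: bool


class Firewall:
    """First-match evaluation with an implicit deny at the end, as on most real firewalls."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)

    def permits(self, src_zone: str, dst_zone: str, dst_host: str, dst_port: int) -> bool:
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.dst_host in (None, dst_host)
                    and r.dst_port in (None, dst_port)):
                return r.allow
        return False  # implicit default deny


def exposed_ports(fw: Firewall, src_zone: str, dst_zone: str, dst_host: str,
                  ports: Iterable[int] = PROBE_PORTS) -> List[int]:
    """Return the probe ports a host in src_zone can reach on dst_host."""
    return sorted(p for p in ports if fw.permits(src_zone, dst_zone, dst_host, p))


# Design 1: the "DMZ host" feature on a cheap router, i.e. a full forward of the
# public IP to the SBS box, which sits on the internal LAN. Every port is reachable.
CHEAP_DMZ = Firewall([
    Rule(INTERNET, INTERNAL, "sbs", None, allow=True),
])

# Design 2: the port-forwarding setup recommended in the accepted solution:
# only SMTP, HTTPS and PPTP reach the SBS box; everything else hits default deny.
PORT_FORWARD = Firewall([
    Rule(INTERNET, INTERNAL, "sbs", 25, allow=True),
    Rule(INTERNET, INTERNAL, "sbs", 443, allow=True),
    Rule(INTERNET, INTERNAL, "sbs", 1723, allow=True),
])

# Design 3: a real three-zone DMZ. The FTP server (a public service) lives in the
# DMZ; the SBS box stays internal with the same three forwards. A compromised
# FTP server must still cross the DMZ->internal boundary, which denies everything.
REAL_DMZ = Firewall([
    Rule(INTERNET, DMZ, "ftp", 21, allow=True),
    Rule(INTERNET, INTERNAL, "sbs", 25, allow=True),
    Rule(INTERNET, INTERNAL, "sbs", 443, allow=True),
    Rule(INTERNET, INTERNAL, "sbs", 1723, allow=True),
    Rule(DMZ, INTERNAL, None, None, allow=False),  # explicit, for readability
])


def compare_designs():
    """Summarise what each design exposes, keyed by (design, path)."""
    return {
        ("cheap_dmz", "internet->sbs"): exposed_ports(CHEAP_DMZ, INTERNET, INTERNAL, "sbs"),
        ("port_forward", "internet->sbs"): exposed_ports(PORT_FORWARD, INTERNET, INTERNAL, "sbs"),
        ("real_dmz", "internet->ftp"): exposed_ports(REAL_DMZ, INTERNET, DMZ, "ftp"),
        ("real_dmz", "internet->sbs"): exposed_ports(REAL_DMZ, INTERNET, INTERNAL, "sbs"),
        ("real_dmz", "ftp->sbs"): exposed_ports(REAL_DMZ, DMZ, INTERNAL, "sbs"),
    }


if __name__ == "__main__":
    for (design, path), ports in compare_designs().items():
        print(f"{design:13s} {path:15s} reachable ports: {ports}")
```

Running it shows the point both experts end up agreeing on: the cheap "DMZ host" forward exposes NetBIOS 139 and SMB 445 on the SBS box along with everything else, port forwarding exposes only 25, 443 and 1723, and in the real DMZ the FTP server is reachable on 21 alone while the DMZ->internal path to the SBS box is empty, so a cracked FTP host gains no route to the domain controller.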

