

Best way to setup a secure SBS2003 network

Posted on 2007-08-06
Medium Priority
Last Modified: 2013-12-04
I wish to find out the most secure way to set up a Windows SBS 2003 network, which obviously will be running Exchange. Do I need a DMZ? I will be running an FTP server.
This is what I have:
1 x SBS 2003 Server (Exchange, AD, RAS)
1 x Netbox Blue Firewall
1 x Windows 2003 Server (File Server)
20 x Workstations, all running XP
3 x HP Printers (Print Server?)
1 x FTP Server
1 x Wireless access point for internal domain users
1 x Wireless access point with access to the internet only, nothing else, for visitors

I have always set up my server, file server and workstations on the same IP range and forwarded the ports. Is this incorrect? Is there a more secure way to set up a network? Any input is greatly appreciated.

Question by:big_daddy_pimp
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 19637506
Hi there,

The setup you have used is fine because you can use the firewall to NAT the public IP from the private IP (1st type of firewall) and then forward the relevant ports to the server (e.g. if your server is, forward port 25 - SMTP to receive emails) rather than DMZ the server. And don't open port 80, just 443!

Kind regards,

Author Comment

ID: 19637532
Is it that simple? I am unsure; I have people telling me my network is insecure and I should be running a DMZ for my mail server, etc.

LVL 12

Accepted Solution

Imtiaz Hasham earned 750 total points
ID: 19637552
Trust me, I install so many mailservers and I just allow Port 25 for incoming mails and allow all ports for outbound (less secure).

I then allow port 443 incoming and use the SBS Internet Configuration Wizard to configure the sub-sites I want the world to view and tada!

LVL 58

Assisted Solution

tigermatt earned 750 total points
ID: 19637592
No, putting your SBS server as a DMZ server is the worst place to put it. Putting it in the DMZ means that your SBS can be accessed through EVERY and ANY port on the internet. However, if you do port forwarding, then the server can only be accessed through the ports you specify, i.e. 25 for SMTP, 443 for HTTPS and 1723 for PPTP VPN.

For example, if your server is in the DMZ, hackers will be able to connect on potentially dangerous ports such as NetBIOS 139. This may result in them accessing file shares and printer queues. As many sites state, it is very dangerous to have this port open on an active server: http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm
There are also many other ports just as dangerous.

The only time I would recommend using a DMZ is if you have a machine which isn't important and isn't part of the network. It would receive all the malicious hackers' attempts to access the network, but there wouldn't be anything on the machine for them to get to. You would also have to have a router as a gateway to the rest of the network to ensure the DMZ machine can't access it. Personally, I don't see the point in this, provided your existing router has a decent firewall to block access attempts on ports you haven't opened.

Yes, setting up on the IP range 192.168.0.x/24 wouldn't be a problem. SBS normally tries to set up on 192.168.16.x, but you can change this during SBS setup and it won't cause any problems. If you were running a larger 2k3 domain with many workstations/servers then that wouldn't be suitable since there wouldn't be enough IP addresses (you would use 10.x.x.x/8 or 172.16.x.x instead) but for SBS that IP range is fine!

Hope this helps
LVL 58

Expert Comment

ID: 19637923
Here's a scenario where you might use a DMZ: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
LVL 58

Expert Comment

ID: 19637929
Oops, you'll need to copy and paste that address, the (computing) wasn't hyperlinked for some reason.

Perhaps this will work instead? http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29
LVL 18

Expert Comment

ID: 19638208
Tigermatt, I would like to correct you on one thing. And I don't want points for it ;-)
Setting up a DMZ does not mean that that server is accessible through every and any port.
A decent firewall allows exactly the same filtering from the internet to the DMZ as it does from the internet to the internal network.
Only some cheapo firewalls have what they call a DMZ which is just a full forward to a certain internal address. This really is not a DMZ.
The reason for a DMZ is for putting machines with public services, and separating those from your internal network. So when those get cracked there is another firewall hurdle (DMZ->internal) which protects your internal network.
A DMZ is usually used to host services which need to be accessible from internal and external.
Or to host a proxy.
And it is indeed not the place to put a SBS.
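
Added example, not part of any post in this thread: a small Python audit that models the designs compared above (port forwarding to the SBS, a router's "DMZ host" full forward, and a zoned DMZ with a DMZ->internal hurdle) and flags rules that expose more than intended. Ports 25, 443, 1723 and 139 come from the thread; port 21 for the FTP server, the empty DMZ-to-LAN allow-list, the host labels and all policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ALL_PORTS = tuple(range(1, 65536))   # what a router's one-click "DMZ host" forwards

# Allow-lists per (source zone, destination zone). 25/443/1723 are the ports
# named in the thread; 21 for the FTP server and an empty DMZ-to-LAN list are
# assumptions made for this example.
ALLOW = {
    ("internet", "lan"): {25, 443, 1723},
    ("internet", "dmz"): {21},
    ("dmz", "lan"): set(),
}

@dataclass(frozen=True)
class Rule:
    src: str        # zone the connection comes from
    dst: str        # zone the connection goes to
    host: str       # constructed host label
    ports: tuple    # destination ports permitted by this rule

def reachable(rules, src, dst):
    """Ports in zone `dst` that zone `src` can connect to (default deny)."""
    return {p for r in rules if (r.src, r.dst) == (src, dst) for p in r.ports}

def audit(rules):
    """List (host, finding, ports-outside-allow-list) for every bad rule."""
    findings = []
    for r in rules:
        extra = sorted(set(r.ports) - ALLOW.get((r.src, r.dst), set()))
        if len(r.ports) == len(ALL_PORTS):
            findings.append((r.host, "FULL_FORWARD", len(extra)))
        elif extra:
            findings.append((r.host, "UNLISTED_PORTS", extra))
    return findings

# Constructed policies for the designs discussed in the thread.
PORT_FORWARD = [Rule("internet", "lan", "sbs", (25, 443, 1723))]
ROUTER_DMZ_HOST = [Rule("internet", "lan", "sbs", ALL_PORTS)]
ZONED_DMZ = [Rule("internet", "dmz", "ftp", (21,)),
             Rule("internet", "lan", "sbs", (25, 443, 1723))]
LEAKY_DMZ = ZONED_DMZ + [Rule("dmz", "lan", "fileserver", (139,))]

if __name__ == "__main__":
    for name, policy in [("port forward", PORT_FORWARD), ("router DMZ host", ROUTER_DMZ_HOST),
                         ("zoned DMZ", ZONED_DMZ), ("leaky DMZ", LEAKY_DMZ)]:
        print(name, audit(policy))
```

The last policy shows why the DMZ->internal rule set needs the same review as the internet-facing one: a single NetBIOS rule from the DMZ to the file server removes the second hurdle.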


Question has a verified solution.