Best way to setup a secure SBS2003 network

I wish to find out the most secure way to set up a Windows SBS 2003 network, which obviously will be running Exchange. Do I need a DMZ? I will be running an FTP server.
This is what I have:
1 x SBS 2003 Server (Exchange, AD, RAS)
1 x Netbox Blue Firewall
1 x Windows 2003 Server (File Server)
20 x Workstations, all running XP
3 x HP Printers (Print Server?)
1 x FTP Server
1 x Wireless access point for internal domain users
1 x Wireless access point with access to the internet only (nothing else) for visitors

I have always set up my server, file server and workstations on the same IP range. Is this incorrect? I have forwarded the ports; is there a more secure way to set up a network? Any input is greatly appreciated.

Imtiaz Hasham (Technical Director / IT Consultant) commented:
Trust me, I install so many mail servers and I just allow port 25 for incoming mail and allow all ports for outbound (less secure).

I then allow port 443 incoming and use the SBS Internet Configuration Wizard to configure the sub-sites I want the world to view and tada!
Imtiaz Hasham (Technical Director / IT Consultant) commented:
Hi there,

The setup you have used is fine because you can use the firewall to NAT the public IP to the private IP (1st type of firewall) and then forward the relevant ports to the server (e.g. if your server is the mail server, forward port 25 - SMTP to receive emails) rather than DMZ the server. And don't open port 80, just 443!

Kind regards,
big_daddy_pimp (Author) commented:
Is it that simple? I am unsure; I have people telling me my network is insecure and I should be running a DMZ for my mail server etc.


No, putting your SBS server as a DMZ server is the worst place to put it. Putting it in the DMZ means that your SBS can be accessed through EVERY and ANY port on the internet. However, if you do port forwarding, then the server can only be accessed through the ports you specify, i.e. 25 for SMTP, 443 for HTTPS and 1723 for PPTP VPN.

For example, if your server is in the DMZ, hackers will be able to connect on potentially dangerous ports such as Netbios 139. This may result in them accessing file shares and printer queues. As many sites state, it is very dangerous to have this port open on an active server:
There are also many other ports just as dangerous.

The only time I would recommend using a DMZ is if you have a machine which isn't important and isn't part of the network. It would receive all the malicious hackers' attempts to access the network, but there wouldn't be anything on the machine for them to get to. You would also have to have a router as a gateway to the rest of the network to ensure the DMZ machine can't access it. Personally, I don't see the point in this, provided your existing router has a decent firewall to block access attempts on ports you haven't opened.

Yes, setting up on the IP range 192.168.0.x/24 wouldn't be a problem. SBS normally tries to set up on 192.168.16.x, but you can change this during SBS setup and it won't cause any problems. If you were running a larger 2k3 domain with many workstations/servers then that wouldn't be suitable since there wouldn't be enough IP addresses (you would use 10.x.x.x/8 or 172.16.x.x instead), but for SBS that IP range is fine!

Hope this helps
Here's a scenario where you might use a DMZ:
Oops, you'll need to copy and paste that address, the (computing) wasn't hyperlinked for some reason.

Perhaps this will work instead?
Tigermatt, I would like to correct you on one thing. And I don't want points for it ;-)
Setting up a DMZ does not mean that that server is accessible through every and any port.
A decent firewall allows exactly the same filtering from the internet to the DMZ as it does from the internet to the internal network.
Only some cheapo firewalls have what they call a DMZ which is just a full forward to a certain internal address. This really is not a DMZ.
The reason for a DMZ is to put machines with public services there and separate those from your internal network. So when those get cracked there is another firewall hurdle (DMZ->internal) which protects your internal network.
A DMZ is usually used to host services which need to be accessible from internal and external.
Or to host a proxy.
And it is indeed not the place to put an SBS.
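The three layouts argued over in this thread (the "cheapo DMZ" that full-forwards every inbound port to one host, plain port forwarding of 25/443/1723, and a real DMZ zone with its own filtered rules plus a DMZ->internal block) can be modelled as a small zone-based rule table. The code below is an added example written for this page; it is not a Netbox Blue or SBS configuration, and the host names, zone names, rule format and the set of well-known ports it checks are constructed for illustration. It shows which ports each layout leaves reachable from the internet and provides a simple audit that flags anything outside the approved list.

```python
"""Zone-based model of the firewall layouts discussed above (added example;
not a configuration for any real product).  Hosts, zones and rules are
constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Well-known ports a small Windows server typically listens on.
SERVICES = {
    21: "FTP",
    25: "SMTP (Exchange inbound mail)",
    80: "HTTP",
    139: "NetBIOS session (file/print sharing)",
    443: "HTTPS (OWA / RWW)",
    445: "SMB",
    1723: "PPTP VPN",
    3389: "RDP",
}


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str                  # "*" matches any host in dst_zone
    ports: Optional[frozenset]     # None means every port
    action: str                    # "allow" or "deny"


@dataclass
class Firewall:
    hosts: dict = field(default_factory=dict)   # host name -> zone
    rules: list = field(default_factory=list)   # first matching rule wins

    def evaluate(self, src_zone: str, dst_host: str, port: int) -> str:
        dst_zone = self.hosts[dst_host]
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.dst_host in ("*", dst_host)
                    and (r.ports is None or port in r.ports)):
                return r.action
        return "deny"  # default deny when no rule matches

    def exposed_ports(self, src_zone: str, dst_host: str) -> list:
        """Well-known ports on dst_host reachable from src_zone."""
        return sorted(p for p in SERVICES
                      if self.evaluate(src_zone, dst_host, p) == "allow")


def cheapo_dmz() -> Firewall:
    """The consumer-router 'DMZ host' feature: every inbound port forwarded to the SBS."""
    fw = Firewall(hosts={"sbs": "internal", "fileserver": "internal"})
    fw.rules.append(Rule("internet", "internal", "sbs", None, "allow"))
    return fw


def port_forwarding() -> Firewall:
    """Only the ports named in the thread (SMTP, HTTPS, PPTP) forwarded to the SBS."""
    fw = Firewall(hosts={"sbs": "internal", "fileserver": "internal"})
    fw.rules.append(Rule("internet", "internal", "sbs",
                         frozenset({25, 443, 1723}), "allow"))
    return fw


def real_dmz() -> Firewall:
    """A filtered DMZ zone for the public FTP host, blocked from reaching internal."""
    fw = Firewall(hosts={"ftp": "dmz", "sbs": "internal"})
    fw.rules += [
        Rule("internet", "dmz", "ftp", frozenset({21}), "allow"),
        Rule("dmz", "internal", "*", None, "deny"),          # second hurdle
        Rule("internal", "dmz", "*", frozenset({21}), "allow"),
        Rule("internet", "internal", "sbs", frozenset({25, 443, 1723}), "allow"),
    ]
    return fw


def audit(fw: Firewall, src_zone: str, dst_host: str, approved: set) -> list:
    """Ports reachable from src_zone that are NOT on the approved list."""
    return [p for p in fw.exposed_ports(src_zone, dst_host) if p not in approved]


if __name__ == "__main__":
    approved = {25, 443, 1723}
    for name, fw in (("cheapo DMZ", cheapo_dmz()), ("port forwarding", port_forwarding())):
        extra = audit(fw, "internet", "sbs", approved)
        print(f"{name}: unexpected exposure {[SERVICES[p] for p in extra]}")
    print("real DMZ, ftp -> sbs:25 =", real_dmz().evaluate("dmz", "sbs", 25))
```

Run as a script it lists the unexpected exposure for each layout; the "cheapo DMZ" leaks NetBIOS 139 and SMB 445 (the ports tigermatt warns about) while plain port forwarding leaks nothing, and in the real DMZ a compromised FTP host still cannot reach the SBS on any port because the DMZ->internal deny matches first.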
