Sun, Dec 19 2004 2:36
Securing Microsoft Small Business Server 2000
So I'm up really late...um early today because I wanted to get my GSEC renewal out of the way. 6 binders are laid out in front of me as I took the online exam. And I just finished up ...yeah... I recertified! Yeah! I had to laugh... one of the questions had to do with passphrases. You can bet the GSEC folks don't recommend a password of “password”.
So I'm just kinda “brain vegging” out now and finish surfing the site when I notice a recent GSEC certificate holder did a practical that is called “Securing Microsoft Small Business Server 2000”. Way to go Matt Gibson for showcasing in your practical that SBS is a box that you CAN build on security [even SBS 2000 for that matter and I would argue that SBS 2003 is even better]. A practical is the first part of the GSEC exam process where you write a “white paper”. Most students hated that part, but I LOVED writing the practical. I look back at mine now... it was so lame. Back then I thought power user was good enough security on my desktop. Now, I totally agree with Matt's assessment of killing off Win98's and removing local admin rights. The next advanced version of Harry's book will have a “how to“ from Jeff Middleton on this concept.
Oh I could just kiss Matt for this paragraph:
“The single adapter configuration is potentially the least secure of all the SBS network configurations, due to the fact that ISA can only be used for its caching components, and not its firewall or proxy components. Far too often, the firewall (if any) used in this topology is only a basic NAT/PAT router, with no proxying or access control list capabilities. Unless the firewall can provide advanced ACL capabilities, this configuration should not be used. If a hardware firewall must be used (corporate policy), then it should ideally be used in conjunction with ISA, not as a replacement for it. This configuration should be avoided at all costs, as it does not provide any advantages over the two NIC configuration, while coming at a higher security risk.“
We constantly get into the one nic/two nic arguements including inside the Microsoft's own documents. I'll keep a firewall/router on the outside, but i LOVE my egress filtering firewall smack dab on my domain controller, thank you very much.
If you are still maintaining a SBS 2000 network this is a pretty good security primer on that platform. Keep in mind for SBS 2003, a lot of the “tightening” listed here is automagically done and then some for that platform. The everyone group in Windows 2003 no longer includes “annoymous”, auditing is already turned on, just a lot of the tweaks he has in here are already on the SBS 2003 system.
Check out Matt's practical!
Filed under: Security