Tue, Mar 21 2006 20:26
bradley
Small Business Server hardening guidance
On the Security 360 webcast that was on earlier today, the topic was "browser hardening". And the VERY first question was about Small Businesses looking for guidance on hardening, and the question included hardening of the SBS box. I tell ya... us SBSers are EVERYWHERE, aren't we?
Here is the guidance I would highly recommend for locking down a SBS box.
- Walk to the server.
- Turn around.
- Yes, I said turn around.
- I really mean, you need to turn around.
- Walk to the nearest workstation that has a user working on it.
- Shove the user aside (nicely of course, but you want to be in front of that user's workstation using their session).
- Click on the date and time in the corner.
Got that?
So why is that a hardening step for locking down a SBS box?
Because I would strongly argue that the biggest threat on a SBS network is the end users. End users that have local administrator rights. End users that can download and click. And if you can click on that date and time and it comes up and allows you to modify it, that user most definitely has the right to introduce risks into your system. So let's talk about how we can harden the workstations, shall we?
Want to harden a SBS server and network? Start by hardening the user.
- You don't surf at the server
- You don't use the server as a workstation
- You educate your users that "download here for free" translates into "yes, you really do want malware on your box, don't you?"
- You have an acceptable use policy that says "yes, this is okay to do" and "no, this isn't appropriate for our firm" - check with the sans.org policy site to set up an acceptable use policy.
Now that you have that education task out of the way... you harden the desktop. Here's the hard part... you need to check with the applications that are poorly written and won't work under these conditions. Some of these things are not for everyone, but it will take YOU some time to do, so play first on your own boxes before rolling this out to your clients.
- Get more control using Group Policy - Consider IE ActiveX browser filtering using this KB by Nick "the naked MVP" Whittome -
- Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
http://support.microsoft.com/kb/555235/en-us
- I honestly do not think that we do enough with group policy in SBS. We have the GPMC tool right under the hood and all it takes is for us to get up to speed. GRAB A BOOK. And read this spreadsheet to see all the potential for things you can control.
- Use ISA 2004 (only in premium) or your firewall software to block sites
- We had this the other day... mysite.com is not for business and thus sites like those should not be used in the office. Bad sites introduce risk.
- Get those workstations down to "normal" user mode.
- Sit down with that client/customer and see what key line of business applications they have. If they are "Designed for Windows XP" logo'd, they will natively run under this 'normal' user mode or LUA. If they are not logo'd, come out to the newsgroups and communities and google on ways to get that app down to 'normal user' mode. Yell at the vendor.
- So many of the latest security vulnerabilities will launch things in the 'context' of the user, so the lower rights you have, the better off you are.
- Review Aaron's blog about these issues
- Get patches on those boxes/Get on the latest software.
- When SBS 2k3 R2 comes out, the "green check" of updates will be there to help keep that system up to date. You don't have to wait until then or buy it if you don't want to. Download WSUS now.
- IF YOU DO NOTHING ELSE, FLIP YOUR SYSTEMS OVER TO MICROSOFT UPDATE. Yes, I know I'm yelling, but with Microsoft Update we truly now have the ability to patch our entire system (YES even ISA Server 2004 - which hasn't needed a patch yet), so everything from the workstations to the server can now be patched by MU. If you have not, all you have to do is go to Windows Update and on the right hand side is the place to click to "flip the bits" over to Microsoft Update.
- Install the same sort of security at home that you do at the office
- We buy Trend PC-cillin for all home PCs (especially those that remotely connect back to the network)
- We require that they have XP SP2, firewalls and all the normal stuff I have here at the office.
- Follow some of the information and guidance on Dana's blog. He had a webcast on Compliance at the SBsummit.
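The "click on the date and time" test above is a one-workstation check. As an added example (not from the original post), here is the scripted version of that same check for the "get those workstations down to normal user mode" step: it enumerates the local Administrators group on each workstation and lists any member you did not expect to be there. It assumes you run it as a domain admin from the SBS box, that RPC/SMB to the workstations is open so the WinNT ADSI provider can reach them, and that the computer names and the allowed-member list are your own (the ones below are constructed samples).

```powershell
# Added example, not part of the original post.
# Lists unexpected members of each workstation's local Administrators group.
# Assumptions: run as a domain admin; WinNT ADSI provider reachable over RPC/SMB;
# $Computers and $Allowed are constructed samples you replace with your own.
param(
    [string[]]$Computers = @('WS01', 'WS02'),                   # constructed sample names
    [string[]]$Allowed   = @('Administrator', 'Domain Admins')  # members expected to be there
)

function Get-LocalAdmins {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member comes back as a COM object; pull its name and origin path
        # (the AdsPath shows whether it is a local account or a domain user/group).
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Computer = $Computer; Member = $name; Path = $path }
    }
}

$findings = foreach ($c in $Computers) {
    try {
        Get-LocalAdmins -Computer $c | Where-Object { $Allowed -notcontains $_.Member }
    } catch {
        # A box you cannot reach is a finding too: it is unverified, not clean.
        Write-Warning "$c : could not enumerate Administrators ($($_.Exception.Message))"
    }
}

if ($findings) {
    # Anyone listed here can still change the clock, install software, and run
    # whatever they download with full rights on that box.
    $findings | Sort-Object Computer, Member | Format-Table -AutoSize
} else {
    'No unexpected local administrators found on the listed workstations.'
}
```

Run it before and after you move a client to LUA; a user account that reappears in the list after the change is the sign that someone put it back to make a badly written application work.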
But even with all of this... what's the best way to harden a SBS server and a network?
You start by hardening ME. Me the business owner. Me the onsite admin. You harden me, you get me to understand that you can't just harden the server, that "I" have to change. I can't download things like I used to. I can't surf like I used to. I have to be a little less trusting. A little more aware. A little more paranoid. Accepting of the balance between security and business that I need. We need to work on this together. You need me to understand that there's no easy fix. No one button that I can point you to.
You don't get it by downloading a guide.
You start by hardening ME.
Only then will you have a hardened Small Business Server network.
Filed under: Security, Rants