[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] My practice.. my risk - THE OFFICIAL BLOG OF THE SBS "DIVA"
Saturday, May 20, 2006 9:30 PM bradley

My practice.. my risk

"How can I harden my SBS server?"

"What's the best practice for SBS?"

I really hate those questions.... I really do.  Because they assume that every firm has the same assets, the same risks, the same everything.  And last I looked around... businesses differ.  So when someone sets up an SBS box with all the wizards... the ports you open and the things you enable should be tailored to each client.  Don't need something?  Don't install it.  Don't need a port open?  Don't open it.  Don't have Windows 98 machines?  Change the supported authentication level so the server refuses the older LAN Manager responses that only those legacy clients need.  Don't need to accept every kind of attachment?  Only allow the attachments that firm needs.

But the best thing you can do for each client?  Is to stop asking for "best practice" and instead think about the practice that is just right for each client.
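Here is one way to turn that checklist into a check against a live server, as an added example that is not part of the original post. It assumes a Windows Server 2012 or later machine with PowerShell 3 (Get-NetTCPConnection and Get-WindowsFeature did not exist on the SBS 2003 box of 2006); the client profile, the port allow-list and the role names are hypothetical values you would fill in per client.

```powershell
# Added example, not from the original post: audit a server against a
# per-client profile instead of a generic "best practice" list.
# Assumes Windows Server 2012+ with PowerShell 3 (Get-NetTCPConnection,
# Get-WindowsFeature). The profile values below are hypothetical.

$Client = @{
    Name            = 'Example Firm'                    # hypothetical client
    HasWindows98    = $false                            # no legacy clients on this network
    AllowedTcpPorts = @(25, 80, 443, 3389)              # only the services this firm uses
    NeededFeatures  = @('Web-Server', 'RDS-RD-Server')  # roles this firm actually needs
}

function Test-ClientHardening {
    param([hashtable]$Profile)

    $findings = @()

    # 1. Authentication. LmCompatibilityLevel 5 makes the server send NTLMv2
    #    only and refuse LM and NTLM responses. Windows 98 without the Directory
    #    Services Client can only send the older responses, so level 5 is only
    #    right for a client that has no such machines; level 3 still accepts them.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $wanted = if ($Profile.HasWindows98) { 3 } else { 5 }
    if ($null -eq $current -or $current -lt $wanted) {
        $findings += "LmCompatibilityLevel is '$current'; this client's profile calls for $wanted"
    }

    # 2. Listening TCP ports. Anything listening that the profile does not
    #    list is a service this client never asked for.
    $listening = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique
    foreach ($port in $listening) {
        if ($Profile.AllowedTcpPorts -notcontains $port) {
            $findings += "TCP port $port is listening but is not in the client's allow-list"
        }
    }

    # 3. Installed roles. "Don't need it? Don't install it."
    $installedRoles = Get-WindowsFeature -ErrorAction SilentlyContinue |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    foreach ($role in $installedRoles) {
        if ($Profile.NeededFeatures -notcontains $role.Name) {
            $findings += "Role '$($role.Name)' is installed but is not in the client's profile"
        }
    }

    [pscustomobject]@{
        Client   = $Profile.Name
        Findings = $findings
    }
}

$report = Test-ClientHardening -Profile $Client
if ($report.Findings.Count -eq 0) {
    "No deviations from the $($report.Client) profile."
} else {
    $report.Findings
}
```

Run it from an elevated prompt on the server in question. The point of the design is that the only "best practice" it encodes is the profile you wrote for that one client: a port, a role or an authentication level is flagged because this firm does not need it, not because a generic checklist says so.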

The other day in the newsgroup someone wrote in about a client who wanted guaranteed access from any computer, anywhere, including any kiosk computer, ever.  Now if that client has no assets on that server that he cares about, you could do exactly that.  Tell that person sure, go ahead, connect from anywhere.  But if you have data on that server that you care about, understand that there are indeed known risks in remoting in from a machine whose security you don't control.  And down here in the small-business space, unless you have network access protection to check the state of the connecting machine..... it's a risk... that you need to discuss with your client.

Sometimes you don't need to enable all the whistles and bells and instead only set up one whistle..and maybe one bell.

But know thy assets that need to be protected.... know thy enemy and how they will get in.. and sometimes they CAN get in using keyloggers on a kiosk computer... so depending on the asset you are protecting... all access, all the time, isn't the 'best practice'.


# re: My practice.. my risk

Monday, May 22, 2006 2:28 AM by Russ Grover

I usually install everything, and then just run the CEICW to configure it if you want to use that service (and open/close the appropriate ports).