Seems like we need some type of grand SBS Unifying Theory. On the one hand, we have this fabulous all-in-one box that is perfectly priced for the small business and brings a plethora of enterprise-worthy capabilities that you could previously only find in a Fortune 500 company. Easily one of the most transformational of these is remote access, giving workers access to their info and workspaces no matter where they are.
On the other hand, the cadre of talented and intelligent consultants who have built respectable consulting practices on this product are telling us that most of the things that make SBS so compelling are too dangerous to actually be employed. No RDP! No VPN! No business data on the SBS box - which would include files as well as databases! No pubic web sites! No FTP!
If the only bang for the buck I can get out of SBS is Exchange, why bother? I can find a whole truck load of free SMTP and POP mail servers if I want to host my own mail.
So what's the SBS Grand Unifying Theory? Because right now it seems that the immoveable object (SBS as a first class all-in-one solution) and the irresistable force (most SBS capabilities are too vulnerable to be exposed on the external network) are in violent conflict with one another.
I didn't say "no RDP"... what I said was no RDP from any ol' external access. What I mean by this is that generally speaking ONLY the consultant should be doing a direct RDP to the server itself. Everyone else (and I do me EVERYONE ELSE) should be using the access that was built for remote access...and that is Remote Web Workplace.
Who said anything about no business data on a SBS box? I do, as do most of us...and BECAUSE we have business data we make the choice to limit who does unfettered VPN access to the box. Unless you take the time (and most of us do not) to limit the kind/type/means of VPN access, the person making the connection with their home PC that is probably bot-netted and owned, will make a layer 3 full connection to your network. Unless you are like Dana Epp of www.scorpionsoft.com and have Windows 2008/RC and Network Access Protection running, what we're doing here is making risk choices.
Yes we can have remote access... but it's limited to who needs it and from what locations and types.
Yes to Remote Web Workplace as that's the safest connection.
Yes to RDP but ONLY to server administrators and limited to their locations. The entire world does not need to have the ability to try to connect to your server's port 3389.
Why Exchange? Shared calendars. Active Sync. I'm sorry but hosted email is not the same when you have a full on rich Exchange in your own backyard.. pop3 does not cut the mustard.
When hosting websites externally is cheap .. do so. When hosting ftp externally (as there's not much protecting that password) is cheap, do so.
But you cannot ...and no one is saying to shut off/down/limit Remote Web Workplace to those users that need it (...well.. I do say don't use kiosk computers).
But this isn't about saying "No" all the time.. it's determining what the right balance of risk versus implentation is. Most SBS capabilities are indeed too vulnerable to expose to everyone in the entire universe...nor would you want to in the Enterprise space as well.....and that's exactly why the consultant doesn't do exactly that. He or she finds the right balance of exposing some services to full access (RWW) and some to limited access (RDP and VPN).
The balance is different for each client as well.
Does everyone in the entire Internet need access to your server's RDP port? Nope. And that's the point that Eriq and Amy were trying to get across. THEY need access. The entire world doesn't.
The wonderful thing about SBS is that it's flexible enough to be able to build the right solution for many clients.