Wed, Jun 11 2008 22:55
bradley
Ship insecure?
So I'm reading the WEBS partner FAQ... and this section catches my eye...
Windows Small Business Server 2003 R2 Premium Edition included ISA Server, but SBS 2008 does not. Why? Does this make Windows SBS 2008 less secure?
Windows Server 2008 Standard technologies, Forefront Security for Exchange Server, Windows Live OneCare for Server, server and client reporting, network-wide patch management and other technologies within SBS 2008 provide small businesses with excellent security and data protection. Changes to this new version product are based on customer and partner feedback. With every new version of a product, we do a lot of research and evaluate customer and partner feedback to determine how we can enhance the solution at an affordable cost.
Gotta love marketing... how to tap dance around the answer in 5 easy lessons.
Okay so some people love ISA, some hate it. Many folks wanted it off the domain controller and moved to a separate server. The facts are as it stands ISA 2006 cannot be installed on a 64-bit platform and ISA Forefront Gateway...whatever it's called (as someone joked they are incentivized by the longer and tongue twister of names), aka the ISA next aka Nitrogen that not even Wikipedia is estimating it will be released... http://en.wikipedia.org/wiki/Microsoft_Internet_Security_and_Acceleration_Server (see P.S. below)
The reality is that if you think that SBS 2008 without ISA and without the RRAS's simple firewall and then adding in WSUS, Trial versions of OneCare and Trial versions of Forefront is in any way equivalent to how even SBS 2003 standard shipped with a basic Linksys style firewall, you really need your head examined.
You cannot, you should not... and YOU WILL not stick SBS 2008 on the web without an external firewall. Most of you don't place SBS 2003 without an external firewall now. But the reality is that both SBS 2003 standard and premium had WAY more of an external edge than SBS 2008 does even if it was right on the very same device that was the domain controller and what not.
The firewall that is on the network connection for SBS 2008 has holes poked in it and you will be poking more. What they SHOULD have spun that answer into was the reality of how you will set up SBS 2008. Just like SBS 2003 you can choose the RIGHT firewall. Got someone loosey goosey and doesn't care about security? Buy them a Linksys (and then watch as within weeks they want to start limiting their end users). Care a lot more about security? Check out the gang from www.Calyptix.com. You'll put on the outside edge the RIGHT firewall for the paranoia level of the network. And no longer will that firewall be on the domain controller for every Tom, *** and Vendor to "blame ISA" for the state of their crappy application that doesn't do what it's supposed to. No longer will your edge device also be your very same Domain Controller. You and I will have a very distinct edge device.
Also remember that for those that have Software Assurance (or buy it) that we'll get whatever ISA is released as it peels off. So to answer that question the RIGHT way, yes as SBS 2008 premium ships out of the box, SBS 2008 premium IS more insecure than SBS 2003 Premium was at the time 2003 shipped. With that said, given the threats on the web, given the Internet reality, having that firewall piece be flexible so we can ratchet up the RIGHT amount of security means that we can MAKE SBS 2008 Premium MORE SECURE than its 2003 era counterpart.
If you still want your ISA and eat it too.... grab Software Assurance.
Bottom line: does it "ship" more insecure? Yes. Does it provide the ability to be MORE secure? You betcha it does.
P.S. keep reading that doc.... it's got SA info in there that I have not seen in black and white from Microsoft before.....including info on Forefront Threat Management Gateway