Thursday, August 19, 2004 12:45 PM
bradley
So Dana in his blog asks for an SBS MVPer....
So Dana Epp in his excellent Security blog has a post today asking for an SBS MVP, and I just pinged up Dana with an MVP in his area, Steven Banks, and another MVP, Jeff Middleton, as well, and posted this as a comment to his blog:
As I said to Dana, I'd recommend ISA 2000 at this time as we SBSers won't get a wizardized ISA 2004 until SBS sp1 comes out which is waiting on Windows 2003 sp1 [got that roadmap?]
IMHO if you open up for OWA, you DON'T have to open up port 80; you can fully function with port 443. Opening up SharePoint for anonymous access [oh yeah that is something that is optional and we can do that too] is what I think is our potentially weakest issue going on in the future.
Before I'd budget for RSA keyfobs, I'd budget for a patch management solution as WUS/MUS isn't ready and SUS is not enough. I'm a dyed-in-the-wool www.Shavlik.com gal myself.
Because we are all on one box, because we are doing OWA, we can't do high security hardening and we have to stay with Enterprise or Legacy settings. We track pretty closely as a matter of fact with those CIS benchmarks.
This one vendor did a "test" of security issues with SBS 2003: http://www.predatorwatch.com/vulnerability_alerts.html. The problem is they are/were scanning it for vulnerabilities from the inside, where all our "squishy ports" are. Thus this is a totally bogus analysis, as it isn't looking at the machine from where the attackers would be seeing it. And yes, I've pinged those folks about the inaccuracy of their press release and they fail to respond.
Honestly, patching, antivirus, firewall AND Passphrases and we do just fine out here.
Filed under: Security