More SBS 2003 security - book excerpt
Posted by : Harry | Tue,8 Jul 2008 | 17:00:24
Tags : sbs,smb,sbs 2003

I am Harry Brelsford, the author of Windows Small Business Server 2003 Best Practices and I am posting up pages! More from Chapter 5 on security -

 

SBS Setup Revisited

Believe it or not, you’ve already taken significant steps so far in making your SBS network secure. For example, you have deployed the SPRINGERS network with two network adapter cards (aka network interface cards or NICs), which creates something of a “Great Barrier Reef” (GBR) dividing good from evil (Figure 5-1). The GBR will make even more sense in a few more passages when you explore the Routing and Remote Access Service (RRAS) basic firewall capability in SBS 2003.

 Visit www.microsoft.com/technet for the latest updates for any Microsoft product.

Figure 5-1

This figure shows at a high-level how two network adapter cards work in conjunction with SBS 2003.

BEST PRACTICE: You’ll recall that the two network adapter cards were suggested during the SBS setup at mid-point via a setup warning message. This was discussed in Chapter 3. And I’m honor bound to comment that while the two network adapter card method is much preferred, remember that the crown jewels are sitting atop the “reef,” to follow my analogy. You have been so advised.

Another task you completed in the SBS 2003 setup phase was naming the internal domain (SPRINGERSLTD.LOCAL). This act laid the foundation for having separate DNS domains and creating separation from the outside world. Read on to the next paragraph to “hear the rest of the story” on this.

You also completed the E-mail and Internet Connection Wizard (EICW) in the prior Chapter (Chapter 4). It was necessary to complete that wizard, which applied many security configurations to SBS 2003, in that particular chapter to maintain “order” in the SPRINGERS methodology. In the EICW, you referred to and configured SBS 2003 to realize and recognize the external domain (SPRINGERSLTD.COM). So between the SBS 2003 setup process and completing the EICW, you effectively created domain separation, which is a good thing. Why? Because you’ve shielded the internal domain from external viewing. But heed this disclaimer: The outsiders can still see the external IP address of the wild side network adapter card on the SBS server machine.

Whether you knew it or not, basic auditing was turned on as part of the SBS setup process so that logons are recorded in the Security log under Event Viewer (this is located under System Tools beneath Computer Management (Local) under Advanced Management). My forthcoming advanced text on SBS 2003 will cover auditing in much more detail.
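The logon records that this default auditing leaves in the Security log are only useful if someone reads them. The script below is an added example, not from the book, that summarises them; it assumes Windows PowerShell 2.0 has been installed on the SBS 2003 server (it is not part of the product) and that you run it as an administrator.

```powershell
# Added example (not from the book): summarise the logon events that SBS 2003's
# default auditing writes to the Security log. Assumes Windows PowerShell 2.0
# on the server and a session running as a local administrator.
# Pre-Vista Security log event IDs: 528 = successful logon,
# 540 = successful network logon, 529 = logon failure (bad name or password).
$logonIds = @(528, 540, 529)
$since    = (Get-Date).AddDays(-1)   # look back one day; adjust as needed

$events = Get-EventLog -LogName Security -After $since |
    Where-Object { $logonIds -contains $_.EventID }

# For these event IDs the first two insertion strings are the user name and
# the domain (assumption based on the message templates of events 528/529/540).
$summary = $events | ForEach-Object {
    $result = 'success'
    if ($_.EventID -eq 529) { $result = 'FAILURE' }
    New-Object PSObject -Property @{
        Time    = $_.TimeGenerated
        EventID = $_.EventID
        Account = "$($_.ReplacementStrings[1])\$($_.ReplacementStrings[0])"
        Result  = $result
    }
}

# Failures per account: a burst of 529s against one account (for example
# Administrator) is exactly what the auditing was turned on to reveal.
Write-Host "Logon failures in the last day, by account:"
$summary | Where-Object { $_.Result -eq 'FAILURE' } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full chronological list for the SBS network notebook.
$summary | Sort-Object Time |
    Format-Table Time, EventID, Result, Account -AutoSize
```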

And finally, you completed the password policies settings, read the security best practices stuff from the To Do List, completed the remote access configurations (which inherently have security in mind), and so on. So you’re not new to security in SBS.

Updates!

With SBS 2003, as soon as you’re connected to the Internet, you need to RUN, NOT WALK to implement the very latest patches. This will make your machine “fit” for service, and should be done given the speed with which gremlins travel on the Internet. As elegantly pointed out by Microsoft CEO Steve Ballmer at the SBS 2003 launch at the WWPC, the time between identification of a vulnerability and acts that exploit said vulnerability has been dramatically compressed. Waiting only minutes prior to implementing the latest patches clearly exposes your “naked” SBS 2003 server machine to worms and other bad stuff. And if your SBS server machine is located in New Delhi, India, be sure to immediately secure it physically so it’s not attacked and stolen by monkeys! (An almost-true story here as told to yours truly).


Automatic Updates!

Because this is such an easy step, it’s easy to overlook. In fact, overlooking this task is one of Microsoft’s great fears and was the subject of extensive media coverage in the fall of 2003. Why? Because Microsoft, as displayed by Ballmer in his WWPC keynote address, has typically released a patch to correct a vulnerability before someone exploits that vulnerability (e.g., Microsoft released its SQL Server Slammer patch before the worm was released in the wild). But the problem is that folks don’t take the time to update their computers. So while the patch existed, in many cases it hadn’t been applied. That certainly reflected some “dark days” in the world of network administration and exposed some of us as less than competent at our SBSer job.

This specific issue about getting folks to update their system has spawned significant debate in the technology community and media. One side believes that Microsoft should automatically update your system as its default, out of the box configuration. Others are concerned about the privacy issues involved in allowing Microsoft to collect machine configuration information (so it can decide what to apply!). You are encouraged to follow popular journals such as CRN (www.crn.com) to monitor this technical/social/political debate.

Recall from Chapter 4 that the automatic update function started to run at the conclusion of the E-mail and Internet Connection Wizard (EICW). However, I elected to defer the in-depth updating discussion until this chapter to make it “fit” the security discussion.

You might be amazed at how easy it is to actually update your SBS 2003 system with the latest patches. Follow these steps.

1. Log on to your SBS 2003 server machine (e.g., SPRINGERS1) as Administrator (which in the case of SPRINGERS would use the password Husky9999!).

2. Click Start, All Programs, Windows Update.

3. Click Next at the Automatic Updates Setup Wizard page where you are welcomed.

 

BEST PRACTICE: Perhaps the socio-political discussion earlier in this section hit home with you. On the Automatic Updates Setup Wizard page, there are links that allow you to learn how automatic updates impact your licensing agreement and how Microsoft’s privacy policy affects you when Automatic Update is run.

 Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.

4. The Notification Settings page (Figure 5-2) allows you to configure the Automatic Update settings. This relates to the degree to which you want the update function to be automatic. For example, are you interested in having the updates automatically downloaded and applied? Probably not, as I’ll explain in the next Best Practice. The default selection, downloading updates automatically and notifying you, is the preferred method (this is advisory mode).

Figure 5-2

For SPRINGERS, please make your screen look similar to this figure.

BEST PRACTICE: Civil liberties and privacy concerns aside, you want some control over how your updates are applied, and the automatic deployment of updates is typically frowned upon. Why? Because you may well want to test the updates on a sample network (e.g., SPRINGERS with a live Internet connection on a test server) before applying the updates to a real production machine. Once in a blue moon, a patch will fix one thing and break two (that statement isn’t to fault Microsoft, but rather to speak the truth and acknowledge the complexities of software interaction).

So test and verify whenever possible before deploying patches on a production server machine!

 

5. Click Finish on the Completing the Automatic Updates Setup Wizard page. Note there is no link titled “here” to save this as part of your SBS 2003 network notebook, because this isn’t a native SBS 2003 Wizard.

 

6. An Internet Explorer Web browser will launch and connect to Microsoft’s automatic update site (http://v4.windowsupdate.microsoft.com/en/default.asp). Note in the case of your imaginary implementation of SPRINGERS, it may well be that you aren’t truly connected to the Internet. But in the “real world” you likely would be connected to the Internet and could complete this task as expected.

 

7. Approve the request from Microsoft to download a component called “Windows Update” to analyze your machine by clicking Yes. It is this process that will assess what patches are missing and need to be applied. Oh, and you may select the checkbox to Always trust content from Microsoft Corporation.

 

8. On the Welcome to Windows Update page that appears, click Scan for updates.

 

9. A screen of suggested updates will be displayed next (titled Pick updates to install). Click Review and install updates.

 

10. The actual updates to approve and install are shown in Figure 5-3 on the Total Selected Updates screen. You may remove updates at this point that you do not care to install. Because this book, being written in the fall of 2003, is only as current as the day on which I wrote it, I can’t even hope to recreate a figure that displays the updates you’re likely to see at a future date. Bear with me. Assuming the suggested updates are acceptable, click Install Now.

 

Figure 5-3

Carefully review each update before proceeding. If in doubt, remove the update and reconsider it at a future time (don’t wait too long though, but be careful nonetheless).


11. You will likely need to approve a license agreement for one or more of the updates being applied. Such an agreement might look like Figure 5-4. Click Accept.

Figure 5-4

Accept any necessary license agreements so that you can proceed.


12. A component progress dialog box will be displayed similar to Figure 5-5.

 

13. You will arrive at the Installation Complete page seen in Figure 5-6 and you will likely be asked for a reboot at this stage. This is normal; see my further discussion under patch management.

 

Figure 5-5

You can monitor the status of the updates being applied.


Figure 5-6

Success followed by a reboot.
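After the reboot, two things are worth confirming from the command line: that the Automatic Updates mode really is the advisory mode chosen in step 4 (and has not been overridden by a domain policy), and that the updates approved in step 10 are actually recorded as installed. The script below is an added example, not from the book; it assumes Windows PowerShell 2.0 is installed on the SBS 2003 server and that the AUOptions registry value is used as documented for the Automatic Updates client.

```powershell
# Added example (not from the book): verify the Automatic Updates mode chosen
# in step 4 and list the hotfixes actually installed after the reboot.
# Assumes Windows PowerShell 2.0 on the SBS 2003 server, run as Administrator.
# AUOptions values used by the Automatic Updates client:
#   2 = notify before download
#   3 = download automatically, notify before install (the "advisory mode"
#       the book recommends)
#   4 = download automatically and install on a schedule (unattended)
$auModes = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install (advisory mode)'
    4 = 'Download and install automatically on a schedule'
}

# A Group Policy setting takes precedence over the choice made in the wizard,
# so read the policy key first and fall back to the local key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AUOption($path) {
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties['AUOptions']) {
            return [int]$item.AUOptions
        }
    }
    return $null
}

$source = 'Group Policy'
$mode   = Get-AUOption $policyKey
if ($mode -eq $null) { $source = 'local setting'; $mode = Get-AUOption $localKey }

if ($mode -eq $null) {
    Write-Warning 'Automatic Updates has not been configured; rerun the setup wizard.'
} else {
    $desc = $auModes[$mode]
    if (-not $desc) { $desc = "unknown value $mode" }
    Write-Host "Automatic Updates mode ($source): $mode = $desc"
    if ($mode -eq 4) {
        Write-Warning 'Updates install unattended; the Best Practice is to test them first.'
    }
}

# Installed hotfixes, newest first: the evidence that the updates approved in
# step 10 really went on (Get-HotFix reads Win32_QuickFixEngineering).
$hotfixes = @(Get-HotFix)
Write-Host "$($hotfixes.Count) hotfixes recorded on $env:COMPUTERNAME"
$hotfixes | Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```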

BEST PRACTICE: Don’t forget to run Automatic Update on all of your workstations. These individual workstations on the SBS network need to stay shipshape as well!

BEST PRACTICE: Sometimes you’ll have a configuration that is slightly different from what Automatic Update expects to see and what it can report. For example, perhaps Automatic Update isn’t the best way to keep your legacy NetMeeting application patched because it doesn’t necessarily know about, care about, and have the smarts to deal with that application. So some updates are applied manually by visiting the Microsoft security Web site at www.microsoft.com/security.

Of course the above paragraph only begs the question: HOW WOULD YOU KNOW TO GO TO THAT SITE AND CHECK FOR MANUAL UPDATES? Calm down! You can subscribe to my SBS newsletter wherein I’ll announce such updates, and you can subscribe to the Microsoft security bulletins at the aforementioned site to receive similar notices. See the resources section near the end of this chapter for more information.

 
Copyright © 2001-2008 ComputerUser, Inc., All Rights Reserved