Re: Experiences using SBS2003 as web server?? - Patch Management??
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 03/12/04
- Next message: Steve Foster [SBS MVP]: "Re: ISA n Seti@home"
- Previous message: Steve Foster [SBS MVP]: "Re: ALIAS in Exchange and how to Access System-Mailbox?"
- In reply to: Ken Doerbecker: "Re: Experiences using SBS2003 as web server?? - Patch Management??"
- Next in thread: Russ: "Re: Experiences using SBS2003 as web server?? - Patch Management??"
- Reply: Russ: "Re: Experiences using SBS2003 as web server?? - Patch Management??"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 12 Mar 2004 08:50:16 -0800
I'm not a cheerleader for running a web site on SBS, I'd do Russ's
recommendation. If you DO want to run a web server, you'd better patch
that sucker and not just have a backup.
No, WU is not enough at the present time and if you are serious about
web hosting, sign up for security bulletins [see the tag line below] and
get yourself a copy of Shavlik's hfnetchpro.
I would not open port 80 in my firm because of what I do. At the same
time, it's my desktops that are my security issues, not my server.
[Okay I'm not getting the short skirt and the pompoms... let's just make
that clear right now ;-)]
Ken Doerbecker wrote:
> Susan,
> Thanks for your reply. Although I fully realize that you are a
> bona fide SBS cheerleader, I agree with your comments.
> At the risk of invoking Murphy's law I'll add that I have six SBS
> customers, all on public IPs, and, to the best of our knowledge, none
> of them experienced a successful attack of any kind ever. Reviewing
> the logs on the firewalls, it looks like attacks are attempted several
> times a day. Of course, we keep the AV up to date and have Windows
> Updates automatically installed every night. We also use a small
> hardware firewall in each case.
> Opening up the ports necessary to fully utilize all the web services
> that 2003 provides worries me a little bit. We are running both a
> hardware firewall and the integrated software firewall in SBS 2003.
> One question on patch management. Does running Windows Update
> regularly and installing both the critical and recommended updates
> daily constitute an acceptable patch management program in your
> opinion? If not what would you do in addition to that?
> Thanks,
> Ken
>
>
> On Thu, 11 Mar 2004 21:59:22 -0800, "Susan Bradley, CPA aka Ebitz -
> SBS Rocks [MVP]" <sbradcpa@pacbell.net> wrote:
>
>
>>I would add that it depends on the requirements for protecting data as
>>set by HIPAA or other jurisdictional requirements.
>>
>>The most IMPORTANT step to take if you DO host a web site on your server
>>[any server for that matter] is to ensure that you have a patch
>>management program in place in addition to the disaster plan.
>>
>>In my industry, if I woke up tomorrow and found that due to my non
>>patching habits I had "Hacked by ___insert name here___" defacing my
>>internal web site, I would be bound to inform each and everyone of the
>>tax clients in my office [doesn't matter the size] that their personal
>>information was possibly viewed by an unauthorized person. Having a
>>backup of my server would be the least of my problems.
>>
>>Patching
>>Antivirus
>>Firewall
>>
>>The Security triangle. You must have all three in place.
>>
>>I would argue that my SBS box and network is more secure than my
>>sister's large enterprise. :-)
>>
>>It's not the size of the box, it's who's driving it IMHO.
>>
>>I've not sent her viruses. Her firm gets infected all the time.
>>
>>Susan
>>
>>anonymous@discussions.microsoft.com wrote:
>>
>>>The whole SBS concept is a low security endeavor designed
>>>by Microsoft. In a large enterprise your company assets
>>>would not be on the same computer as the firewall
>>>software, and would not be on the same server as the web
>>>server etc.
>>>
>>>Anyone's recommendation for a large enterprise where the
>>>target is larger and the data more valuable would be to
>>>keep company data isolated from public network services.
>>>
>>>If you don't have major trade secrets to protect and have
>>>a robust disaster recovery plan, then you can decide to
>>>take the small risk of combining public services with
>>>private data on the same computer.
>>>
>>>an MCSE security specialist
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>Anyone have any advice to give me.
>>>>
>>>>I'm planning on using my SBS2003 server to host some web pages with
>>>>public access to them. I have differences of opinion from the MS folks
>>>>as to whether or not that is a good idea. I know it is capable of doing
>>>>it, question is - is it a good idea (administration, security, attack
>>>>wise, etc.)
>>>>
>>>>Reason for doing so is that there will be data collected into an SQL
>>>>database that I want to keep on my local server and use with other
>>>>internal applications.
>>>>
>>>>Any opinions are welcome.
>>>>
>>>>Thanks,
>>>>Ken
>>>>.
>>>>
>
>
-- http://www.sbslinks.com/really.htm