Re: Security experts criticize an SBS installation



If I had a dime every time some two-bit "security expert" thought Microsoft products were insecure, I'd have a lot of dimes and a lot of folks that haven't looked at Microsoft products since WinNT.

The reality is, Victor, a properly maintained network of any flavor is safe and secure whether that network is SBS or anything else. The key is maintenance.

Show me a compromised network of any size and I'll show you one improperly configured, monitored and managed.

I have a GSEC security credential, volunteer for the Center for Internet Security, and know that the security of my network is based more on the lack of control of my workstations than it is on that ISA box.

I cannot, to the best of my knowledge, remember an SBS box that has been hacked when the passwords are long/strong/secure, the box is patched, and the workstations are configured based on the risk of each person. In my office that means that many are non-admin. It also means you don't surf from the server.

But an SBS server ... even with that "so-called" hacked-in-umpteen-minutes ISA server ... Get him to tell you in detail how he hacked into ISA server.

I'll bet you a Mountain Dew that he used a sucky password, or the server wasn't patched, or some other way that, I'm sorry, doesn't prove diddly squat that ISA is inherently more insecure. It's more likely that someone doesn't know how to set up ISA.

Do understand now that ISA server, no matter where that ISA server is, is only as secure as the weakest link; therefore if it's not patched, the network has lousy passwords, etc. etc. ... that's the important issue these days.

Look around this newsgroup, Victor ... do you see blood, guts and gore of hacked-up boxes?

Anyone that has a nailed box around here does so because they violated the rules by using a stupid password, surfed at the server and introduced malware, or the workstations have introduced the risk. Which honestly these days ... 99.99999999% of my risks come from stupid users ... and not from that SBS.

Isn't that proof to you right there that the risk we take is certainly manageable when you look at this newsgroup?

Look around. We do just fine. That security "expert" is no expert in my book.

I'd love to chat one on one with these folks ... they prob haven't used Windows since the NT era.

Susan Bradley
MCP, SBSC, GSEC
SBS MVP
Security MVP
And ... "gimme a break" on those security experts' advice to you

Victor Banks wrote:
I just had an experience that has left me very unsettled. Our client has a 15-user network and has been running SBS 2003 Premium with ISA 2004 for well over a year now with no problems. Three weeks ago the owner fired his office manager under rather mysterious circumstances. We were not told that he had been dismissed until a week after the fact. We still have not been told what the office manager is suspected of doing. When we were finally contacted, the place was swarming with the client's lawyer and "security experts" who started tearing the place to pieces. They now intend to install a video camera system and spy software on the server and all the workstations. They sent the office manager's workstation to a laboratory to be imaged and analyzed (even though we already had images that could have been provided). But beyond that, we have basically been told that the SBS is to be bulldozed and replaced with a plain Windows server, and even that step is to be taken grudgingly, as the line-of-business application is an old DOS program and could run from a mapped drive on a NAS. They have already installed a hardware firewall in front of the SBS and shut off RRAS. (The "hardware is better than software" canard.) We still have no remote access. Yet the office manager's password had not been changed and the account was still active until I arrived a week later. The rationale for this revolution is that the SBS is horribly insecure; one of the guys on this team claims to have broken through ISA in 20 minutes. Exchange is to be outsourced to an external hosted Exchange provider, as even that is too risky to keep in-house.

Here is my question. I have another 30 or so of these networks out there. Do I take this seriously or are my SBS installations reasonably secure? I have to provide straight answers to my clients. If it's as bad as these guys say, I have no business selling it to anyone.
