Windows 2003 Small Buiness Server

I'm setting up a small business office for a client.

I have very little experience with Windows 2003 Server.

Is securing a 2003 server much different than securing a 2000 server?

Here will be the setup:

Comcast business connection (cable) --> Cisco 831 router (which I know how to configure/secure) --> 12 port unmanaged switch --> 4 client PCs (XP Pro) and a Windows 2003 small business server.

I will be creating a domain.

I'll create home drives, and set proper permissions. I'll have logon scripts and groups to map correct drives. 2K3 Small Business Server (SBS) has exchange in it, so we will be using exchange for interoffice email and calander (etc.). They wish to share contacts, and I know how to set that up with the permissions.

There will also be a strong password policy and will have to change their passwords every 60 or 90 days. I think I'll make it 60 days.

I will kill unnecessary services.

They will be using VPN though. Configure VPN through the cisco router and use an IPSec client... such as SSH Sentinal. It will be a setup similar to this.

Do you think it is necessary to have a firewall on the server?
They are unwilling to pay for a firewall on the server and there will be the cisco at the boarder.

I will be creating ACLs in the router to only allow connections from two static residential cable connections. (So they can access files and email from home).

We will be using the email accounts that come with the cable connection... so no public services. (except for VPN which will be protected via ACLs at the router, IPSec and UIDs and PWDs).

I've looked over the Microsoft Guide to securing Windows 2003.. but have not had as much time as I'd hope to read the whole guide. I won't be setting this up for another week or so... so I have some time to read still.

There will be antivirus, but only on the clients which will be automatically updated.
The server and the clients will be configured to automatically download and install windows updates everyday at some time. (as of yet undecided)

The users are somewhat tech savy users and will local admins on the workstations.
(they need to be able to do installs for software that is frequently updated and requires admin)

There will be little administration on my part. I'm just setting it up and whatnot.

They didn't want to pay for a backup solution... so I'll be backing up nightly to two client PCs...
(less than 5 gig backup). 1 night to client PC 1, next night to client PC 2. I warned them of the dangers of keeping backups onsite... and they still didn't want to do offsite backups. (tape rotation).

Physical security isn't really a concern. Its an office thats had the same four employees for the longest time. They always had access to just about any paper files that are around the office... and the digital data will also be in paper format...

Any suggestions? They really don't want to spend any more money and wanted 2k3 (or I would have setup a *nix box... to do the same exact thing...). I got a steal on the cisco ($250) so they were willing to pay for that. I'm kind of doing this as a favor... not making too much money off of this. But the experience I get will be payment enough. :)

I have set up several SBS 4.0-2003.

The new SBS 2003 has 2 vesions...Standard and Premium...
Premium includes MSSQL and ISA

I have always used 2 NICs in the server one for the internal clients and one connected to the internet via a router ( for that extra layer of security)...but I think you will be ok with the Cisco on the perimeter

For a back up solution the SBS has the ablity to back up to disk..
Also you can look at the VXA drive... I find then an inexpensive and reliable solution for small business

HTHs in some way

MLF

morganlefay: Thanks for your input. I believe we are using the standard version... but I have to double check.

Do you just leave it at a default install? Or, what steps do you take in securing the 2k3 server?
Pretty much the same way you would do a 2k server?

I know I'll be killing services... and permissions and etc.

Don't think there will be much use for group policy... because they will have local admin anyway.

Before, they were just sharing files between the clients and have never had a problem.

They really just wanted the server for internal messaging/calendar/etc. along with the VPN.

Good idea on the backup to drive... but that is basically what I'll be doing. I'll just backup to a client PC drive over the network. I can set the permissionson that so only the backup operator/system/domain admin will have access to it. So, the users can't mess with it.

AFIK.... I would secure it like a W2K server.... MS has lots of article available

The SBS has lots of wizards which you can bypass...such as your backup...I am not sure if it will allow to backup to a mapped or network drive. there are 2 backups included...one SBS and the native NTBACKUP( you may have more functionality with the native backup)

You may have to back up to local disk..then run a .bat file to xcopy over to a mapped drive.
the SBS 20003 uses Volume Shadow Copy which allows for the backup of open files (new) and is Exchange aware

The links below are excellent resources

http://www.microsoft.com/windowsserv...&lang=en&cr=US


http://www.smallbizserver.net/DesktopDefault.aspx


http://support.microsoft.com/default...-US;sbserv2003

Good luck

MLF

I have never played with 2003 but it's connection to Exchange via secure html has me interested.

Quote:

---

There will be antivirus, but only on the clients which will be automatically updated.
The server and the clients will be configured to automatically download and install windows updates everyday at some time. (as of yet undecided)

---

I would HIGHLY recoment a server based antivirus to scan the mailbox store for exchange. Client based antivirus is no where near as effective at catching viri than stopping it as it goes through exchange. I base that on my own practical experience with McAfee. But if budget is a concern then client lockdown is sufficient vs. the risk. Only protect the exchange information store, file level antivirus is not recomended but if used, do not scan exchange folders.

Oh and set up the outlook to exchange connection using that secure http protocol, I hear it's the bomb. If they only want VPN access to exchange then your covered by it's own design for secure remote access. -Peace

Quote:

---

Don't think there will be much use for group policy... because they will have local admin anyway.

---

gasps!


No NO, I would design the infrastructure from the beginning using group policy. :D You mentioned you were setting up users so it's the perfect time. Have you backed up exchange before?

Quote:

---

I would HIGHLY recoment a server based antivirus to scan the mailbox store for exchange. Client based antivirus is no where near as effective at catching viri than stopping it as it goes through exchange. I base that on my own practical experience with McAfee. But if budget is a concern then client lockdown is sufficient vs. the risk. Only protect the exchange information store, file level antivirus is not recomended but if used, do not scan exchange folders.

---

Thats what I was going to do... but they didn't want their own external email server...

So, they will be using a web based email client and external email won't be touching the server. So, if there updated AV on each client... then viruses should not be a problem... because all files will be scanned before they get to the server...

I was thinking about doing group policy... but at this time it doesn't make much sense... (at least to me). They aren't going to get anymore users anytime soon... its a small lawfirm.

I have backed up exchange before... but I used something that was WAY more expensive ...
There is simply no need for this kind of backup solution in a place like that.

I thought that 2k3 is supposed to be able to backup exchange ok?
I'll have to dig into that a bit more.

EDIT: Ah, yes. Here it is... backup exchange 2003...

Just curious... why would you use group policy for something like this? Is there really a need? They will have to be able to get around it if they need too... as there will be no full time admin. I'm going to be doing as little administration as possible... I'm not getting paid for this. I'm just doing this as a favor... :rolleyes:

A few things:

Locking down W2K3 is *almost* identicle to W2K and in your case, will be the same as a 2K lockdown. Do the standard stuff that you would on any W2K server.

Using a standard AV client can do damage to the mailstore on Exchange (you mentioned internal e-mail). Look into the appropriate method of AV protection on the vendor's site. You didn't mention which AV solution you are using. If it's Symantec, they make something specifically for Exchange.

Your perimeter will be sufficiently protected if you install the IOS that includes FW capabilities (which I'm sure you are).

Group policy can be pressed against the law of diminishing returns. There is a point where it is more of a pain in the ass to setup than simply configuring the workstations. In your case, since there is no admin onsite, the road you have mapped out sounds reasonable.

TheHorse took the word out of my mouth, but in reverse. Group policy on a new network would be easy to set up. You take say the Lawyers and the Secretaries, toss them in their own group then apply workstation specific policies without touching each box. Now in your situation, perhaps I am wrong in that you won't be managing the system So this is where I agree with you both, based on your dollar amount given, it may not be worth your time. Security and integrity of workstations is not a major risk in this case, so I cave on my earlier comment.

I was asking about exachange because if you don't use a good program then the exchange logs never get written to the data base and cleared properly. And like horse mentioned, improper virus scanning will damage the mail store. Most badacious. The one built into windows works just fine there is no need to buy an expensive solution to this scenario. I would however, backup the exchange store seperate from the rest of the machine files. So run two backup jobs every day. It's a great cost saver. You can then script a file copy to move it off the box and send a message to someone that it was complete every night via net message or something.

Quote:

---

So, they will be using a web based email client and external email won't be touching the server. So, if there updated AV on each client... then viruses should not be a problem... because all files will be scanned before they get to the server...

---

Maybe I am looking at this too deep Phish but to share calendars they have to connect to exchange. The mail messages, calendars, folders etc. are stored on Exchange. The information store is where this is all located, you can't even view the contents let alone figure out exactly how it works. Are you engineering something else where they are only using outlook for smtp? To share infor there has to be a public repository on exchange?

//edit OK thing I got it, you are using Exchange for only Internal and they are using a web based email system for external, had to read it all again.

horse: Thanks for the advise. I'll configure it like a 2k box.

roadclosed: Yes. They will be using exchange only for internal stuff. Everything external will be done via comcast's webmail page. So, you still think I need AV for the exchange mailbox store? Even though it will be getting no external mail?