August 19, 2004
Dana using SBS2003? No I am NOT nuts
Ok, so I never expected this. A little itty bitty blog entry that would cause such a stir that I received over 25 private emails from people.... ranging from honest-to-goodness help and suggestions to quasi-death threats for being so stupid. Why don't you guys ever comment on my blog???
Rather than respond to each email individually, I thought I would just break down and explain my thought process on why I am considering SBS2003.
As a computer security professional who LOVES Unix environments... you would think I would stay away from ever having a Microsoft product on an Internet facing server. You wouldn't be far off from that assumption, as Microsoft's history in this manner hasn't been the greatest. Quite frankly I refuse to look at any version of Microsoft's operating system older than Windows Server 2003. However, I think that only the foolhardy would back themselves into a corner and take the stance of an OS zealot. We saw this years ago when "Team OS/2" was preaching that you need to be "Warped". Not a pretty sight. Then we saw it with Linux. Hey... I got sucked into that one.... as I truly believe in many of the benefits of the operating system. I was one of the original geeks at LinuxWorld, preaching the powers of Linux before it was kewl to do so.
Yet for me, over the years I have come to realize it is all about selecting the right tool for the right job. Absolute security is a myth. What needs to be done is to find the right tools with the right safeguards to help defend against the digital divide. In other words, it's about putting enough security in to defend against the risks we are actually exposed to out there. Not ALL the security in the world. "Just enough security" to do the job. Am I going to prevent covert black bag ops issued by foreign governments from circumventing my safeguards? Probably not... the ISP that hosts my servers will typically fold like a cheap suit under pressure. But by understanding the threats to which I am exposed while ensuring I have control over the assets I wish to protect, coupled with smart decisions on how to mitigate these threats in a practical manner, I can gain the assurance that I need in using a Windows platform of today.
You see, any operating system can be made safe. It is just that practically every commercial operating system shipped today isn't safe in the state it ships in. And I include many Linux environments in there as well... not just Windows. Just as an OS can be made safe... it is just as easy to make it susceptible to attack.
Past these views, the decision is then weighed against fiscal responsibility. After all, I am an owner of a really small ISV where cash is king... and spending thousands upon thousands of dollars for licensing doesn't make a whole lot of sense when you don't need to. And that is the point of view I would like to use as I talk about my decision to look at Small Business Server 2003. It might make sense if I give some background information to help you see how I came to my decision.
The Growth of a Small ISV
In the past two years I have been building a small ISV that is focused on building host-based intrusion prevention software for the Microsoft Windows platform. Focused towards the small to medium business target demographic who use Microsoft Windows servers, I found myself being immersed in the platform. For good, bad or indifferent I have come to realize that Windows Server 2003 isn't all that bad. It has a ways to go yet... but the kernel itself is getting pretty good.
Self-funding the company, the last thing I wanted to do was to shell out tens of thousands of dollars for all the licenses I would need to run a Microsoft shop. Being a fan of Linux with years of experience under my belt, it took me less than an hour to get a Debian server up and running with SSH, email, secure web, database and all the fixings. An hour after that, I had the firewall in place, a good IDS net and remote logging and monitoring facilities that would rival an ISP NOC. It cost me little more than my time for a couple of hours, the cost for the hardware and the cost to put it at the ISP. When measuring direct TCO for this solution, it's a joke to try to measure it against Windows Server. Microsoft's offerings fall flat on their face. They simply CANNOT measure up to a Linux server focused on offering a simple hardened web server with email and database access (Personally I am a PostgreSQL fan). Now before you freak out and try to pull out all the Microsoft marketing hype on TCO... give it up. Read the whole article before you criticize.
You see, if you have the experience and have normal "Internet services" access needs, a Linux server is a great choice. You know what you are getting. Very little EXTRA is exposed... and you don't have to fear the unknown. You know what you are running, and you know what to secure against. But what if you have more needs? What if you have to grow the business communications? What if you need it to scale to support more business services? Well, then the options for Linux start to thin out.
Let me explain where I am going in the next two years so that point makes sense. I am growing the business and expect to be hiring at a minimum 25 new people. Most of these people will work in a virtual environment, working in the field or from home most of the time. Telephony is managed by using VoIP services through an Internet PBX offered through a company called Packet8 which gives me excellent PSTN access while ensuring clean PBX bridging functionality across the Internet.
Email, shared calendaring, contacts and files will be managed through Outlook Web Access (OWA). Let's be honest, very few offerings in Linux support such good group collaboration and communications as Exchange. Although commercial competitors such as GroupWise and Lotus Notes are nice, the complete integration that Microsoft has done in the browser with OWA 2003 is just amazing. Have you seen this thing? Not only is it pretty... but it's extremely functional... and works just like the Outlook client. And let's not go into the open source group collaboration servers, or webmail clients like SquirrelMail. They are just not ready for real collaborative business interaction and use.
Why not use the Outlook client then over HTTPS? (Yes you can do this if you didn't know) Well, you will be able to. But only on machines I can trust; machines the company has actual authority over and can manage. In many situations though, that won't be available. OWA (and OMA for those of us lucky enough to have an MPx200) will be the only solution for them.
To strengthen the authentication process and create a strong audit policy for these remote users to Active Directory I am going to roll out two factor authentication with one time passwords (OTP). I was originally looking at using RSA SecurID key fobs and the 6100 USB key smartcard, but the costs are quite prohibitive for a small company such as mine. You have to buy at a MINIMUM 25 licenses TO START, and there are ongoing licensing costs and upgrades to tokens needed after a period of time. I found another company offering similar technology, but at a fraction of the cost. Authenex offers an OTP token called A-Key which ALSO supports USB key storage for PKI. The interesting thing is that the OTP is shown ON the USB key, whereas RSA uses a smartcard approach and requires a USB driver be installed to work. RSA's approach won't work when at a location where USB access is prohibited, or not desirable. Which is why I am looking at Authenex.
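To show what "one time" actually buys you over a static password, here is an added example that is not from the original post and is not the proprietary algorithm inside SecurID or A-Key tokens: a counter-based OTP of the same general kind, HOTP as published in RFC 4226, together with the server-side check that makes the password one time. The server only accepts a code that corresponds to a counter at or ahead of the one it expects (within a small look-ahead window, to forgive presses that never reached the server) and then moves past it, so a code that was captured in transit is useless on a second attempt. The secret and the expected codes are the RFC's own published test vectors, not anything from the author's deployment.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
# In a real rollout each token gets its own randomly generated secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 based one-time password (RFC 4226) for a given counter value."""
    # The moving factor is the counter as an 8-byte big-endian integer.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one token: the next counter value it will accept.

    A code is valid only if it matches some counter in [next, next + look_ahead].
    A match moves 'next' past that counter, so the same code is never accepted twice.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # forgives a few button presses that never reached the server

    def verify(self, code: str) -> bool:
        for candidate in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            # Constant-time comparison so timing does not reveal how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.next_counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    displayed = [hotp(TEST_SECRET, c) for c in range(4)]  # what the fob would show on successive presses
    server = OtpVerifier(TEST_SECRET)
    print(displayed[0], server.verify(displayed[0]))  # accepted
    print(displayed[0], server.verify(displayed[0]))  # replay of the same code is rejected
    print(displayed[3], server.verify(displayed[3]))  # skipped presses inside the window still work
    print(displayed[2], server.verify(displayed[2]))  # an older code is now behind the counter: rejected
```

The look-ahead window is the usual trade-off: a larger window tolerates more drift between the token and the server, but also gives an attacker who has one captured code a few more counter values to guess before that code goes stale. Tokens that get too far ahead are resynchronized out of band rather than by widening the window.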
A note to the security vendors out there. Small businesses are not second class citizens! We have security needs just like the big boys. Why is it so hard to believe a small business of 5 or 10 people wouldn't want to implement strong security solutions? Think about that next time you do market research. You are missing a HUGE target demographic and I bet if you looked... you have some easy wins that could increase your sales pipeline.
So anyways, I have been taking a bit of a tangent explaining what is going to happen and giving you a background on some of my needs. Now let me explain why I blogged about looking for a SBS MVP. Quite frankly I think Microsoft is doing a big disservice to its customers in not talking about SBS, and I wanted to poke around to see who was in the field. For small companies like my own, Microsoft has a very compelling offering which actually DOES show a sane TCO argument. It's in a little-known product called Small Business Server 2003, more commonly known as SBS2003 (or sometimes just SBS).
SBS2003 is an inexpensive server solution which is really just Windows Server 2003 installed with Exchange 2003, SharePoint, ISA 2000 and SQL Server. It is slightly more restricted than Windows Server 2003 in that all the components must be loaded on a single domain controller. Although you can have secondary file and print servers... everything else must reside on a single box. From a security perspective this isn't really desirable (See my post on the 8 Rules of Information Security to understand why; the Rule of Separation is really important here.), as you really should separate services, but it's a reasonable limitation for most small businesses. After all, most small businesses don't have a plethora of server hardware to support separation anyways.
Another limitation is that you can only have one domain. The domain is based on Active Directory, but it cannot form trust relationships, which kinda sucks for more complex deployments. Again, not a serious limitation for most small businesses. The final limitation that I know of is that there is a client limit. You can only buy 75 CALs (Client Access Licenses) for the server. At this point, you will probably be moving to a larger server anyways, so again... this isn't a real big limitation for most small businesses.
Depending on where you get it, this entire bundled solution costs about 1/5th the cost of a similar deployment done by putting pieces together of various Microsoft technologies, thanks to its tight integration with all the components. The cost savings are enormous, and match in many respects the same costs of a Red Hat Advanced Server offering similar services. But that tight integration is also its weakness (in my opinion), which is why I was calling out to SBS experts.
I have real concern with not knowing how everything is interacting on this box. If you recall, earlier in this post I explained how that was a strong point in Linux. I don't have that same confidence in SBS. As I am not an expert in SharePoint or IIS configuration, I get chills when reading documentation about how you can surf to shared resources in this manner with a browser. I begin to fret when I see administrative tools accessible via little known URLs (which attackers know)... especially when I thought I turned them off. This is where experience comes into play, which is why I am seeking out a local expert in the lower mainland of BC.
All I want to do is expose two ports.... SMTP (port 25) and HTTPS (port 443) to the world. The first for mail coming in and going out and the second for OWA access. I don't want ANYONE to be able to go to ANY URL without first authenticating to Active Directory... and quite frankly... I don't know how to configure that. And that's why I am seeking out the expertise.
I had some interesting and helpful feedback from Susan Bradley who introduced me to a few MVPs and gave me some recommendations. It looks like I might not need an MVP after all, but just a really qualified MCSE or something. Of course, with the ratio of idiots to experts in the MCSE field, it's really hard to determine which camp they fall into. I guess some further research may assist me in making that determination.
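Whether the goal of "only 25 and 443 facing the world" has actually been met is something you can check rather than assume. The script below is an example added here, not code from the original post or from Microsoft: it reads netstat -an style output (a constructed sample is embedded, in the Windows column layout, and the Linux layout is tolerated as well) and lists every listener bound to a non-loopback address whose port is not on the allow list. Anything it reports is either a service that should not be running on a box with this role, or one that the perimeter filter (ISA here) has to be proven to block. The firewall rules decide what is reachable from outside, so treat this as the host-side inventory that the firewall must then reduce to two ports, not as proof of exposure on its own.

```python
from typing import List, Set, Tuple

# Constructed sample in `netstat -an` (Windows) format; not captured from a real SBS box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:445        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:443        203.0.113.7:51234      ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    127.0.0.1:1900         *:*
"""

ALLOWED_PORTS: Set[int] = {25, 443}  # SMTP in/out and HTTPS for OWA, per the plan above

Listener = Tuple[str, str, int]  # (protocol, bound address, port)


def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Extract (proto, address, port) for every socket that is accepting traffic."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0][:3].upper() not in ("TCP", "UDP"):
            continue  # headers, blank lines, "Active Connections" banner
        proto = parts[0][:3].upper()  # also folds "tcp6"/"udp6" from Linux output
        # Local address is the first token carrying a port (column 1 on Windows, 3 on Linux).
        local = next((p for p in parts[1:] if ":" in p), None)
        if local is None:
            continue
        # An established TCP connection is not a listener; UDP sockets always receive.
        if proto == "TCP" and "LISTEN" not in parts[-1].upper():
            continue
        addr, port = local.rsplit(":", 1)  # rsplit keeps "[::]" style IPv6 addresses intact
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_listeners(netstat_text: str, allowed: Set[int] = ALLOWED_PORTS) -> List[Listener]:
    """Listeners bound to a non-loopback address whose port is not on the allow list."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(netstat_text)
        if not _is_loopback(addr) and port not in allowed
    )


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is listening but is not on the allow list")
```

On the sample this flags RDP, SMB and SNMP, which is exactly the kind of list you want to walk through with whoever configures the ISA rules: each entry is either blocked at the perimeter, bound to the internal interface only, or turned off. Run it against the real box after every service pack or role change, since those are the moments new listeners tend to appear.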
So there you have it. I don't have really complex needs... but they are not exactly normal either. I am confident that SBS can be locked down... just as I am confident that I can find default Linux installs that are not. No operating system is a panacea, but I do believe Microsoft's SBS offering makes sense, is cost effective and is quite manageable. I know I am just being paranoid, but I would rather be that than be 0wned. So thanks to those who have sent me feedback and hooked me up with others. And thanks to those who have criticized me and challenged me to explain myself. Writing this has made me realize I am maturing in my understanding and management of risk, and breaking the shackles of ignorance as it comes to operating system zealotry. (Ask around... I used to be pretty bad).
Posted by SilverStr at August 19, 2004 02:50 PM