August 19, 2004

Dana using SBS2003? No I am NOT nuts

Ok, so I never expected this. A little itty bitty blog entry that would cause such a stir that I received over 25 private emails from people.... ranging from honest-to-goodness help and suggestions to quasi-death threats for being so stupid. Why don't you guys ever comment on my blog???

Rather than respond to each email individually, I thought I would just break down and explain my thought process on why I am considering SBS2003.

As a computer security professional who LOVES Unix environments... you would think I would stay away from ever having a Microsoft product on an Internet facing server. You wouldn't be far off from that assumption, as Microsoft's history in this area hasn't been the greatest. Quite frankly I refuse to look at any version of Microsoft's operating system older than Windows Server 2003. However, I think that only the foolhardy would back themselves into a corner and take the stance of an OS zealot. We saw this years ago when "Team OS/2" was preaching that you need to be "Warped". Not a pretty sight. Then we saw it with Linux. Hey... I got sucked into that one.... as I truly believe in many of the benefits of the operating system. I was one of the original geeks at LinuxWorld, preaching the powers of Linux before it was kewl to do so.

Yet for me, over the years I have come to realize it is all about selecting the right tool for the right job. Absolute security is a myth. What needs to be done is to find the right tools with the right safeguards to help defend against the digital divide. In other words, it's about putting enough security in to defend against the risks we are actually exposed to out there. Not ALL the security in the world. "Just enough security" to do the job. Am I going to prevent covert black bag ops issued by foreign governments from circumventing my safeguards? Probably not... the ISP that hosts my servers will typically fold like a cheap suit under pressure. But by understanding the threats to which I am exposed while ensuring I have control over the assets I wish to protect, coupled with smart decisions on how to mitigate these threats in a practical manner, I can gain the assurance that I need in using a Windows platform of today.

You see, any operating system can be made safe. It is just that practically every commercial operating system shipped today isn't delivered that way in its initial state. And I include many Linux distributions in there as well... not just Windows. Just as an OS can be made safe... it is just as easy to make it susceptible to attack.

Past these views, the decision is then weighed against fiscal responsibility. After all, I am an owner of a really small ISV where cash is king... and spending thousands upon thousands of dollars for licensing doesn't make a whole lot of sense when you don't need to. And that is the point of view I would like to use as I talk about my decision to look at Small Business Server 2003. It might make sense if I give some background information to help you see how I came to my decision.

The Growth of a Small ISV

In the past two years I have been building a small ISV that is focused on building host-based intrusion prevention software for the Microsoft Windows platform. Focused on the small to medium business demographic who use Microsoft Windows servers, I found myself immersed in the platform. For good, bad or indifferent I have come to realize that Windows Server 2003 isn't all that bad. It has a ways to go yet... but the kernel itself is getting pretty good.

Self funding the company, the last thing I wanted to do was to shell out tens of thousands of dollars for all the licenses I would need to run a Microsoft shop. Being a fan of Linux with years of experience under my belt, it took me less than an hour to get a Debian server up and running with SSH, email, secure web, database and all the fixings. An hour after that, I had the firewall in place, a good IDS net and remote logging and monitoring facilities that would rival an ISP NOC. It cost me little more than my time for a couple of hours, the cost of the hardware and the cost to colocate it at the ISP. When measuring direct TCO for this solution, it's a joke to try to measure it against Windows Server. Microsoft's offerings fall flat on their face. They simply CANNOT measure up to a Linux server focused on offering a simple hardened web server with email and database access (personally I am a PostgreSQL fan). Now before you freak out and try to pull out all the Microsoft marketing hype on TCO... give it up. Read the whole article before you criticize.

You see, if you have the experience and have normal "Internet services" access needs, a Linux server is a great choice. You know what you are getting. Very little EXTRA is exposed... and you don't have to fear the unknown. You know what you are running, and you know what to secure against. But what if you have more needs? What if you have to grow the business communications? What if you need it to scale to support more business services? Well, then the options for Linux start to thin out.

Let me explain where I am going in the next two years so that point can make sense. I am growing the business and expect to be hiring at a minimum 25 new people. Most of these people will work in a virtual environment, working in the field or from home most of the time. Telephony is managed by using VoIP services through an Internet PBX offered through a company called Packet8 which gives me excellent PSTN access while ensuring clean PBX bridging functionality across the Internet.

Email, shared calendaring, contacts and files will be managed through Outlook Web Access (OWA). Let's be honest, very few offerings in Linux support group collaboration and communications as well as Exchange does. Although commercial competitors such as GroupWise and Lotus Notes are nice, the complete integration that Microsoft has done in the browser with OWA 2003 is just amazing. Have you seen this thing? Not only is it pretty... but it's extremely functional... and works just like the Outlook client. And let's not go into the open source group collaboration servers, or webmail clients like SquirrelMail. They are just not ready for real collaborative business interaction and use.

Why not use the Outlook client then over HTTPS? (Yes you can do this if you didn't know) Well, you will be able to. But only on machines I can trust; machines the company has actual authority over and can manage. In many situations though, that won't be available. OWA (and OMA for those of us lucky enough to have an MPx200) will be the only solution for them.

To strengthen the authentication process and create a strong audit policy for these remote users to Active Directory I am going to roll out two factor authentication with one time passwords (OTP). I was originally looking at using RSA SecurID keyfobs and the USB 6100 USB key smartcard, but the costs are quite prohibitive for a small company such as mine. You have to buy at a MINIMUM 25 licenses TO START, and there are ongoing licensing costs and upgrades to tokens needed after a period of time. I found another company offering similar technology, but at a fraction of the cost. Authenex offers an OTP token called A-Key which ALSO supports USB key storage for PKI. The interesting thing is that the OTP is shown ON the USB key, whereas RSA uses a smartcard approach and requires a USB driver to be installed to work. RSA's approach won't work at a location where USB access is prohibited, or not desirable. Which is why I am looking at Authenex.

A note to the security vendors out there. Small businesses are not second class citizens! We have security needs just like the big boys. Why is it so hard to believe a small business of 5 or 10 people would want to implement strong security solutions? Think about that next time you do market research. You are missing a HUGE target demographic and I bet if you looked... you have some easy wins that could increase your sales pipeline.

So anyways, I have been taking a bit of a tangent explaining what is going to happen and giving you a background on some of my needs. Now let me explain why I blogged about looking for an SBS MVP. Quite frankly I think Microsoft is doing a big disservice to its customers in not talking about SBS, and I wanted to poke around to see who was in the field. For small companies like my own, Microsoft has a very compelling offering which actually DOES show a sane TCO argument. It's in a little-known product called Small Business Server 2003, more commonly known as SBS2003 (or sometimes just SBS).

SBS2003 is an inexpensive server solution which is really just Windows Server 2003 installed with Exchange 2003, SharePoint, ISA 2000 and SQL Server. It is slightly more restricted than Windows Server 2003 in that all the components must be loaded on a single domain controller. Although you can have secondary file and print servers... everything else must reside on a single box. From a security perspective this isn't really desirable (see my post on the 8 Rules of Information Security to understand why; the Rule of Separation is really important here), as you really should separate services, but it's a reasonable limitation for most small businesses. After all, most small businesses don't have a plethora of server hardware to support separation anyways.

Another limitation includes the fact you can only have one domain. The domain is based on Active Directory, but it cannot form trust relationships, which kinda sucks for more complex deployments. Again, not a serious limitation for most small businesses. The final limitation that I know of is that there is a client limit. You can only buy 75 CALs (Client Access Licenses) for the server. At this point, you will probably be moving to a larger server anyways, so again... this isn't a real big limitation for most small businesses.

Depending where you get it, this entire bundled solution costs about 1/5th the cost of a similar deployment done by putting pieces together of various Microsoft technologies due to its tight integration with all the components. The cost savings are enormous, and match in many respects to the same costs of a Red Hat Advanced Server offering similar services. But that tight integration is also its weakness (in my opinion), which is why I was calling out to SBS experts.

I have real concern with not knowing how everything is interacting on this box. If you recall, earlier in this post I explained how that was a strong point of Linux. I don't have that same confidence in SBS. As I am not an expert in SharePoint or IIS configuration, I get chills when reading documentation about how you can surf to shared resources in this manner with a browser. I begin to fret when I see administrative tools accessible via little known URLs (which attackers know)... especially when I thought I turned them off. This is where experience comes into play, which is why I am seeking out a local expert in the lower mainland of BC.

All I want to do is expose two ports.... SMTP (port 25) and HTTPS (port 443) to the world. The first for mail coming in and going out and the second for OWA access. I don't want ANYONE to be able to go to ANY URL without first authenticating to Active Directory... and quite frankly... I don't know how to configure that. And that's why I am seeking out the expertise.

I had some interesting and helpful feedback from Susan Bradley who introduced me to a few MVPs and gave me some recommendations. It looks like I might not need an MVP after all, but just a really qualified MCSE or something. Of course, with the ratio of idiots to experts in the MCSE field, it's really hard to determine which camp they lie in. I guess some further research may assist me in making that determination.

So there you have it. I don't have really complex needs... but they are not exactly normal either. I am confident that SBS can be locked down... just as I am confident that I can find default Linux installs that are not. No operating system is a panacea, but I do believe Microsoft's SBS offering makes sense, is cost effective and is quite manageable. I know I am just being paranoid, but I would rather be that than be 0wned. So thanks to those who have sent me feedback and hooked me up with others. And thanks to those who have criticized me and challenged me to explain myself. Writing this has made me realize I am maturing in my understanding and management of risk, and breaking the shackles of ignorance when it comes to operating system zealotry. (Ask around... I used to be pretty bad).

Posted by SilverStr at August 19, 2004 02:50 PM

Comments

Don't look for an MCSE. Look for someone who is an SBSer. Now that "may" be an MCSE but an MCSE who is an SBSer will put ISA on there [sorry but I'm a fan]

And I tell ya ....my security issues these days are my desktop NOT my server.

More info on SBS can be found at http://www.smallbizserver.net including a white paper on ISA for dummies.

Don't criticize the platform until you've tried it. We're actually getting complaints that it's TOO locked down as some of the services are shut off and the consultant has to re-enable them.

Posted by: Susan at August 19, 2004 05:44 PM

And I realize Dana wasn't criticizing it, but his "death threats" emailers were. ;-)

Seriously, I've got a 100% AD network with www.shavlik.com 's hfnetchkPro. Do your big server networks have that?

Posted by: Susan at August 19, 2004 05:46 PM

Plus there are plenty of us Exchange geeks blogging to help with any security issues specific to OWA, OMA, etc. :-)

Posted by: KC Lemson at August 19, 2004 07:54 PM

SBS is severely ideal for a small business. In fact Microsoft with Windows Server 2003 and SBS2003 are starting to cater to the more small to medium sized businesses. There's more command-line driven stuff which a lot of us Linux freaks are familiar with.

SBS totally makes sense in your shoes. It makes sense in ours but we couldn't get a good discount on it like we could with the full Server product. Also I think SalesLogix wouldn't work fully with it so I had to scrap trying to get SBS2003 for our next server. Pretty soon we'll be able to afford 2 servers and I can share some of the load. SBS makes complete sense to us where this one server is extremely loaded but manages to stay afloat. I have a linux firewall that shares a small burden by running the FTP services but I do that because it's directly connected to the internet. Trying to port forward PASV FTP connections would have been a huge pain and a complete waste of my time. Besides proftpd runs a lot better than IIS does IMHO (where FTP is concerned).

If I was running Windows Server 2003 I could help you. The funny thing is SBS and the full product aren't all that much different. The only real differences are you can do a lot less on the SBS product but the functionality is the same. So if I could do what you needed on Server 2003, you could perform the SAME EXACT STEPS and duplicate it on SBS. There are some differences but they're barely noticeable.

Posted by: Jeremy Brayton at August 20, 2004 12:28 PM

Hi Dana,

I spent a reasonable amount of time and effort investigating and building a Linux-based SBS 2000 replacement box, because - in my opinion - SBS 2000 was a waste of time and money. SBS 4.5 was really nice, but SBS 2000 was Microsoft just going through the motions, and charging us for the experience.

Then I saw SBS 2003 - and I immediately dropped my work on the Linux replacement - as you said, OWA is awesome, and the integration of the SBS package itself, especially when teamed up with Windows XP Pro and Office 2003 on the desktop (after all, Windows 2000 Pro and Windows XP Pro are the most common desktop OSes in businesses), is next to seamless.

Microsoft has a fair way to go with regards to Licensing issues - they are still too confusing and too unenforceable (by their own software), but this is something there has been ongoing argument over in a number of places, and is unlikely to be resolved anytime in the foreseeable future. Well, an easy almost full solution would be for Microsoft to have a Licensing Server in their Server OS that actually works and doesn't rely on the Administrator writing stuff on various pieces of paper and hoping that when the Admin changes, the paperwork is all kept in a nice, safe and easily recoverable place.

Also, I still prefer a multifaceted security approach, therefore am unwilling to use ISA on SBS as the only security from the outside world. I always have a stand alone firewall (generally running a secured *BSD or Linux OS), and now that SBS is available in Standard and Premium (Standard + SQL Server + ISA Server) I generally install Standard as that is all the client needs. And the cost savings are significant over the inflated SBS 2000 pricing (only one product - equivalent to SBS 2003 Premium).

Microsoft has come ahead in leaps and bounds when it comes to security in SBS 2003, Windows Server 2003 and this generation of products. Windows XP SP2 is helping a lot here - even though it still has a number of vulnerabilities yet to be exploited. As Susan mentioned, desktop security is a more problematic area than Server security these days - just look at where the majority of attacks come from - "social engineering" worms and trojans. User education is critical for a secure system - always was, but it is becoming more critical every day.

We have Outlook over HTTPS for controlled users, as well as OWA in place for a number of clients. They are all happy with the functionality, and a few even use OWA locally instead of Outlook proper. Personally, I have Outlook on my desktop, and Outlook over HTTPS on my laptop, so that wherever I go, I have a full copy of my email with me in a full email client.

As with every OS and application, there is still some way to go, but Microsoft has done an admirable job with SBS2003 in particular. It is easy(ish) to install, easy to configure, easy to secure, easy to use, and provides a nice experience for the network users. There are a number of things that can be done to further secure it from default, but by default it is pretty tight.

Posted by: Hilton Travis at August 20, 2004 04:42 PM

It might be by design, but there are so many goodies packed into the SBS bundle that it is hard to resist! Sure we can go browse www.sourceforge.net and find a million things for free, but MS is so good at "making it easy" that I just can't complain too much. Security, ok security is a little harder, you have to think, setup and configure, but we wouldn't want to lose all motivation to keep a few brain cells alive!

Posted by: Anne Stanton at August 20, 2004 05:05 PM

"you can do a lot less on the SBS product"...

uh.. you can do more ;-) We have Exchange, Sharepoint, ISA server and SQL.

http://www.sbslinks.com/Us_v_them.htm

Seriously, my security issues these days are my desktops with Malware, not my server.

And everyone does realize that even the Standard version of SBS comes with a firewall. The premium version contains ISA Server. But you "can" set it up with an external firewall if you like. And before someone says "oh but hardware firewalls are so much more secure", let me point you to the list of vulnerabilities for hardware firewalls on the Secunia web site.

Posted by: Susan at August 20, 2004 05:05 PM

Ummm...

A Hardware firewall is a SOFTWARE firewall with its own box.

It's all ONES and ZEROS, my friends!

Posted by: Gavin at August 20, 2004 06:01 PM

SBS is going to be a great match for your needs. We started with SBS 4.0, went to 4.5, went to SBS 2000 and finally broke out to separate servers as we have grown.

SBS is a fantastic value and served our needs very well and economically. With ISA installed it is a very secure product right out of the box. I imagine it is even more so with 2003 and IIS6's emphasis on security (as compared to NT4 and IIS5).

The only "problem" we really ever had with SBS was the inherent problem of running everything on 1 box. We ran ISA, Exchange, SQL and file/print. So if Exchange had a problem and needed to be rebooted (as was often the case on NT) you suddenly had 25 people who couldn't do any work. It made finding maintenance windows difficult.

Aside from that it was a great product and served our needs well. I think it will do the same in your case.

Posted by: Peter at August 21, 2004 03:28 PM

Dana,

As an FYI from a member of the IT Community, with one foot in each camp (Linux & MS), I would suggest you look into a little used application that is a part of Samba, known as WinBindd. It permits or aids Samba to authenticate against the AD server. Once that is configured, other services such as VPN (IPSec) can use Samba to authenticate against the AD. It IS complicated, and means more moving parts, but it also helps to limit the number of places you have to watch for users and user password related hacks and attacks. If you would like more information, please let me know.

Daniel Curry
http://www.pcpn.net
dcurry@pcpn.net

Posted by: Daniel Curry at August 22, 2004 10:30 AM

I use SBS2003, win2K3, Linux, FreeBSD, etc etc.

A good alternative to SBS2003 would be ClarkConnect (www.clarkconnect.com), if you want to stay with Linux.

This has everything built in and many consider it a SBS2003 killer, especially if connected with the excellent Gateway Services that make VPN set up easy as pie.

Remember, viruses, and worms are still rare in the 'NIX world.

But seriously, I think integration is the way forward, and I have successfully integrated Linux and SBS2003 to get the best of both worlds.

Good luck.

Ola Bamgboye
IT Architect
OS INTEGRATION Limited

Posted by: Oladele Bamgboye at September 26, 2004 05:48 AM

Oladele,

One of the reasons it's rare on Linux is the fact there are few business services used by the masses to attack! Don't kid yourself in believing that malicious code cannot be written for Linux.... it's far from that.

Comparing ClarkConnect to SBS2003 is like comparing apples to oranges. Where is the shared calendaring? Shared contacts? Collaborative web sharing? These are just to name a few key areas that businesses typically need.

I don't consider any Linux a SBS killer, since no Linux HAS the BUSINESS features needed.

I have Linux boxes here. BSD boxes and Windows boxes. It's about using the right tool for the right job. And for office collaboration for employees... ClarkConnect is DEFINITELY not it.

Posted by: SilverStr at September 26, 2004 08:10 AM