Is SBS 2003 secure or not?

So I had a few people email me who attended SMB Nation who wanted to know if SBS 2003 was secure or not. They are worried that the fact that my hardening kit found so many items to recommend changes for, that maybe SBS isn't as secure as it should be.

I think I should debunk that kind of worry here and now.

Absolute security is a myth. With enough time and money an adversary can find a way to access a system. ANY system. ANY operating system. You should read the 10 Immutable Laws of Security to get an idea of just some of the ways an adversary can gain access.

But here is the reality. Any operating system can be made secure. Just as any operating system can be made INSECURE. It's all about how it's configured. Commercial operating system vendors have to weigh security defaults against usage of the system for the masses... the customers purchasing their OS. Traditionally (aka the past) that has been shown to be riddled with insecure practices in an effort to make the system work easier for the user, sacrificing security.

But SBS is different. Wait. That's not right. SBS gets the BENEFIT of being different because Microsoft changed their thinking on this for all their current operating systems. Windows Server 2003 (the core under SBS) was radically redesigned using Microsoft's secure programming SD3 principles. If you don't know what those are, it boils down to:

• Secure by Design
  
• Secure by Default
  
• Secure in Deployment
  

SBS 2003 is much more secure than it previous versions. The attack surface of the system is considerably lessened with the approach Microsoft took in turning off services that are not needed. Most code has now went through special security dev tools like prefast, App Verifier and FxCop that help find problem areas in drivers and applications. Huge code audits occured before it's release, and we can see that impact on the rather small amount of bulletins that have been released on the platform, compared to its predecessors. The default settings are acceptable against the TYPICAL configuration of an SBS network, as determined by Microsoft. You CAN make parts of it more secure. But it is a rather secure platform to begin with.

My reason for hardening SBS 2003 isn't because I think the core OS is insecure. I am actually impressed with the Srv03 OS core and don't worry that much about it. The reason I harden SBS 2003 is because I am uncomfortable in having my web server, database server, mail server and DC on a single system... and want to do EVERYTHING I can to tighten the reigns on the system. Especially when you are exposing those application services on the network. Many hardening suggestions are security best practices. Some people may or may not agree with those settings. But that's the reason for individual hardening. It brings risks down to acceptable levels for ME. You may or may not associate the same risks as I do. That is your judgement call.

So is SBS 2003 secure? Sure is... for most people. But not enough for me. I regularly have script kiddies bombarding my servers. They rather enjoy it. After all, trying to crack my servers seems to make them feel 'leet. (God I wish they would go away). Only you can decide what is acceptable risk to you. I can't make that call for you. If you have the same concerns with having so many services on a single machine, download all the hardening guides I recommended at SMB Nation (the PPT with all the links are on your USB key) and spend a couple of days reading all the docs. (Its around 600 pages) It will explain how to harden those pieces, and you can decide what you want to secure further.

Good luck!