Thursday, 19 April 2007

SBS Premium and desktop security - BotNets, PWNED, & OWNED

Support Intelligence analyzes various aspects of "eCrime including DDoS, Scanning, hosting Malware, sending Spam, etc."

They publish a list, called the Digest of Abuse Report, of the top 100 networks and the volume of incidents on them. One can subscribe to receive updates to the list.

The DOA report for Week 13, 2007.

An article, also written by SI, on Owned hosts of Banc of America Securities.

The above article is, in my mind, one really good reason to be selling the Premium version of SBS over the Standard version. Why? Because of the added network traffic security that comes with Internet Security and Acceleration Server (ISA) 2000 or 2004, depending on which version of SBS Premium one is supporting.

With ISA in place, one can closely monitor all network traffic being routed through the SBS server, whether it is destined for an internal host or for a host out on the Internet. The traffic is logged and reported on by protocol type (HTTP, SMTP and everything else), so something out of the ordinary, such as a workstation sending mail directly to the Internet instead of through Exchange, stands out.

With ISA, one can also act: lock down certain types or sources of network traffic to mitigate a known threat, or cut a compromised system off from the Internet entirely until it has been cleaned up.
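What "watching the reports" looks like in practice is a small set of rules run over the firewall log each morning. The following is an added example, not code from the original post, from MPECS, or from ISA Server itself. It runs over constructed log lines in a simplified, space-separated layout (date, time, client IP, destination IP, destination port, protocol, action) that only loosely resembles ISA's W3C firewall log; the LAN range 192.168.16.0/24, the SBS/Exchange address 192.168.16.2, the watched-port list and the thresholds are all assumptions for illustration. The rules encode the SBS-specific fact that only the Exchange server should ever talk SMTP to the outside world, so any workstation doing so is a spam-bot indicator regardless of whether ISA allowed or denied the connection.

```python
"""Daily egress check for an SBS/ISA network: which LAN hosts look owned?

Added example, not code from the original post or from ISA Server. The log
layout, addresses, watched ports and thresholds below are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.16.0/24")  # assumed LAN behind ISA
MAIL_SERVER = ip_address("192.168.16.2")      # assumed SBS box running Exchange
SMTP_PORT = 25
WEB_PORTS = {80, 443}                         # fan-out here is just browsing
WATCH_PORTS = {6667: "IRC"}                   # classic 2007-era bot C2 channel

# Constructed sample log (not real traffic): date time client dest port proto action
SAMPLE_LOG = """\
2007-04-19 08:01:12 192.168.16.2 203.0.113.10 25 TCP Allowed
2007-04-19 08:01:15 192.168.16.2 198.51.100.7 25 TCP Allowed
2007-04-19 08:02:01 192.168.16.41 203.0.113.80 80 TCP Allowed
2007-04-19 08:02:03 192.168.16.41 203.0.113.80 443 TCP Allowed
2007-04-19 08:03:10 192.168.16.57 203.0.113.11 25 TCP Allowed
2007-04-19 08:03:11 192.168.16.57 198.51.100.22 25 TCP Allowed
2007-04-19 08:03:12 192.168.16.57 198.51.100.23 25 TCP Denied
2007-04-19 08:03:13 192.168.16.57 203.0.113.44 25 TCP Allowed
2007-04-19 08:03:14 192.168.16.57 198.51.100.91 25 TCP Allowed
2007-04-19 08:03:15 192.168.16.57 198.51.100.92 25 TCP Allowed
2007-04-19 08:04:00 192.168.16.99 198.51.100.5 6667 TCP Allowed
2007-04-19 08:04:01 192.168.16.99 198.51.100.5 6667 TCP Allowed
"""


def parse_log(text):
    """Parse lines into (client, dest, port, proto, action); skip junk lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0].startswith("#"):
            continue  # header, blank or malformed line: skip, do not abort the run
        _date, _time, client, dest, port, proto, action = parts
        records.append((ip_address(client), ip_address(dest), int(port), proto, action))
    return records


def find_suspects(records, fanout_limit=4):
    """Return {client_ip_str: [reasons]} for LAN hosts with bot-like egress.

    Rules (thresholds are assumptions; tune per site):
      1. Any direct outbound SMTP from a host other than the mail server:
         on an SBS network only Exchange should talk to port 25 outside.
         Denied attempts count too; ISA stopped them, but the machine
         still tried, and the attempt is the indicator.
      2. More than fanout_limit distinct external hosts on one non-web port
         (spam runs and scanners fan out; a browser does so only on 80/443).
      3. Any connection on a watched port such as IRC 6667.
    """
    smtp_attempts = defaultdict(int)
    dests_by_port = defaultdict(set)
    watch_hits = defaultdict(set)

    for client, dest, port, _proto, _action in records:
        if client not in INTERNAL_NET or dest in INTERNAL_NET:
            continue  # only LAN -> Internet egress is of interest here
        mail_server_smtp = port == SMTP_PORT and client == MAIL_SERVER
        if port == SMTP_PORT and not mail_server_smtp:
            smtp_attempts[client] += 1
        if port not in WEB_PORTS and not mail_server_smtp:
            dests_by_port[(client, port)].add(dest)
        if port in WATCH_PORTS:
            watch_hits[client].add(port)

    suspects = defaultdict(list)
    for client, n in smtp_attempts.items():
        suspects[client].append(f"direct outbound SMTP from a workstation ({n} attempts)")
    for (client, port), dests in dests_by_port.items():
        if len(dests) > fanout_limit:
            suspects[client].append(f"{len(dests)} distinct external hosts on port {port}")
    for client, ports in watch_hits.items():
        for port in sorted(ports):
            suspects[client].append(f"traffic on watched port {port} ({WATCH_PORTS[port]})")
    return {str(ip): reasons for ip, reasons in sorted(suspects.items())}


def format_report(suspects):
    """Render the findings as the few lines a morning report e-mail needs."""
    if not suspects:
        return "No bot-like egress seen."
    lines = []
    for host, reasons in suspects.items():
        lines.append(f"{host}:")
        lines.extend(f"  - {r}" for r in reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_suspects(parse_log(SAMPLE_LOG))))
```

Run against the sample, the mail server's own SMTP traffic is left alone, the browsing workstation is quiet, the host hammering port 25 at six different mail servers is flagged twice (direct SMTP and fan-out), and the host holding an IRC session is flagged on the watched port. Those are exactly the hosts one would phone the client about, and the ones whose access rule in ISA gets pulled until they are cleaned.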

However, this takes some configuration on ISA and some monitoring on our part. It also takes time to learn the intricacies of configuring and tuning ISA.

Some questions that we need to ask when completing an SBS Premium install:
  • Have we set up the ISA reports to run daily?
  • Are those reports e-mailed to us, and to a client contact if need be?
    • In many cases we are our client's only hope of mitigating a network compromise.
  • Do we pay attention to those daily reports?
  • Have we configured the Server Performance Report to be e-mailed to us?
  • Do we look at them every morning?
One of the best ways to get to know the health and hiccups experienced on SBS based networks is to watch those reports every day. It is a good way to get to know the "personality" of each SBS server we support.

The threat of a client's network being compromised is real. The best that we can do for them is to provide a multi-tiered solution incorporating user Internet-use training (yes ... this is #1), layered system and software protection, and knowledge on our part of the current threats. Of course, all of this while keeping in mind that a lot of our small business clients have limited I.T. budgets! :D

There is another business aspect to the configuration and monitoring of our SBS networks: A value added service for our clients.

I personally spend the first hour or two of my day going through the reports looking for issues or indicators for potential issues.

We offer this report monitoring as a "free" service, or value add, as part of the support we provide to our SBS clients. They know that we are monitoring the health and well-being of their SBS network because we let them know it, and that the service is free. To us, it is the cost of doing business.

One of the neat aspects of providing this service, is the proactive phone call: "Hi, this is Philip from MPECS, we see that there is a need for __ in the Server reports, could we schedule a time to address this please?" Or, something along those lines.

This instills in our clients confidence and trust in our service. It is one of the ways to demonstrate that we care enough to be watching out for the well-being of their business.

An excellent source of ISA information and tutorials can be found at

Via: Threat Level (27B Stroke 6), then TaoSecurity.

A definition of ASN at Autonomous System Number.

Trendmicro: Network Reputation - Estimated Spam Volume by ISP. (Secure Site).

Emergent Chaos' take on Support Intelligence: Month of Owned Corporations.

Keep in mind that ISA, layered security measures, and monitoring are only some of the aspects of network and data security. This is by no means a comprehensive list!

Philip Elder
Microsoft Small Business Specialists
