Wednesday 29 August 2007

SBS - SBS Security and a Linux comparison

In all of our conversations with Linux gurus (or guru wannabes), we can ask a simple question (keeping in mind that 98.5% of what we deploy is SBS Premium): bring your best tools, and we will sit down together and watch them try to work their way into our SBS Premium box with ISA set up and configured properly. With ISA SP3 in place, what we will see is a sea of red, that is, denies!

ISA is more than a software firewall! Check out for more info. It is one of the best ways to manage data coming in or leaving the SBS network ... period. This is one of the main reasons why we pretty much only deploy Premium Edition of SBS. For a few extra dollars, the client gets an enterprise level of protection and user/software access management.

We have clients with Internet-facing SBS Premium servers hosting email and providing HTTP filtering for Server 2003 Web Edition farms that have been running trouble-free for years now. We have yet to see a successful attack.

For SBS Standard, it is not much different, since the built-in firewall service is configured by the CEICW to open only the requisite ports for SMTP and Remote Web Workplace access. The built-in firewall cannot be tuned as finely as ISA, but it provides an extra layer of protection on top of the firewall/router/gateway that should already be protecting that SBS Standard box.

Always use the native Remote Web Workplace connectivity to manage your SBS boxes. This further reduces the server's exposure: management access is protected by SSL without the risk of opening port 3389 for Terminal Services.

The problem, as far as Linux is concerned, is having so many services running on one box, because that is how a Linux server is put together. Each SBS-like component, email such as Sendmail or qmail, Squid for firewall and proxy, Apache for web-based services, SSH for remote management and connectivity, MySQL for databases, PHP for scripting and environments, Samba for sharing data files and folders across the internal network, and more, all present an attack vector for someone to try and crack their way into the system.

Patch management alone on this kind of Linux setup would be a huge undertaking. Each server application presents a different Web site or newsgroup that one would have to monitor for updates! Never mind the conflicts that could arise with all of these services installed on one box.

Small Business Server is not like that. Microsoft, in the guise of the SBS team, took a lot of time to make sure that each component of SBS plays nicely with the others. They took the time to make sure there would be a reduced attack vector by presenting what is essentially one secure and united front for access to the server: Remote Web Workplace. This front has a few facets, in that VPN and Outlook Web Access can also be dialed in for access to data and email respectively. But we are still presented with one way in: through an SSL-secured portal that requires us to authenticate BEFORE we get any further.

That is what a Linux person will not understand without being sat down in front of the server's console and shown, point by point, how things operate on an SBS box. Then we would let them watch the live traffic monitoring feature in ISA to gain an understanding of just how tightly things run on SBS.

That, in a nutshell and this late at night, is an off-the-top-of-the-head rundown of what we say to the Linux people we come across who protest the SBS configuration.

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


stryqx said...

I agree - I like the application-level firewalling that ISA Server 2004 does. It does a great job of blocking nefarious access to the poorly designed Web apps that invariably have to be presented across the Web.

The point you make about Linux isn't necessarily valid. A good distribution has patch management for a wide variety of packages. My FreeBSD boxes are as easy to keep patched as my Windows boxes, but that's because I've got a good understanding of FreeBSD and the packages I run on it, plus I use some good tools and sites (either provided by FreeBSD or part of the FreeBSD community) to keep the maintenance time down.

You can open up RDP access, but it's best to use TLS authentication.

Authenticated access and single sign-on (SSO) aren't all that they're cracked up to be. For example, if you've got Integrated Windows Authentication turned on in your SMTP configuration and you're presenting this to the outside world, then a dictionary attack can be performed on the SMTP service, which will then help you gain access to any other Windows-authenticated service such as RWW or VPN. Similarly, RWW and VPN access can be brute-forced in a similar fashion. The only way to mitigate this exposure is to use two-factor authentication or implement a PKI to successfully allow non-anonymous access to server resources.
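As an added example, not part of the original post or of either commenter's words, here is a small Python script showing the defender's side of the point above: because one domain password is shared by SMTP, RWW and VPN, failed logons should be counted per source address across all three services rather than per service. The log line format, account names and IP addresses are constructed for the example and are not any real server's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real server): one line per failed
# logon, giving the service that rejected it, the account tried and the source IP.
SAMPLE_LOG = """\
2007-08-29T02:14:05 SMTP AUTH_FAIL user=administrator src=203.0.113.7
2007-08-29T02:14:06 SMTP AUTH_FAIL user=administrator src=203.0.113.7
2007-08-29T02:14:08 SMTP AUTH_FAIL user=administrator src=203.0.113.7
2007-08-29T02:14:11 RWW  LOGON_FAIL user=administrator src=203.0.113.7
2007-08-29T02:14:15 VPN  LOGON_FAIL user=administrator src=203.0.113.7
2007-08-29T02:14:20 VPN  LOGON_FAIL user=administrator src=203.0.113.7
2007-08-29T08:30:00 RWW  LOGON_FAIL user=jsmith src=198.51.100.20
"""

# Hypothetical line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>SMTP|RWW|VPN)\s+\S+FAIL\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_failures(text):
    """Return (timestamp, service, user, src) tuples for every failed logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"])
            events.append((ts, m["service"], m["user"], m["src"]))
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failures inside `window`.

    Failures are pooled across SMTP, RWW and VPN: a guesser that spreads attempts
    over the three services is still testing the same domain password, so a
    per-service counter would understate the activity.  Returns a dict mapping
    each flagged source to the sorted list of services it failed against.
    """
    by_src = defaultdict(list)
    for ts, service, _user, src in events:
        by_src[src].append((ts, service))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [svc for ts, svc in items[i:] if ts - start <= window]
            if len(in_window) >= threshold:
                alerts[src] = sorted(set(in_window))
                break
    return alerts
```

Run against the constructed sample, the single source that fails three times on SMTP and then moves on to RWW and VPN within seconds is flagged, while the lone failed RWW logon from the other address is not.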

Philip Elder Cluster MVP said...

I agree with your point on Linux. When I read it the next morning, it dawned on me that there are setups out there that provide some great patch support.

And, knowing your operating system is key to knowing what needs to be patched and when.

And yes, SSO, like anything else, is a door. And, given the time, resources, and a possibly misconfigured server, someone could brute-force their way in.

I do enjoy your input, Chris, and, as well, I really appreciate it.

Thanks for that,