In all of our conversations with Linux gurus or guru wannabes, we can ask a simple question (keep in mind that we deploy 98.5% SBS Premium): You bring your best tools, and we sit down together and watch them try to work on our SBS Premium box with ISA set up and configured properly. With ISA SP3, we will be seeing a sea of red, that is, denies!
ISA is more than a software firewall! Check out isaserver.org for more info. It is one of the best ways to manage data coming into or leaving the SBS network ... period. This is one of the main reasons why we pretty much only deploy the Premium Edition of SBS. For a few extra dollars, the client gets an enterprise level of protection and user/software access management.
We have clients with Internet-facing SBS Premium servers hosting email and providing HTTP filtering for Server 2003 Web Edition farms that have been running trouble-free for years now. We have yet to see a successful attack.
For SBS Standard, it is not much different, since the built-in firewall service is configured by the CEICW to open only the ports required for SMTP and Remote Web Workplace access. The built-in firewall cannot be as finely tuned as ISA, but it provides that extra layer of protection on top of the firewall/router/gateway that should already be protecting the SBS Standard box.
One should always use the native Remote Web Workplace connectivity to manage SBS boxes. This further reduces the server's exposure: it gives you SSL protection for your management access without the risk of opening port 3389 for Terminal Services.
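As an added example (not code from the original post), here is a small audit that checks an inbound ruleset against the exposure policy the two paragraphs above describe: only SMTP and the SSL portal may face the Internet, and 3389 must never be published directly. The rule format and sample rules are constructed here, and the assumption that Remote Web Workplace / OWA are served on 443 is ours, since the post names no port for them.

```python
"""Audit an inbound ruleset against the SBS exposure policy described above: only SMTP
and the SSL portal (Remote Web Workplace) face the Internet; 3389 is never published."""

# Assumption: RWW/OWA are served over HTTPS on 443 (the post names no port for them).
ALLOWED_INBOUND = {25: "SMTP (inbound mail)", 443: "HTTPS (Remote Web Workplace / OWA)"}
FORBIDDEN_INBOUND = {3389: "Terminal Services published directly; manage via RWW instead"}

def parse_rule(line):
    """Parse one constructed rule line '<action> <proto>/<port> from <source>'
    into (action, proto, port, source); source is 'any' for Internet-facing rules."""
    action, svc, _from, source = line.split()
    proto, port = svc.split("/")
    return action.lower(), proto.lower(), int(port), source

def audit(lines):
    """Return (exposed_ports, findings); the first Internet-facing rule per port wins."""
    decided = {}  # (proto, port) -> action of the first rule whose source is "any"
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        action, proto, port, source = parse_rule(line)
        if source == "any":  # internal-only rules do not widen Internet exposure
            decided.setdefault((proto, port), action)
    exposed = {port for (_proto, port), act in decided.items() if act == "allow"}
    findings = []
    for port in sorted(exposed):
        if port in FORBIDDEN_INBOUND:
            findings.append(f"port {port}: {FORBIDDEN_INBOUND[port]}")
        elif port not in ALLOWED_INBOUND:
            findings.append(f"port {port}: not in the CEICW allow-list, close it")
    for port, why in ALLOWED_INBOUND.items():
        if port not in exposed:
            findings.append(f"port {port}: {why} not reachable, expected by policy")
    return exposed, findings

# Constructed sample ruleset, not taken from a real server.
SAMPLE_RULES = """\
deny  tcp/21   from any
allow tcp/25   from any
allow tcp/443  from any
allow tcp/3389 from any
allow tcp/445  from 192.168.16.0/24
allow tcp/21   from any
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES)[1]:
        print("FINDING:", finding)
```

On the sample ruleset the only finding is the published 3389, because the earlier deny on 21 wins and the 445 rule is internal-only.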
The issue, as far as Linux is concerned, is having so many services running on one box. This is because of the way Linux operates. Each SBS-like component, email like Sendmail or qmail, Squid for firewall and proxy, Apache for web-based services, SSH for remote management and connectivity, MySQL for databases, PHP for scripting and environments, Samba for sharing data files and folders across the internal network, and more, all present an attack vector for someone to try and crack their way into the system.
Just the patch management alone on this kind of Linux setup would be a huge undertaking. Each server application presents a different website or newsgroup that one would have to monitor for updates! Never mind the conflicts that could arise with all of these services installed on one box.
Small Business Server is not like that. Microsoft, in the guise of the SBS team, took a lot of time to make sure that each component of SBS plays nicely with the others. They took the time to make sure that there would be a reduced attack vector by presenting what is essentially one secure and united front for access to the server: Remote Web Workplace. This front has a few facets, in that VPN and Outlook Web Access can also be dialed in for access to data and email respectively. But we are still presented with one way in: through an SSL-secured portal that requires us to authenticate BEFORE we get any further.
That is what a Linux person will not understand without sitting them down in front of the server's console and showing them point by point how things operate on an SBS box. Then we would let them watch the live traffic monitoring feature in ISA to gain an understanding of just how tight things run on SBS.
That, in a nutshell, this late at night, is an off-the-top-of-the-head rundown of what we say to the Linux people we come across who protest the SBS configuration.
Microsoft Small Business Specialists
*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.