Dana using SBS2003? No I am NOT nuts

Ok, so I never expected this. A little itty bitty blog entry
that would cause such a stir that I received over 25 private emails
from people…. ranging from honest-to-goodness help and suggestions to
quasi-death threats for being so stupid. Why don't you guys ever
comment on my blog???

Rather than respond to each email individually, I thought I would
just break down and explain my thought process on why I am considering

As a computer security professional who LOVES Unix environments…
you would think I would stay away from ever having a Microsoft product
on an Internet facing server. You wouldn't be far off from that
assumption, as Microsoft's history in this matter hasn't been the
greatest. Quite frankly I refuse to look at any version of Microsoft's
operating system older than Windows Server 2003. However, I think that
only the foolhardy would back themselves into a corner and take the
stance of an OS zealot. We saw this years ago when “Team OS/2” was
preaching that you need to be “Warped”. Not a pretty sight. Then we saw
it with Linux. Hey… I got sucked into that one…. as I truly believe
in many of the benefits of the operating system. I was one of the
original geeks at LinuxWorld, preaching the powers of Linux before it
was kewl to do so.

Yet for me, over the years I have come to realize it is all about
selecting the right tool for the right job. Absolute security is a
myth. What needs to be done is to find the right tools with the right
safeguards to help defend against the digital divide. In other words,
it's about putting enough security in to defend against the risks
exposed to us out there. Not ALL the security in the world. “Just
enough security” to do the job. Am I going to prevent covert black bag
ops issued by foreign governments from circumventing my safeguards?
Probably not… the ISP that hosts my servers will typically fold like
a cheap suit under pressure. But by understanding the threats to which
I am exposed while ensuring I have control over the assets I wish to
protect, coupled with smart decisions on how to mitigate these threats
in a practical manner, I can gain the assurance that I need in using a
Windows platform of today.

You see, any operating system can be made safe. It is just that
practically no commercial operating system shipped today is safe in
its initial state. And I include many Linux environments in there
as well… not just Windows. Just as an OS can be made safe… it is
just as easy to make it susceptible to attack.

Past these views, the decision is then weighed against fiscal
responsibility. After all, I am an owner of a really small ISV where
cash is king… and spending thousands upon thousands of dollars for
licensing doesn't make a whole lot of sense when you don't need to. And
that is the point of view I would like to use as I talk about my
decision to look at Small Business Server 2003. It might make sense if
I give some background information to help you see how I came to my

The Growth of a Small ISV

In the past two years I have been building a small ISV that is focused
on building host-based intrusion prevention software for the Microsoft
Windows platform. Focused towards the small to medium business target
demographic who use Microsoft Windows servers, I found myself being
immersed in the platform. For good, bad or indifferent I have come to
realize that Windows Server 2003 isn't all that bad. It has a ways to
go yet… but the kernel itself is getting pretty good.

Self funding the company, the last thing I wanted to do was to shell
out tens of thousands of dollars for all the licenses I would need to
run a Microsoft shop. Being a fan of Linux with years of experience
under my belt, it took me less than an hour to get a Debian server up
and running with SSH, email, secure web, database and all the fixings.
An hour after that, I had the firewall in place, a good IDS net and
remote logging and monitoring facilities that would rival an ISP NOC.
It cost me little more than my time for a couple of hours, the cost for
the hardware and the cost to put it at the ISP. When measuring direct
TCO for this solution, it's a joke to try to measure it against Windows
Server. Microsoft's offerings fall flat on their face. They simply
CANNOT measure up to a Linux server focused on offering a simple
hardened web server with email and database access (personally I am a
PostgreSQL fan). Now before you freak out and try to pull out all the
Microsoft marketing hype on TCO… give it up. Read the whole article
before you criticize.

You see, if you have the experience and have normal “Internet
services” access needs, a Linux server is a great choice. You know what
you are getting. Very little EXTRA is exposed… and you don't have to
fear the unknown. You know what you are running, and you know what to
secure against. But what if you have more needs? What if you have to
grow the business communications? What if you need it to scale to
support more business services? Well, then options for Linux start to
thin out.

Let me explain where I am going in the next two years so that point
can make sense. I am growing the business and expect to be hiring at a
minimum 25 new people. Most of these people will work in a virtual
environment, working in the field or from home most of the time.
Telephony is managed by using VoIP services through an Internet PBX
offered through a company called Packet8, which gives me excellent PSTN
access while ensuring clean PBX bridging functionality across the
Internet.

Email, shared calendaring, contacts and files will be managed
through Outlook Web Access (OWA). Let's be honest, very few offerings in
Linux support such good group collaboration and communications as
Exchange. Although commercial competitors such as GroupWise and Lotus
Notes are nice, the complete integration that Microsoft has done in the
browser with OWA 2003 is just amazing. Have you seen this thing? Not
only is it pretty… but it's extremely functional… and works just
like the Outlook client. And let's not go into the open source group
collaboration servers, or webmail clients like SquirrelMail. They are
just not ready for real collaborative business interaction and use.

Why not use the Outlook client over HTTPS then? (Yes, you can do this,
if you didn't know.) Well, you will be able to. But only on machines I
can trust; machines the company has actual authority over and can
manage. In many situations though, that won't be available. OWA (and
OMA for those of us lucky enough to have an MPx200) will be the only
solution for them.

To strengthen the authentication process and create a strong audit
policy for these remote users to Active Directory, I am going to roll
out two factor authentication with one time passwords (OTP). I was
originally looking at using RSA SecurID keyfobs and the USB 6100 USB
key smartcard, but the costs are quite prohibitive for a small company
such as mine. You have to buy at a MINIMUM 25 licenses TO START, and
there are ongoing licensing costs and upgrades to tokens needed after a
period of time. I found another company offering similar technology,
but at a fraction of the cost. Authenex offers an OTP token called A-Key
which ALSO supports USB key storage for PKI. The interesting thing is
that the OTP is shown ON the USB key, whereas RSA uses a smartcard
approach and requires a USB driver be installed to work. RSA's approach
won't work at a location where USB access is prohibited, or not
desirable. That is why I am looking at Authenex.

A note to the security vendors out there. Small businesses are not
second class citizens! We have security needs just like the big boys.
Why is it so hard to believe a small business of 5 or 10 people
would want to implement strong security solutions? Think about that
next time you do market research. You are missing a HUGE target
demographic and I bet if you looked… you have some easy wins that
could increase your sales pipeline.

So anyways, I have been taking a bit of a tangent explaining what is
going to happen and giving you a background on some of my needs. Now let
me explain why I blogged
about looking for a SBS MVP. Quite frankly I think Microsoft is doing a
big disservice to its customers in not talking about SBS, and I wanted
to poke around to see who was in the field. For small companies like my
own, Microsoft has a very compelling offering which actually DOES show
a sane TCO argument. It's in a little-known product called Small
Business Server 2003, more commonly known as SBS2003 (or sometimes just
SBS).

SBS2003 is an inexpensive server solution which is really just
Windows Server 2003 installed with Exchange 2003, SharePoint, ISA 2000
and SQL Server. It is slightly more restricted than Windows Server 2003
in that all the components must be loaded on a single domain
controller. Although you can have secondary file and print servers…
everything else must reside on a single box. From a security
perspective this isn't really desirable (see my post on the 8 Rules of
Information Security to understand why; the Rule of Separation is really
important here), as you really should separate services, but it's a
reasonable limitation for most small businesses. After all, most small
businesses don't have a plethora of server hardware to support
separation anyways.

Another limitation is the fact that you can only have one domain.
The domain is based on Active Directory, but it cannot form trust
relationships, which kinda sucks for more complex deployments. Again,
not a serious limitation for most small businesses. The final
limitation that I know of is that there is a client limit. You can only
buy 75 CALs (Client Access Licenses) for the server. At that point, you
will probably be moving to a larger server anyways, so again… this
isn't a real big limitation for most small businesses.

Depending where you get it, this entire bundled solution costs about
1/5th the cost of a similar deployment done by putting pieces together
of various Microsoft technologies due to its tight integration with all
the components. The cost savings are enormous, and match in many
respects to the same costs of a Red Hat Advanced Server offering
similar services. But that tight integration is also its weakness (in
my opinion), which is why I was calling out to SBS experts.

I have real concern with not knowing how everything is interacting
on this box. If you recall, earlier in this post I explained how that
was a strong point in Linux. I don't have that same confidence in SBS.
As I am not an expert in SharePoint or IIS configuration, I get chills
when reading documentation about how you can surf to shared resources
in this manner with a browser. I begin to fret when I see
administrative tools accessible via little known URLs (which attackers
know)… especially when I thought I turned them off. This is where
experience comes into play, which is why I am seeking out a local
expert in the lower mainland of BC.

All I want to do is expose two ports…. SMTP (port 25) and HTTPS
(port 443) to the world. The first for mail coming in and going out and
the second for OWA access. I don't want ANYONE to be able to go to ANY
URL without first authenticating to Active Directory… and quite
frankly… I don't know how to configure that. And that's why I am
seeking out the expertise.
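One way to verify the "no URL without authentication" requirement above once the server is configured is to send anonymous requests to every exposed path and flag any that are served rather than challenged. This is an added example, not the author's code or anything from SBS: the URL paths are placeholders for the services you actually expose, and the loopback demo server is constructed purely so the check can be run offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe(url, timeout=5):
    """One anonymous GET; returns the HTTP status, or None if the host refuses the connection."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)  # port None -> 443/80 default
    try:
        conn.request("GET", parts.path or "/")
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()

def anonymous_served(base, paths):
    """Paths answered 2xx with no credentials: each one violates the policy (401/403 = challenged)."""
    hits = []
    for path in paths:
        status = probe(base.rstrip("/") + path)
        if status is not None and 200 <= status < 300:
            hits.append((path, status))
    return hits

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the real server: demands credentials everywhere except /public."""
    def do_GET(self):
        if self.path == "/public":
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the console quiet

def start_demo_server():
    """Start the constructed demo server on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]

if __name__ == "__main__":
    # Placeholder paths; substitute the URL paths of the services you actually expose.
    print(anonymous_served(start_demo_server(), ["/", "/public", "/mail-placeholder"]))
```

A 3xx answer is not flagged because forms-based logon pages redirect before serving anything; review those by hand.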

I had some interesting and helpful feedback from Susan Bradley,
who introduced me to a few MVPs and gave me some recommendations. It
looks like I might not need an MVP after all, but just a really
qualified MCSE or something. Of course, with the ratio of idiots to
experts in the MCSE field, it's really hard to determine which camp they
lie in. I guess some further research may assist me in making that

So there you have it. I don't have really complex needs… but they
are not exactly normal either. I am confident that SBS can be locked
down… just as I am confident that I can find default Linux installs
that are not. No operating system is a panacea, but I do believe
Microsoft's SBS offering makes sense, is cost effective and is quite
manageable. I know I am just being paranoid, but I would rather be that
than be 0wned. So thanks to those who have sent me feedback and hooked
me up with others. And thanks to those who have criticized me and
challenged me to explain myself. Writing this has made me realize I am
maturing in my understanding and management of risk, and breaking the
shackles of ignorance as it comes to operating system zealousy. (Ask
around… I used to be pretty bad).

[Dana Epp's ramblings at the Sanctuary]
