Strategies for Securing SMB Networks

WOW! If your customers don’t have SA, they really missed out.

Software Assurance entitlement for SBS 2003 customers upgrading to SBS 2008

As we have previously documented, the product components that make up the SBS 2008 solution (Link to SBS 2008 Components) differs from SBS 2003 R2.  SA customers will therefore be granted one-time licenses for the following to be ‘made whole’, entitlement:

SBS 2003 R2 Component Product
Upgrade Path

Until such time ISA successor product, Forefront Threat Management Gateway 2010, is released upon which, a TMG 2010 license will be granted. ***

*Premium Edition  ** ISA 2006 does not run on Windows Server 2008 *** Version number subject to market availability

Note:  Customers will have to purchase SA separately (independent of SA for SBS) in order to receive future upgrades of the granted components as part of ongoing SA entitlement, except in the case of the ISA, where SA does not have to be attached to ISA 2006 in order to get TMG 2010 (I.e. SA attachment to SBS 2003 R2 entitles customer to TMG 2010). 

Also note:  SBS 2003 R2 CALs with SA will upgrade to SBS 2008 CAL Suite or SBS 2008 CAL Suite for Premium Users or Devices, depending on which edition of SBS server software your SA rights entitle you to. 

The Official SBS Blog : Software Assurance entitlement for SBS 2003 customers upgrading to SBS 2008

Let us count the ways in which by default an SBS 2008 RC0 server can be remotely accessed without using 3rd party tools.

• Remote Web Workplace: PC’s, Servers, Email
• Outlook Web Access
• Terminal Services
• Outlook Anywhere
• Exchange Active Sync
• VPN
• Telnet

Of these which is the most difficult to secure? Exchange Active Sync. Why? Because with Mobile 6 and Exchange 2007 you get direct access to Sharepoint files and Documents on shared folders on your internal network. The phone is smart enough to know that when it gets a link with an internal domain name that it needs to retrieve the document using Exchange Active Sync. So it’s possible to browse your internal network using your cell phone. This is very cool but also very dangerous.

How do we secure against data leakage? Disable the feature? It’s an awesome feature, a great tool to enhance mobile productivity. Remote wipe? Yes, but that’s really more disaster containment.

Unfortunately I don’t have the answer, just the question. SBS 2008 has a lot of remote productivity features that we’ll be sure to let our clients know about. But we’re also going have need to have a serious sit down talk about security and a really big sit down talk about mobility.

I’ve been a closet user of Carbonite backup for coming on 2 years now. I recommend it to my clients for backing up their home PC’s or traveling laptops. It’s not a heavy duty backup. It’s definitely light duty. There are not application agents. It is strictly made for backing up individual files.

Today I read on Susan Bradley’s blog that some backup applications have security issues. The issue at hand isn’t whether the data is secure, it is whether the encryption code, username and password are secure. Most pass these in plain text before the SSL tunnel comes up. The testing firm (from the UK) inserted a man in the middle attack to see whether they could grab the username and password. Only Carbonite and Mozy passed their test. Now the firm was disappointed that the error that Carbonite produced was Server Not Reachable Due To Maintenance. Personally I’m happy to get any kind of error when a man in the middle attack is taking place and the important part is that the backup did not take place and the data was not compromised.

Here at Harbor Computer Services we’ve decided to take the next step and join the Carbonite partner program. It’s dead simple. Alerts you if a problem with backup occurs. Is secure and doesn’t slow down your computer. It’s hard to ask for more.

RWW is one of the very best features of SBS. It’s lets employees work from home just as if they are sitting at the office and all they have to do is log into a web browser page. It’s the VPN killer and that’s a good thing. But with every awesome feature come security concerns. With RWW the security concern is that remote access to your network is easily obtained by guessing a username and password. Everyone knows that this is not difficult. This problem extends to the administrator account as well and it turns out that there’s no way to prevent the administrator account from accessing the network remotely using RWW. Yikes!

Let me introduce you to Dana Epp. He’s THE security solution guy for the SMB. Dana is an Enterprise Security MVP that owns a company called Scorpion Software near Calgary (Canada). Dana makes this wonderful product, designed for SBS, that easily and simply sets up 2-Factor authentication for RWW. It’s called RWW-Guard. Using RWW guard, along with the backend authentication provider AuthAnvil, users wanting to work from home have to also enter in a pin code from a Crypto key to gain access to the network. In this manner they have guaranteed that they know their username and password AND they are in possession of the Crypto key that is associated with that user account. The code on the Crypto key changed every minute. As simple as that we now know for sure that the user logging in is who they say they are because not only do they know something (a username and password) but they also have something (the Crypto key associated with that account). Further AuthAnvil records the time when the user logged in and logged off.

I mentioned above that there’s no way to prevent the administrator from using Remote Web Workplace. So as a FREE give away, Dana through Scorpion Software is giving you this tool. If you later want to extend it to all users and implement 2 Factor Authentication you can, but in the mean time for FREE you can protect your network from being hacked through RWW.

From Scorpion Software blog…

For those people that didn’t tune into the radio broadcast last week, Scorpion Software released a FREE tool to the community called "AuthAnvil RWWProtect" that allows better control of administrative logon behaviour for Small Business Server’s Remote Web Workplace (RWW). Included in this is easier to understand logging for RWW, and the ability to also add two-factor authentication (2FA) to RWW for administrators if you wish to.

My favorite quote from the community comes from Kerry Brown, who after hearing about RWWProtect sent an email to me that simply said:

Thank you Dana! I have a couple of servers that are being hammered on RWW very early every morning for a couple of hours. Every morning I have to figure out where it’s coming from and block the IP. Now I don’t have to wade through firewall logs to find the IP and I can block admin access. Thank you, thank you.

So if you want to prevent administrators from logging into your network via RWW, then feel free to download your own copy today. It is absolutely free. Of course, if you also want to add 2FA, you might want to check out our AuthAnvil product at www.authanvil.com. (In case you aren’t a customer already )

You can check out AuthAnvil RWWProtect here.

When we choose to host an application we give up a lot.

We give up:

• Ability to decide when in our business cycle is the best time for a software upgrade to occur
• Customization of the application
• Integration of the app with our other apps
• Frequency of backup
• Backup from the hosting company into my hands (most of the time)
• Best time to schedule maintenance so it doesn’t interfere with my business

To me these are huge considerations. We gain and we lose by hosting. But hosted apps are going to be the new world order. Microsoft is investing heavily in building data centers from which to lease us applications.

So assuming that this is the future and we’ve decided to accept the compromises, how do we get notified when an update, upgrade or maintenance is going to occur? Usually we don’t. If we do we get a blog post. Occasionally we get an email. But today I got from Culminis, the company hosting the sharepoint website for my usergroup, an email announcing that there will be maintenance performed 4 days from now with a calendar attachment. Excellent! This is the best communication I’ve had from any hosting company so far.

Way to go Culminis! May you lead the way for other hosting companies to follow.

In the race for an SMB Firewall appliance, Untangle is one of the leaders in the pack. It a Unified Threat Management product packing about a dozen open source applications under a slick web interface in an appliance form factor. (it is available as software only as well) If you’re an MSP they also have a nice monthly payment program. So take your shopping list to the webinar tomorrow and see how they stack up. Post a comment back here and let me know what you think about their product.

Details: http://www.smbnation.com/events_listpage.asp?Category=Webinars&Cat=Category

At the IT Pro Conference in New Orleans I presented briefly, as part of a panel, some things to think about when making the firewall decision for an SBS network. Don’t assume that the name brands are necessarily the best choice. We’ve got to seriously shop. Never before has this business space really had to sit down and do a serious evaluation of it’s firewall. Always previously Microsoft provided one. No more. It’s time to make a shopping list.

What do we have to protect?

• Domain controller. Active Directory. Usernames and Passwords
• Files and Folders. Other data, LOB perhaps.
• Exchange. Our ability to send and receive email securely.
• Outlook Web Access
• Outlook Anywhere. HTTP over RPC
• Remote Web Workplace. Remote access to workstations, server and sharepoint via a web portal.
• Exchange Active Sync
• RDP to Server or workstations
• Access to Sharepoint Intranet via the Web
• LOB vendor needs to get in to manage their app
• LOB app has a web facing portal
• Site-Site VPN Tunnels
• VOIP Phone system

What does the business owner want?

• Limit access to the Internet, by site, by whitelist, by time of day, by PC, by username, by usergroup, by group of PC’s, by job function, etc.
• No spam
• No malware
• Recording where people are spending their time
• Control IM and Social Networking
• Keep track of data leaks
• A nice readable customized report
• Free. (yeah, they are going to have to compromise)

What doe the IT Pro want?

• Great logs with lots of detail
• Easy VPN setup
• QOS
• ISP failover
• Simple Interface
• Active Directory integration
• Has to make the business owner happy
• Has to protect the network without fail or we end up on the chopping block
• Great support
• Trust. Why should I trust the company that has made this product?

Go forth and shop.

Hands down the most over looked, under utilized part of SBS is Sharepoint. It’s not like its new. It has been hanging around in SBS for 8 years. If you need to get up to speed, here’s how I suggest you do it. It worked for me and my staff.

First I bought a book; almost any sharepoint services book will do for an overview. Then I read up on how to install WSS 3.0 on an SBS server. Next I started to think about all of the things I could take from our server and put into sharepoint. The challenge of determining how to "sharepoint" something is a really good exercise. It’s not that we have a serious business case for moving our stuff onto sharepoint but doing so allows us to build some real work experience with different types of files and solutions. It’s our test lab.

Here’s what we have "sharepointed" so far for out own use.

• Public Folders of shared contact lists, calendar, licensing documents.
• A map of client locations using MapPoint
• RSS feeds for a list of blogs we read.
• Wiki for new How-To document creation
• A checklist of maintenance activities completed per client
• RSS feed of open tickets from our ticketing system
• Task list with reminders letting us know it’s time for domain registration or anti-virus license renewals.
• A purchase form to record items purchased for a client and the receipt that goes with it.

Never let it be said that you can’t get or afford training. Microsoft partner site is loaded with training resources. Here are some of the more interesting ones for Sharepoint.

Sharepoint on-demand partner training.

• Windows SharePoint Services 3.0 Series 1: Foundations - Session 1: Introducing Windows SharePoint Services https://training.partner.microsoft.com/plc/details.aspx?systemid=1786628&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 1: Foundations - Session 2: What’s New — Document Management and Collaboration https://training.partner.microsoft.com/plc/details.aspx?systemid=1786629&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 1 Foundations - Session 3: What’s New — Business Process and Workflow https://training.partner.microsoft.com/plc/details.aspx?systemid=1786627&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 2 Session 4: Site and Site Collection Administration https://training.partner.microsoft.com/plc/details.aspx?systemid=1786631&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 2 Session 5: Farm Administration: Maintenance, Optimization and Best Practices https://training.partner.microsoft.com/plc/details.aspx?systemid=1786632&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 2 Session 6: Authentication, Permissions and Security https://training.partner.microsoft.com/plc/details.aspx?systemid=1786633&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 3: Customization and Development with Windows SharePoint Services 3 Session 7 https://training.partner.microsoft.com/plc/details.aspx?systemid=1786636&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 3: Customization and Development Session 8: Customizing Sites and Applications with SharePoint Designer 2007 https://training.partner.microsoft.com/plc/details.aspx?systemid=1786635&page=/plc/search.aspx
• Windows SharePoint Services 3.0 Series 3: Customization and Development Session 9: Developing Custom Applications using Visual Studio https://training.partner.microsoft.com/plc/details.aspx?systemid=1786634&page=/plc/search.aspx

Sharepoint Exam Prep

• Windows SharePoint Services Exam 70-631 Prep, Part 1 https://training.partner.microsoft.com/plc/details.aspx?systemid=1775029&page=/plc/search.aspx
• Windows SharePoint Services Exam 70-631 Prep, Part 2 https://training.partner.microsoft.com/plc/details.aspx?systemid=1775030&page=/plc/search.aspx
• Windows SharePoint Services  Exam 70-631 Prep Session 1 (a second series with a different instructor) https://training.partner.microsoft.com/plc/details.aspx?systemid=1798707&page=/plc/search.aspx
• Windows SharePoint Services  Exam 70-631 Prep Session 2 https://training.partner.microsoft.com/plc/details.aspx?systemid=1798743&page=/plc/search.aspx
• Windows SharePoint Services  Exam 70-631 Prep Session 3 https://training.partner.microsoft.com/plc/details.aspx?systemid=1798744&page=/plc/search.aspx

Finally don’t forget to do a search for Web Parts occasionally. Doing so will give you more ideas for what is possible.

Pentalogic http://www.pentalogic.net/Default.aspx

Bamboo Solutions http://store.bamboosolutions.com/bamboomainweb/

Smiling Goat http://smilinggoat.net/stuff.aspx

Microsoft http://search.microsoft.com/results.aspx?q=web+part+download&qsc0=0&FORM=QBME1&l=1&mkt=en-US&PageType=99

Last weekend was the 2008 IT Pro conference in New Orleans organized by SBSmigration.com.

Jeff Middleton, aka King of New Orleans, put on an amazing conference. IT business focused with a smooth migration every night taking the whole conference into party/social/networking mode until the wee hours of the morning. You walk away from this conference with new found friends and colleagues. He manages to weave a story from keynote to Q&A covering all of the aspects of Transition. The transition he is referring to is of course the talk of the town: the coming obsolesce of the IT infrastructure service provider.

Start transitioning your business from service provider to "trusted advisor" or prepare to close up shop. The message was loud and clear throughout the sessions.

Some feel that the trusted advisor is like an interior designer. You take what the company has, add a few key pieces and voila, everyone is happier. It could be true. However, not everyone hires an interior designer and I’d argue that small businesses are primarily working class and don’t want to pay interior designers or IT consultants. They want to purchase a service that they require. Educating them on the benefits of paying a consult, who may not actually be doing the work, is going to be an up hill battle.

I noticed a disturbingly large portion of IT Pros at the conference that did not feel it was in their best interest or comfort zone to talk to their clients business owner to business owner, as a consultant and trusted advisor. I’m certain that to not do so, is like signing the death sentence for your business.

Think of it like this. Not too long ago, a lot of people made their career delivering milk to individual households. The Milk Man was as tradition. Around here, every pre-1965 built home has a standard issue milk chute. But in the flash of a few short years almost every milk man was out of a job. The job of delivering milk became mass delivery in bulk to shopping centers. Each bulk delivery truck put hundreds of milk men out of business.  So goes software with SAAS or SAS. Software as a service will put thousands upon thousands of IT infrastructure pros out of work. Instead of individually delivered software, it will now be delivered in bulk at the data center.

Trusted advisor is the only way to go. I hope you were at the conference so you can be my future colleague in the new world order. There won’t be very many of us.

Last week I gave my 5w/50 presentation on Configuring ISA for Common SMB Scenarios. During the webcast I mentioned that I would post resources to the skydrive. I’ve sent those into the powers that be, but I hear that he’s basking in the sunshine in Hawaii. So I thought I’d post them here. (see below)

I also wanted to thank everyone for attending and providing such glowing feedback <blush>. Of the many times I’ve spoken this is the first time that I’ve ever seen the feedback and I’m really glad to know that everyone enjoyed it and learned something.

Students are a random number when I see the survey results but I wanted to point out one comment that really hit home for me.

About time there was a seminar (could have had more - longer - content) for SBS and ISA 2004.

I have thought this for a long time too. It’s my feeling that ISA was the one component of SBS that most consultants and users were not familiar with. Training early and often would have helped the sales of SBS Premium and everyone would have understood the enormous benefits that ISA can bring to the table for small businesses. If I was in charge this would have happened. But I’m just a consultant out here trying to make a living just like you. Fortunately for us, the firewall market has matured significantly over the last several years and so now we have some decent choices for SMB firewalls. I’ll be providing my impressions of those in the coming months. I’m testing a couple now.

Here are the instructions for installing SP2 on an SBS server:

Windows Service Pack 2 instructions. Keep an eye on that last one. It’s what you really want.

Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2

http://support.microsoft.com/kb/916106/en-us

Windows 2003 service pack 2 known issues on Small Business Server 2003

http://support.microsoft.com/kb/555912/en-us

An update to turn off default SNP features is available for Windows Server 2003-based and Small Business Server 2003-based computers

http://support.microsoft.com/kb/948496

Websites you should visit:

http://isainsbs.blogspot.com

http://securresmb.harborcomputerservices.net

http://www.isatools.org

http://www.isaserver.org