| Subject: | Re: IIS6 on W2k3 DCs |
|---|---|
| Date: | Tue, 18 Jan 2005 16:09:12 -0500 |

On Tue, 18 Jan 2005 08:14:30 -0800, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <sbradcpa@pacbell.net> wrote:

> ...well... not exactly [sorry folks for hijacking this again] as we can indeed expand and quite frankly big server folks are drooling over our Remote Web workplace feature and Monitoring functions.

The big server folks are drooling over the wizards?

> You hit the 75 max brick wall and we have a transition pack that "un-does" the 75 limit and allows us to break the parts off into separate boxes.

I did not know about this transition pack - I am just reading about it now. Once installed, does it allow you to implement another DC for AD replication -- an inherent limitation of SBS 2003, correct?

> I'll be honest with you ...our biggest threat vector IMHO are stupid passwords and that Mail server [smtp auth attacks and what not].

Passwords - they are fun! If you can't afford [1] biometric authentication, then your best bet is to educate your users and enforce a policy -- thereby decreasing your threat vector. As for your mail server, none of my Microsoft-based (Exchange is a popular one) email server implementations are accessible from the Internet. Instead, it's my personal preference to implement a real mail gateway MTA, such as Postfix on FreeBSD, which then seamlessly transports the email to the Exchange server(s). This combination is a weapon of mass destruction against malware, spam, and other nasty email-borne crap. A 486 clunker could easily handle any SBS MTA requirements, so cost is not a factor; the aforementioned software is "free". You don't need to be a Unix buff to set it up, either.

> For small businesses in SBSland we truly recommend a web server on the side in a DMZ or outsourcing the web site. [see even we don't want IIS or any web site to be straight exposed on that DC]

I concur.

> I just cringe these days at the words "best practices" as I think it's too "checklisty". I think you need to evaluate the entire risk/threat/vulnerability factors in your network and know what works for you. Like the upcoming Security Configuration Wizard coming out in Windows 2003 sp1... you run that "best practice tool" on our SBS 2003 box and you break the monitoring email and you possibly break our backup. Now tell me... how did that make me safer?

Personally I believe "wizards" are for non-wizards who don't know what they are doing and need their hand held, so why would you run the Wizard anyway?

[1] - If biometrics was affordable relative to the cost of a security breach due to weak passwords, then we all should be able to justify the cost of such a system. In the meantime, I try my best to educate my users and enforce a balanced password policy.

...D
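
The gateway layout described in the message above (Postfix at the edge, relaying to an internal Exchange server) can be sketched as the following Postfix configuration. This is an added example, not part of the original post; `example.com`, `mx.example.com`, `192.0.2.10` and the sample recipient are placeholders, and the paths assume a FreeBSD ports install.

```conf
# /usr/local/etc/postfix/main.cf on the Internet-facing gateway
# (constructed example; domain, hostname and addresses are placeholders)

myhostname = mx.example.com

# The gateway hosts no mailboxes: disable local delivery entirely.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Only the gateway itself is trusted to relay to arbitrary destinations.
# Add the Exchange server here only if its outbound mail leaves via this host.
mynetworks = 127.0.0.0/8

# Accept inbound mail only for the domain(s) hosted on Exchange.
relay_domains = example.com

# Reject unknown recipients at the edge instead of accepting and bouncing,
# so the gateway does not generate backscatter for forged senders.
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients

# Hand accepted mail to the internal server (see the transport table below).
transport_maps = hash:/usr/local/etc/postfix/transport

# Anything not from mynetworks and not addressed to relay_domains is refused,
# which keeps the gateway from becoming an open relay.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# No SMTP AUTH on the exposed listener, so there is no password to guess here.
smtpd_sasl_auth_enable = no

# --- /usr/local/etc/postfix/transport (then run: postmap transport) ---
# Square brackets suppress the MX lookup and deliver straight to the host.
# example.com    smtp:[192.0.2.10]:25

# --- /usr/local/etc/postfix/relay_recipients (then run: postmap relay_recipients) ---
# One line per valid mailbox on the Exchange side.
# alice@example.com    OK
```

With this in place, only the gateway needs TCP/25 open from the Internet; the firewall can restrict the Exchange server's SMTP port to connections from the gateway's address.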