Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IIS6 on W2k3 DCs

from [Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]] Network Security [Permanent Link]
Subject: Re: IIS6 on W2k3 DCs
Date: Tue, 18 Jan 2005 14:48:55 -0800 
They are drooling over Remote Web workplace
Ninja Feature: Remote Web Workplace in SBS2003:
http://blogs.msdn.com/tristank/archive/2004/10/14/242211.aspx

You can have a backup domain controller now....okay here goes the myths of SBS again... we HAVE to be the PRIMARY domain controller [hold all the FSMO roles] but we can have BACKUP domain controllers all we want.

And our SBScals cover a member server so we don't have to buy server cals.

Why wizards? Because they keep people from being stupid. There are over 500 commands in scripting the firewall and email setup in SBS to nicely and correctly configure email, Internet access, and do it securely. 

Understand the wizards...but once you understand them...you let them run.

Show me a screwed up SBS box and I'll show you an Enterprise-y Gold Certified partner who "thinks" they know what they are doing and end up mucking up everything. The number of Enterprisey folks who come in saying "I need to dcpromo this SBS" and we freak out and tell them that all of those steps are in the scripted install setup. Install this guy several times to see what it does ...but the wise person let's "it" do the heavy lifting.

The reality is many people do not truly understand what they are doing and would indeed be better served by guidance or ...at least.. reading the documentation.

Susan [somehow this is turning into a "educate the folks on what SBS is and can be post" which tends to happen when I enter into conversations...sorry about that...]

[and like I posted to Jim Harrison...even WE know better not to try to put SMS on our SBS boxes ;-)

Danny wrote:

On Tue, 18 Jan 2005 08:14:30 -0800, Susan Bradley, CPA aka Ebitz - SBS
Rocks [MVP] <sbradcpa@pacbell.net> wrote:


...well... not exactly [sorry folks for hijacking this again] as we can
indeed expand and quite frankly big server folks are drooling over our
Remote Web workplace feature and Monitoring functions.



The big server folks are drooling over the wizards?



You hit the 75 max brick wall and we have a transition pack that
"un-does" the 75 limit and allows us to break the parts off into
separate boxes.



I did not know about this transition pack - I am just reading about it
now.  Once installed, does it allow you to implement another DC for AD
replication -- an inherent limitation of SBS 2003, correct?



I'll be honest with you ...our biggest threat vector IMHO are stupid
passwords and that Mail server [smtp auth attacks and what not].



Passwords - they are fun!  If you can't afford [1] biometric
authentication, then your best bet is to educate your users and
enforce a policy -- thereby decreasing your threat vector.

As for your mail server, none of my Microsoft based (Exchange is a
popular one) email server implementations are accessible from the
Internet.  Instead, it's my personal preference to implement a real
mail gateway MTA, such as Postfix on FreeBSD, which then seamlessly
transports the email to the Exchange server(s).  This combination is a
weapon of mass destruction against malware, spam, and other nasty
email borne crap.  A 486 clunker could easily handle any SBS MTA
requirements, so cost is not a factor; the aforementioned software is
"free". You don't need to be a Unix buff to set it up, either.



For small businesses in SBSland we truly recommend a web server on the
side in a DMZ or outsourcing the web site. [see even we don't want IIS
or any web site to be straight exposed on that DC]



I concur.



I just cringe these days at the words "best practices" as I think it's
too "checklisty". I think you need to evaluate the entire
risk/threat/vulnerability factors in your network and know what works
for you. Like the upcoming Security Configuration Wizard coming out in
Windows 2003 sp1... you run that "best practice tool" on our SBS 2003
box and you break the monitoring email and you possibly break our
backup. Now tell me... how did that make me safer?



Personally I believe "wizards" are for non-wizards who don't know what
they are doing and need their hand held, so why would you run the
Wizard anyway?

[1] - If biometrics was affordable relative to the cost of a security
breach due to weak passwords, then we all should be able to justify
the cost of such a system. In the mean time, I try my best to educate
my users and enforce a balanced password policy.

...D

---------------------------------------------------------------------------
---------------------------------------------------------------------------





---------------------------------------------------------------------------
---------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IIS6 on W2k3 DCs, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Date:  RE: IIS6 on W2k3 DCs, Depp, Dennis M.
Previous by Thread:  Re: IIS6 on W2k3 DCs, Danny
Next by Thread:  RE: IIS6 on W2k3 DCs, Laura A. Robinson
Indexes:  [Date] [Thread] [Top] [All Lists]