I can't say much with regards to the configuration of SBS. It sounds like
you should be ok with they way you have things setup, but I cannot say for
sure.
However, I *can* tell you that the newer versions of SBS do not require
special SP's. This was true of SBS back in the NT 4.0 days, but not since
Windows 2000. I'm sure that was a major headache for MS to maintain, so
they stopped doing that.
Hope this helps.
Steve
-----Original Message-----
From: Dan Tesch [mailto:dan.tesch@comcast.net]
Sent: Friday, February 18, 2005 7:49 AM
To: Security Basics
Subject: Re: Windows 2003 SBS for web server?
Jonathan-
Thanks for the input, maybe I should clarify a little; The company
I am working with already has two W2K IIS servers and we are
replacing the hardware w/newer & faster - one box already went
up with Server 2003 and we are now building the next - my question
was regarding having an available license of SBS to use - our only
requirement is IIS6 and load bal. which this contains.
Specifically, I wanted to know if there is anything else I should be
aware of outside of the normal securing and hardening of IIS which
for this company - switching to an alternative is not on their agenda.
I already did the install and after the normal 2003 install the server
booted and asked to continue the install to which I replied cancel
and a shortcut was left on the desktop to continue w/the other two
disks for I guess Exchange.
I have never managed a SBS and I thought I read something about
a separate line of SP's - is this infact the case? do they come out at
the same time as normal SP's? from a security standpoint is anything
else different about a SBS edition? - I don't anticipate even setting
up a domain - just left it at a workgroup - file sharing and client are
unbound and I am going through hardening guidelines as if this were
a normal 2003 server -am I missing something?
Thanks
Do you really want to expose a Windows/IIS server to the Internet?
Are you planning on storing any sensitive data on it? If you really
want to use IIS, I'd strongly recommend that you (a) put it in a DMZ,
(b) run ONLY IIS on that box, (c) rename the administrator account,
and use that account/passwd combo on THAT box ONLY, (d) use the ODBC
logging feature of IIS to log your IIS accesses & errors to a database
server (you can run MySQL for free on an internal host, and install
the MySQL ODBC drivers on the IIS box).
If you don't have to run Active Server Pages (or any other dynamic
content), consider a minimal installation of any Linux distro running
the TUX web server. Much faster and easier to secure than IIS or
Linux + Apache. If you DO need ASP, stick to IIS. If you can use
PHP/JSP/Perl/CGIs, then consider Linux + Apache.
Thanks & HTH
Jonathan Glass
On Wed, 16 Feb 2005 09:23:25 -0600, Dan Tesch <dan.tesch@comcast.net>
wrote:
Hello, can I get some feedback on using Windows 2003 Small Business
Edition
as a web server? Can I just turn off the Exchange stuff? What might I
need
to
worry about with the built in Active Directory? - does SBS have it's own
line of
service packs?
I have an extra license available but is this a bad idea from a security
standpoint
or other reasons?
Thanks
--
Jonathan Glass
678-768-1445
