Giving Them the (Small) Business
Microsoft's Small Business Server 2003 is a big leap forward for security.
It’s time for those of you who know Windows, and something about security, to turn your attention to the small business. Information security for small businesses is important to all of us, even those who don’t work in, or never thought of working in, that environment. It’s important for a number of reasons.
Small businesses’ computer systems endanger your networks. Small business
owners and employees have little training, motivation or expertise in
information security. They’re likely to place desktops, servers and domain
controllers on the Internet with no protection at all. This means their
systems could well serve as vectors for new attacks or, if they’re compromised,
serve as bases for attacks on your systems.
As IT pros, you get asked by friends and casual acquaintances about networks
and increasingly, about computer security. What do you tell them?
This market could provide additional income for those with strong networking
and security skills.
Small businesses could be your ticket to employment—not as an underpaid
clerical-level worker who also administers the 50-or-fewer-node network,
but as a consultant who builds a practice around providing networking
and/or information security services for these companies.
So what do you tell the small business owner about computer security?
Let’s step beyond the “use a firewall, use anti-virus, patch your systems”
mantra. While that’s good advice, what next? What do you say when they
say, “How do I do that?” How do you get small business owners to actually
do something about security? And, maybe most importantly, how do you get
them to pay you to help them do something?
Providing the Plan
So how do you provide a security plan that the small business can swallow?
How do you provide them with a solution they can afford, but one that
won’t have you working for pennies per hour? There’s a securable business
computer solution right under your nose. I’m talking about Small Business
Server 2003 (SBS 2003), which provides sound business value for the buck.
This release is slated for two versions:
Standard, a specially crafted version of Windows Server 2003, Exchange,
Sharepoint Services and a few other goodies.
Premium, which also includes SQL Server, ISA Server and FrontPage 2003.
The big news here isn’t just the two different versions, but also the price. Standard costs $600. Add a special Hewlett-Packard or other OEM “starter server” for $359, and you have a server for under a grand. Many small businesses don’t need SQL Server, and many, while they need a firewall, can be equally protected by using a separate hardware-based appliance or by configuring the basic firewall services of the Routing and Remote Access Service (RRAS).
SBS offers all the security values of Windows 2003, like Group Policy,
security configuration and analysis, the Group Policy Management Console,
shadow copy, Software Restriction policies and EFS. And it offers something
more, in the form of easy-to-use, straightforward wizards that can save
you a lot of time, as well as remind you to configure security features
and use security best practices. The wizards simplify much of the management
of a Windows SBS domain. It’s not that you need anyone to dummy the product
down for you; it’s that we all benefit when the application of security
is straightforward and painless. Here’s a taste of what I mean.
Greetings! Configure Me
Log on for the first time to a newly installed Windows 2003 domain running
SBS 2003 and the first thing you’ll see is the To Do list. This is, unsurprisingly,
a list of items to get the network up and running. As you’d expect, there
are wizards for configuring users, creating computer accounts and the
like. The No. 1 item, however, isn’t a wizard. It’s a simple statement:
“View Security Best Practices,” and it leads to a Help file. I don’t know
how many new SBS users will read it, but making it the first item on the
list emphasizes its importance and provides an ever-ready link to security
Next in importance is the “Connect to the Internet Wizard.” This is the best thing, in my opinion, the product design team has done for SBS. Here’s what it can do:
Configure firewall services. In the Standard edition, this means the RRAS
basic firewall is configured to block all access to the Internet, and
then opened up for those services you select such as Web and e-mail.
Configure Web Services. You get to decide what services are accessible
from the Internet, as seen in Figure 1.
|Figure 1. Small Business Server 2003 lets you
decide what services are available from the Internet.
Support SSL. The wizard allows you either to import an SSL certificate
for use in protecting Outlook Web Access (OWA) with SSL or create a self-signed
SSL certificate, as Figures 2 and 3 show. The certificate is then installed
and the proper virtual directories set to require SSL. As the Exchange
server should only be accessed by employees, using a self-signed certificate
is acceptable. Later, when configuring clients, the client configuration
wizard will install a copy of the certificate on the client. How’s that
for hands-off security? Small businesses won’t have to purchase commercial
SSL certificates to secure remote access to e-mail, and you won’t have
to configure SSL manually for the server or the clients.
|Figure 2. Use the wizard page to request a self-signed
certificate. The wizard will make one for you.
|Figure 3. The created certificate.
Configure attachment blocking for Exchange server. A list of the attachment
file types is displayed and is configurable, as seen in Figure 4.
|Figure 4. Blocking e-mail attachments couldn't
Configure a password policy. At the end of the Internet wizard, a prompt
to configure the password policy, shown in Figure 5, is displayed. Password
length, complexity and maximum password age are presented as configurable
options. No one has to figure out which group policy to set this in; it’s
just done. You do have to visit Group Policy to add the requirement for
password history and minimum password age, but for the basics, there’s
no guess work. You don’t have to understand Group Policy to set the password
|Figure 5. During Setup, you're prompted to set
some basic password policies, making security administration more
of a no-brainer than ever.
Caveats, Concerns and Next Steps
You’re not done when you finish the wizard. Before you connect the server
to the Internet, I’d recommend a few things.
Take a quick look to make sure things are configured the way you think
they are. Visit RRAS and view the basic firewall services and ports, as
in Figure 6. This is also where ports that weren’t choices in the wizard
need to be configured. Note, if you will, how the list is by service,
not by port number. What could be easier? Want to use a custom port for
a service? No problem. Don’t use the offered check boxes, but add your
own custom service and enter the port number desired.
|Figure 6. Check your firewall configuration and
make sure the settings are right before connecting your server to
Of course, running the Internet Connection Wizard isn’t the only security
configuration needed. You still have to add users and computers, configure
NTFS Access Control Lists (ACLs), share resources, provide secure remote
access, adjust security using Group Policy, set up patch management and
implement a backup plan. You’ll probably also need to train users and
figure out a polite way to keep the business owner from getting administrator
rights on the server.
Consider implementing a hardware-based firewall, too. If you do, you may
want to forgo configuration of the RRAS basic firewall. If the hardware
firewall is Plug and Play, you may be able to do its initial configuration
by using the wizard. I don’t have any problems with the security of the
RRAS basic firewall; I just like to hedge my bets. If someone does compromise
my firewall, I’d rather they not find themselves connected to my domain
controller. If I’m monitoring the network, maybe that’ll give me enough
warning to disconnect the DC, or maybe the hardware-based firewall will
fail in a closed state and provide no entrance to my network at all.
Use the basic firewall if necessary. Let’s be realistic: Even a cheap
firewall appliance will cost the small business owner more money. Sometimes
you’ll be able to put one in place, sometimes you won’t. But the RRAS
firewall is already there. Use it.
Use the SBS Monitoring Configuration Wizard to configure monitoring and
set up monitoring of the security log. This wizard can be used to watch
the security log and send an alert when a set number of failed logons or
another security event occurs. You can build a simple intrusion detection
system using the monitoring tools on SBS. This feature is so cool that it
should be implemented on Windows 2003.
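As an added example (not part of the article and not SBS’s own monitoring code), the following Python script applies that failed-logon alert idea to a constructed tab-separated export of a Windows 2003 security log: it keeps only the pre-Vista failed-logon event IDs and raises one alert per account whose failures reach a threshold inside a sliding time window. The export layout, the sample accounts and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2003 (pre-Vista) security event IDs that record a failed logon,
# e.g. 529 unknown user name or bad password, 531 account disabled, 539 locked out.
FAILED_LOGON_EVENTS = {529, 530, 531, 532, 535, 539}

# Constructed sample export (tab-separated): date, time, event ID, account, workstation.
SAMPLE_EXPORT = """\
2004-01-12\t08:01:10\t528\tjsmith\tWKS01
2004-01-12\t08:15:02\t529\tjsmith\tWKS07
2004-01-12\t08:15:09\t529\tjsmith\tWKS07
2004-01-12\t08:15:15\t529\tjsmith\tWKS07
2004-01-12\t08:15:20\t529\tjsmith\tWKS07
2004-01-12\t08:15:31\t529\tjsmith\tWKS07
2004-01-12\t08:15:33\t539\tjsmith\tWKS07
2004-01-12\t09:02:44\t529\tadministrator\tWKS03
2004-01-12\t11:40:05\t529\tadministrator\tWKS03
2004-01-12\t11:41:00\t531\tkbrown\tWKS02
"""

def parse_export(text):
    """Return failed-logon rows as (timestamp, event_id, account, source); successful logons (528) are dropped."""
    events = []
    for line in text.strip().splitlines():
        date, time, event_id, account, source = line.split("\t")
        if int(event_id) in FAILED_LOGON_EVENTS:
            stamp = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
            events.append((stamp, int(event_id), account.lower(), source))
    return events

def failed_logon_alerts(events, threshold=5, window_minutes=10):
    """One alert per account whose failed logons reach `threshold` inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for stamp, _event_id, account, source in events:
        by_account[account].append((stamp, source))
    alerts = []
    for account, hits in by_account.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward in time
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"account": account, "count": end - start + 1,
                               "first": hits[start][0], "last": hits[end][0],
                               "sources": sorted({s for _, s in hits[start:end + 1]})})
                break  # one alert per account keeps a burst of guesses from flooding the inbox
    return alerts
```

Lowering the threshold or widening the window turns the two spaced-out failures against the administrator account into an alert as well, which is the trade-off the wizard’s settings ask you to make.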
Disable EFS. The Encrypting File System is enabled by default. You need
to disable EFS until you have developed a solid plan for implementing it
securely.
Don’t forget antivirus. There is no built-in antivirus protection. It
is, however, prominently listed on the security best practices pages.
If you’re going to sell small business on SBS, don’t forget to add in
the cost of antivirus products.
I really believe SBS presents the right way to introduce security to small business. By leading with notes on best practices and then providing a wizard to lock down the Internet connection, the very first security configuration steps become the first steps taken on the server. This is what we need.
However, that does raise a concern: It might be too simple.
If we teach Mr. and Ms. small business owner that all they have to do
is run a few wizards, we’re right back where we started. They’ll run the
wizards but won’t know the right answers to the questions. They’ll think
they’re secure, but they won’t be. That’s where you’ll come in. The small
business owner has enough to do running the business. He or she needs
to know what to do to secure information systems but shouldn’t have to
know how to do it. You do. You become the added value in the secure IT
solution for small business.
Getting someone to act is only difficult if you can’t provide a compelling
reason to do so and a solution. I’ve presented one possible
solution. I’m sure you can develop others. If you choose, however, to
invest some time in promoting security, I’m sure you’d like to get paid.
The answer to getting small business owners to secure their information—and
paying you to show them how to do it—is simple. No small business owner
is going to pay you for anything he or she doesn’t feel has business value.
Is there business value to security? Does the small business put locks
on its doors? Just remember this: Small businesses buy computers because
computers help them do their work more efficiently and accurately and
reduce the cost of doing business. Small businesses will buy into security
for the following reasons:
It’s a legal requirement. You can help them meet regulations dealing with
the Health Insurance Portability and Accountability Act (HIPAA) and other
regulations concerning patient data, personal data and so on. Doctors,
for example, must follow HIPAA regulations.
They understand the need for confidentiality. Lawyers and doctors must
keep client information from unauthorized users, which includes some employees
in their own firms.
A clear and present danger exists. One or many of the various worms and
viruses may have caused damage, loss of business or otherwise hampered
operations. The damage may have even come from the inside, from an employee
who stole information or harmed computer systems.
They think it’ll reduce the cost of doing business. If desktops are locked
down, employees can’t load software, change configuration settings or
do something they’re not supposed to be doing, but they can do their work
because the computer is always working.
Small businesses need computers because computers make them more efficient, more accurate and, ultimately, more profitable. Small businesses need security in order to stay in business.