Security Advisor

Giving Them the (Small) Business

Microsoft's Small Business Server 2003 is a big leap forward for security.

• By Roberta Bragg
• 12/01/2003

Small businesses computer systems endanger your networks. Small business owners and employees have little training, motivation or expertise in information security. They’re likely to place desktops, servers and domain controllers on the Internet with no protection at all. This means their systems could well serve as vectors for new attacks or, if they’re compromised, serve as bases for attacks on your systems.

As IT pros, you get asked by friends and casual acquaintances about networks and increasingly, about computer security. What do you tell them?

This market could provide additional income for those with strong networking and security skills.

Small businesses could be your ticket to employment—not as an underpaid clerical-level worker who also administers the 50-or-fewer-node network, but as a consultant who builds a practice around providing networking and/or information security services for these companies.

So what do you tell the small business owner about computer security? Let’s step beyond the “use a firewall, use anti-virus, patch your systems” mantra. While that’s good advice, what next? What do you say when they say, “How do I do that?” How do you get small business owners to actually do something about security? And, maybe most importantly, how do you get them to pay you to help them do something?

Providing the Plan
So how do you provide a security plan that the small business can swallow? How do you provide them with a solution they can afford, but one that won’t have you working for pennies per hour? There’s a securable business computer solution right under your nose. I’m talking about Small Business Server 2003 (SBS 2003), which provides sound business value for the buck. This release is slated for two versions:

Standard, a specially crafted version of Windows Server 2003, Exchange, Sharepoint Services and a few other goodies.

Premium, which also includes SQL Server, ISA Server and FrontPage 2003.

The big news here isn’t just the two different versions, but also the price. Standard costs $600. Add a special Hewlett-Packard or other OEM “starter server” for $359, and you have a server for under a grand. Many small businesses don’t need SQL Server, and many, while they need a firewall, can be equally protected by using a separate hardware-based appliance or configuring the basic firewall services of the Routing and Remote Access Service (RRAS) service.

SBS offers all the security values of Windows 2003, like Group Policy, security configuration and analysis, the Group Policy Management Console, shadow copy, Software Restriction policies and EFS. And it offers something more, in the form of easy-to-use, straightforward wizards that can save you a lot of time, as well as remind you to configure security features and use security best practices. The wizards simplify much of the management of a Windows SBS domain. It’s not that you need anyone to dummy the product down for you; it’s that we all benefit when the application of security is straightforward and painless. Here’s a taste of what I mean.

Greetings! Configure Me
Log on for the first time to a newly installed Windows 2003 domain running SBS 2003 and the first thing you’ll see is the To Do list. This is, unsurprisingly, a list of items to get the network up and running. As you’d expect, there are wizards for configuring users, creating computer accounts and the like. The No. 1 item, however, isn’t a wizard. It’s a simple statement: “View Security Best Practices,” and it leads to a Help file. I don’t know how many new SBS users will read it, but making it the first item on the list emphasizes its importance and provides an ever-ready link to security information.

Next in importance is the “Connect to the Internet Wizard.” This is the best thing, in my opinion, the product design team has done for SBS. Here’s what it can do:

Configure firewall services. In the Standard edition, this means the RRAS basic firewall is configured to block all access to the Internet, and then opened up for those services you select such as Web and e-mail.

Configure Web Services. You get to decide what services are accessible from the Internet, as seen in Figure 1.

Figure 1. Small Business Server 2003 lets you decide what services are available from the Internet.

Support SSL. The wizard allows you either to import an SSL certificate for use in protecting Outlook Web Access (OWA) with SSL or create a self-signed SSL certificate, as Figures 2 and 3 show. The certificate is then installed and the proper virtual directories set to require SSL. As the Exchange server should only be accessed by employees, using a self-signed certificate is acceptable. Later, when configuring clients, the client configuration wizard will install a copy of a certificate on the client. How’s that for hands-off security? Small business won’t have to purchase commercial SSL certificates to secure remote access to e-mail, and you won’t have to configure SSL manually for the server or the clients.

Figure 2. Use the wizard page to request a self-signed certificate. The wizard will make one for you.

Figure 3. The created certificate.

Configure attachment blocking for Exchange server. A list of the attachment file types is displayed and is configurable, as seen in Figure 4.

Figure 4. Blocking e-mail attachments couldn't be simpler.

Configure a password policy. At the end of the Internet wizard, a prompt to configure the password policy, shown in Figure 5, is displayed. Password length, complexity and maximum password age are presented as configurable options. No one has to figure out which group policy to set this in; it’s just done. You do have to visit Group Policy to add the requirement for password history and minimum password age, but for the basics, there’s no guess work. You don’t have to understand Group Policy to set the password policy.

Figure 5. During Setup, you're prompted to set some basic password policies, making security administration more of a no-brainer than ever.

Caveats, Concerns and Next Steps
You’re not done when you finish the wizard. Before you connect the server to the Internet, I’d recommend a few things.

Take a quick look to make sure things are configured the way you think they are. Visit RRAS and view the basic firewall services and ports, as in Figure 6. This is also where ports that weren’t choices in the wizard need to be configured. Note, if you will, how the list is by service, not by port number. What could be easier? Want to use a custom port for a service? No problem. Don’t use the offered check boxes, but add your own custom service and enter the port number desired.

Figure 6. Check your firewall configuration and make sure the settings are right before connecting your server to the Internet.

Of course, running the Internet Connection Wizard isn’t the only security configuration needed. You still have to add users and computers, configure NTFS Access Control Lists (ACLs), share resources, provide secure remote access, adjust security using Group Policy, set up patch management and implement a backup plan. You’ll probably also need to train users and figure out a polite way to keep the business owner from getting administrator rights on the server.

Consider implementing a hardware-based firewall, too. If you do, you may want to forgo configuration of the RRAS basic firewall. If the hardware firewall is Plug and Play, you may be able to do its initial configuration by using the wizard. I don’t have any problems with the security of the RRAS basic firewall; I just like to hedge my bets. If someone does compromise my firewall, I’d rather they not find themselves connected to my domain controller. If I’m monitoring the network, maybe that’ll give me enough warning to disconnect the DC, or maybe the hardware-based firewall will fail in a closed state and provide no entrance to my network at all.

Use the basic firewall if necessary. Let’s be realistic: Even a cheap firewall appliance will cost the small business owner more money. Sometimes you’ll be able to put one in place, sometimes you won’t. But the RRAS firewall is already there. Use it.

Use the SBS Monitoring Configuration Wizard to configure monitoring and set up monitoring of the security log. This wizard can be used to watch the security log and send an alert when a number of failed logons or other security event occurs. You can build a simple intrusion detection system using the monitoring tools on SBS. This feature is so cool that it should be implemented on Windows 2003.

Disable EFS. The Encrypting File System is enabled by default. You need to disable EFS until you can develop a solid plan to implement it so it can be secured.

Don’t forget antivirus. There is no built-in antivirus protection. It is, however, prominently listed on the security best practices pages. If you’re going to sell small business on SBS, don’t forget to add in the cost of antivirus products.

I really believe SBS presents the right way to introduce security to small business. By leading with notes on best practices and then providing a wizard to lock down the Internet connection, the very first security configuration steps become the first steps taken on the server. This is what we need.

However, that does actually raise a concern that it might be too simple. If we teach Mr. and Ms. small business owner that all they have to do is run a few wizards, we’re right back where we started. They’ll run the wizards but won’t know the right answers to the questions. They’ll think they’re secure, but they won’t be. That’s where you’ll come in. The small business owner has enough to do running the business. He or she needs to know what to do to secure information systems but shouldn’t have to know how to do it. You do. You become the added value in the secure IT solution for small business.

Getting Paid
Getting someone to act is only difficult if you can’t provide a compelling reason to and if you can’t provide a solution. I’ve presented one possible solution. I’m sure you can develop others. If you choose, however, to invest some time in promoting security, I’m sure you’d like to get paid. The answer to getting small business owners to secure their information—and paying you to show them how to do it—is simple. No small business owner is going to pay you for anything he or she doesn’t feel has business value. Is there business value to security? Does the small business put locks on its doors? Just remember this: Small businesses buy computers because computers help them do their work more efficiently and accurately and reduce the cost of doing business. Small businesses will buy into security for the following reasons:

It’s a legal requirement. You can help them meet regulations dealing with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations concerning patient data, personal data and so on. Doctors, for example, must follow HIPAA regulations.

They understand the need for confidentiality. Lawyers and doctors must keep client information from unauthorized users, which includes some employees in their own firms.

A clear and present danger exists. One or many of the various worms and viruses may have caused damage, loss of business or otherwise hampered operations. The damage may have even come from the inside, from an employee who stole information or harmed computer systems.

They think it’ll reduce the cost of doing business. If desktops are locked down, employees can’t load software, change configuration settings or do something they’re not supposed to be doing; but they can do their work because the computer is always working.

Small businesses need computers because computers make them more efficient, more accurate and ultimately, more profitable. Small businesses need security in order to keep them in business.