Meeting the goals of the Trustworthy Computing initiative
Microsoft is positioning Microsoft Small Business Server (SBS) 2003 as a one-stop technology solution for the small-business market—ideally, companies with 75 or fewer workstations. Within this market, SBS wizards are fine-tuned to address common business needs, such as connecting to the Internet with or without a firewall, running a local mail server, providing remote email access, preconfiguring an Internet-accessible company Web site, and providing local and remote access to a variety of HTML-based collaboration resources. In August, I tested the SBS 2003 Standard Edition release candidate (RC) to determine the product's security strengths and weaknesses and to see how well the product meets the goals of Microsoft's Trustworthy Computing initiative.
The standard setup procedure installs, configures, and activates Windows Server 2003, Microsoft Internet Information Services (IIS) 6.0, Windows 2000 Server Terminal Services, Windows SharePoint Services, Microsoft Exchange Server 2003, and Microsoft Database Engine (MSDE—the desktop version of Microsoft SQL Server). For more information about SBS 2003, see "SBS 2003 Overview," December 2003, http://www.winnetmag.com, InstantDoc ID 40708.
To smooth the SBS installation and to facilitate ongoing management, monitoring, and maintenance, Microsoft has layered an impressive array of wizards on top of the core product. SBS command central is in the Server Management console, which you open from the Start Menu. The improved SBS console presents the two SBS views, which Figure 1 shows. Under Standard Management, you'll see a user-friendly, wizard-driven version that lists various tools and tasks; under Advanced Management, you'll find the familiar Microsoft Management Console (MMC) snap-ins for Active Directory Users and Computers, Group Policy, Computer Management, Exchange Server, Terminal Services, and IIS.
Under Standard Management in the Server Management console is a link to the To Do List, which guides you through necessary system configuration tasks. To configure networking, expand the To Do List and select Step 2, Connect to the Internet, which launches the Configure E-Mail and Internet Connection Wizard. After one pass through the wizard, setup configured SBS 2003 with a DNS server with forward and reverse lookup zones for the local domain, a DHCP server, a WINS server, an IIS 6.0 server with four default Web sites, an Exchange 2003 server with a registered domain name (if applicable) ready to send and receive SMTP and Web-based email, a running version of Windows SharePoint Services that hosts a generic Remote Web Workplace, the desktop version of SQL Server 2000 Service Pack 3 (SP3) (with the Slammer fix applied) for monitoring and reporting, and a directory of SBS client setup scripts and software.
Using an External Firewall
You can configure SBS 2003 to operate with or without an external firewall, so your first decision is whether to use a firewall appliance between the server and the Internet connection. If you already have a firewall, you need only one network adapter in the server. If the existing firewall isn't Universal Plug and Play (UPnP)compatible, you'll need to modify the firewall port-filtering rules to let users access SBS from the Internet. If the existing firewall supports UPnP, SBS will attempt to automatically configure the firewall.
The sidebar "SBS Firewall Ports" defines the ports you must open for each type of remote access that you enable on the server. Most firewalls are preconfigured to deny access to all requests. If you manually modify the firewall, you'll need to add a rule that enables incoming traffic on the specified port for each service you plan to host on the SBS machine. If you have a UPnP firewall, I recommend that you compare the firewall port settings with those in "SBS Firewall Ports" after you install and configure the server.
Using the Native Firewall
If you don't have an external firewall, you can install two network adapters in the server and activate the basic SBS firewall. To avoid setup problems, be sure you select network adapters for which native driver support exists. When you have two network adapters, one connects to a hub for the internal network and one connects to the DSL or cable modem that provides Internet access. With this setup, the RRAS basic firewall protects internal systems against accidental or malicious access and potential compromise.
The SBS Standard Edition RRAS basic firewall doesn't log port-filtering and blocking activity, which severely limits its use as a real-time monitoring and warning device. However, Microsoft says it will improve the basic logging capabilities before the final product ships. For better monitoring and more sophisticated filtering capabilities, consider installing a software-based firewall and the security analysis utilities I describe in the sidebar "Tools for Your Security Arsenal." In SBS 2003 Premium Edition, Microsoft Internet Security and Acceleration (ISA) Server 2000 provides robust firewall capabilities and numerous monitoring tools. If you want to implement SBS 2003 and a powerful firewall in one box, use the premium edition.
Configuring the Internet Connection
After you decide on the type of firewall configuration, use the Configure E-Mail and Internet Connection Wizard to complete the server's configuration. The wizard walks you through 15 screens to configure the Internet connection, the native firewall, IIS Web sites, Exchange server, and services you want to publish on the Internet. First, you select the correct Internet interface, either dial-up or broadband (an always-on connection). There are three common broadband connection types—static (when the system accesses the Internet through a router that has a registered IP address), dynamic (your ISP assigns a DHCP address to the Internet connection when you log on), or broadband (your DSL or cable modem doesn't assign DHCP addresses and performs no routing but simply passes network packets directly to the server). Select static if your ISP has given you a permanent static address (for the firewall appliance or the network adapter that connects to the Internet), select dynamic if your ISP assigns your connection a DHCP address, and select passthrough if you have a passive DSL modem or a cable modem that has no TCP/IP address but simply forwards packets to a network card or firewall that has a TCP/IP address. Next, the wizard prompts you to enter TCP/IP settings for the Internet connection, the default gateway and external DNS server addresses, and the TCP/IP domain for the internal network.
Configuring the Basic Firewall
Next, you use the Configure E-Mail and Internet Connection Wizard to configure the RRAS basic firewall. Assuming both network adapters are present and recognized, setup prompts you to unplug the Internet connection so that it can discover and configure the adapter for the internal network. By default, setup assigns the public TCP/IP subnet 192.168.16.0 to systems on the internal network, reserving the first nine addresses (192.168.16.1 to 192.168.16.9) for servers and other devices that might require a fixed address. If you have an external firewall, you can enable the basic firewall on the internal network adapter to block ports from access by internal systems.
After you enable the firewall, setup creates a firewall rule that enables external access to the Exchange server for incoming and outgoing SMTP mail on TCP port 25. You can add rules that enable VPN connections, Terminal Services client sessions, and FTP client sessions by clicking the appropriate check boxes in the wizard's Services Configuration screen, as Figure 2 shows. If you need to enable remote access for another service, such as AOL Instant Messenger (AIM), click the Add button to bring up a window in which you can enter a description of the incoming service, the protocol (TCP or UDP), and port number.
You complete the initial firewall configuration by enabling remote access to some or all of the default IIS Web sites. Figure 3 depicts the wizard's Web Services Configuration screen, which shows that setup automatically enables remote access to Microsoft Outlook Web Access (OWA), Remote Web Workplace, server performance and usage reports, and the locally hosted company Web site (i.e., the Business Web entry at the bottom of the list). To enable other IIS-based services, simply select the check boxes for those services.
To open or close firewall ports after the initial configuration, go to Administrative Tools, Routing and Remote Access. Expand the IP Routing key and navigate to NAT/Basic Firewall. In the right pane, highlight the adapter connected to the Internet, click Properties, then click the Services and Ports tab to open the window that Figure 4 shows. This window displays all the firewall's preconfigured services, including options such as IP Security (IPSec) that aren't available in the Configure E-Mail and Internet Connection Wizard. To enable access for a service not on the list, click the Add button, then enter a description, the port on which the firewall will accept incoming traffic, the internal destination address (typically a machine on the internal network with a public address in the 192.168.16.* subnet), and the port the firewall should use when it forwards traffic to the destination machine.
Automating Setup with a Script
The Configure E-Mail and Internet Connection Wizard summary window displays all the tasks the wizard will perform. The first few times you configure SBS, I recommend you click the Details link below the scroll window to view and save the configuration information. The wizard performs these tasks by modifying and running the .vbs file c:\program files\microsoft small business server\networking\icw\config.vbs. Every time you run the wizard, it creates a new version of the script with the format config<n>.vbs. If you run the wizard twice, you'll find config.vbs and config1.vbs in the ICW directory.
The script documents every configuration change you make, so you can easily revert to an earlier setup by manually running the earlier script. After you become familiar with the script, you'll discover that directly editing the script is much faster than paging through the wizard's 15 screens, especially if you want to make only one modification. To edit the script, load the script in a text editor, modify the configuration, save the file as a new version, and run the script from a command prompt. If the most recent version of the script file is config4.vbs, type the command
c:\program files\microsoft small business server\networking\icw\config4.vbs
The script appends a record of the operations it performs, including errors, to the log file c:\program files\microsoft small business server\support\icwlog.txt.
Top 10 Security Recommendations
To expedite installation and configuration, setup doesn't enable several obvious security controls. Here's a list of 10 adjustments you can implement to make the server more secure and to monitor events that might warn of malicious activity. The fastest way to implement these controls on workstations and servers that aren't domain controllers (DCs) is to modify the Domain Security Policy settings under Administrative Tools. The price you pay for using the fastest method is that, after you alter the default policies, you can't revert to a previously working Group Policy. If you prefer to work with a guaranteed fallback position, you should create separate Group Policy Objects (GPOs) that implement these settings on the server and SBS clients.
- Administrator account: To eliminate a well-known target, rename the administrator account on the server. Perform this task manually in the Server Management Users key (right-click Administrator and select Rename User from the drop-down menu). The online Help gives step-by-step instructions for using a GPO to automatically rename the Administrator account on the server and all Windows XP and Win2K workstations.
- Passwords: Setup prompts you several times to enable a password policy that enforces length, complexity, and password-history rules. If you don't enable the password policy during the initial setup, you can enable the default password policy later by expanding the Users link in the Server Management console and clicking Configure Password Policies. You can also enable a password policy by modifying the Domain Security Policy under Administrative Tools. The Server Management Users link displays only accounts that you add after the server is up and running; to view the built-in accounts and groups, open the Active Directory Users and Computers link under Advanced Management.
- Interactive and network account lockout: Setup doesn't enable account lockout for failed local or network logon attempts. To enable account lockout for failed interactive and network logons, go to Start Menu, Administrative Tools and open the Default Domain Security Policy. Expand the Account Policies key and define all three account-lockout controls. I routinely set the lockout threshold to 3 and the duration and reset values to 47.
- Remote access account lockout: If you offer VPN access to the server, you should also enable remote access account lockout. Remote account lockout has no GUI interface, so to implement this feature you must modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout registry subkey as follows:
- The value entry MaxDenials:REG_DWORD enables or disables remote access account lockout. This feature is disabled by default, so MaxDenials is initially set to 0. To enable lockout, set MaxDenials to the desired number of failed logon attempts that will lock out the account.
- The value entry ResetTime:REG_DWORD defines the number of minutes the account will remain locked out. By default, this value is 2880 minutes. I recommend you change the ResetTime to a more reasonable value between 30 and 47 minutes.
- Security auditing: Setup enables success auditing for six of the eight security audit categories on SBS DCs. Although success auditing helps you track user activity, failure auditing is the only way you can track potential intrusion attempts. At a minimum, enable failure auditing for account logon events, account management, logon events, policy change, and system events. On SBS workstations, enable failure audits for account management, logon events, policy change, and system events. Workstation Security event logs can expedite the process of diagnosing and isolating an infected system.
- NetBIOS and WINS: SBS supports legacy Windows 9x clients that rely on NetBIOS name resolution. When you consider how unreliable these old systems are and the long history of successful NetBIOS exploits, the decision to support legacy clients is difficult to understand. If you can mandate that all SBS customers use XP and Win2K workstations, you can tighten security by stopping the WINS service (this closes two open TCP ports and two open UDP ports) and setting the startup type to disabled. If you can live without NetBIOS, you should also disable LMHOSTS lookup and NetBIOS over TCP/IP (NetBT) on all network adapters. Setup enables both these features by default on the adapter for the internal network.
- Remote access connections: If your site has more stringent security requirements, for example, a law office or drug-testing facility, I recommend you modify the default Remote Access Policy to negotiate Layer Two Tunneling Protocol (L2TP) instead of PPTP connections. When you enable any type of incoming VPN connections, the remote access wizard automatically creates an IP spoofing filter on the external interface to prevent users on the Internet from masquerading as an internal system to gain access to network resources.
- Server monitoring and reporting: Configure and activate the Monitoring and Reporting tool. This utility uses a SQL Server MSDE 2000 database engine to store and report data that affects system performance, preconfigured and site-specific alerts, services that should be running but are stopped (e.g., the spooler service or WINS), warning and error messages in the six event logs, and system shutdown and restart activity. Review the logs frequently to monitor server usage and critical security events.
- Client administrator group: The SBS client setup utility automatically adds local user accounts to the workstation's Administrator group. To limit potential damage from malicious software (malware) that runs in the context of the locally logged-on user, you might want to move local accounts out of the Administrators group and into the Users group.
- Test your firewall: Regardless of whether you have a separate firewall or you enable the SBS basic firewall, run Nmapwin (see "Tools for Your Security Arsenal") to probe the Internet connection and the internal network connection. After you identify the firewall's attack surface, run Active Ports to identify which process or service is listening on which port (and which TCP/IP address). Using information from both tools, you can further reduce the network's exposure by adding firewall rules or stopping services that aren't required.
A Good Start
SBS 2003 does a reasonable job of meeting the goals of the Trustworthy Computing initiative: Secure by design, secure by default, and secure in deployment. The first item in the Server Management console's To Do List, Security Best Practices, contains excellent advice about protecting the system from internal and external threats and monitoring the system for unexpected activity. Windows 2003's default configuration is more secure than any previous platforms. The top 10 security recommendations will help you close the gaps that the default installation doesn't address. You might also want to change the internal IP subnet address from the default of 192.168.16.0 to something less obvious during the initial configuration. Also, review IIS Web site defaults and the controls that restrict or enable remote access to ensure that the default controls adequately protect your environment. Given the large number of Web-based resources that SBS hosts and the new emphasis on remote procedure call (RPC) over HTTP, I anticipate a flurry of hotfixes to correct as yet undiscovered vulnerabilities in OWA, Outlook Mobile Access (OMA), and the Remote Web Workplace. What a delight it will be if my suspicions are wrong.