Wednesday, July 9, 2008

SBS 2003 security - revisiting setup and automatic updates

hi everyone - Harrybbbb here, the author of the Windows Small Business Server 2003 Best Practices book and a fellow Microsoft Small Business Specialist (SBSC). Today I am posting up moreof Chapter 5from my purple book.
This chapter is about security and we now discuss SBS setup fundamentals that impact security. Enjoy!
harrybbbbb Harry Brelsford CEO at SMB Nation
SBS Setup Revisited
Believe it or not, you’ve already taken significant steps so far in making your SBS network secure. For example, you have deployed the SPRINGERS network with two network adapter cards (aka network interface card or NIC) that will create something of a “Great Barrier Reef” (GBR) to create a division between good and evil (Figure 5-1). The GBR will make even more sense in a few more passages when you explore the Routing and Remote Access Service (RRAS) basic firewall capability in SBS 2003.
Visit for the latest updates for any Microsoft product.
Figure 5-1
This figure shows at a high-level how two network adapter cards work in conjunction with SBS 2003.
BEST PRACTICE: You’ll recall that the two network adapter cards were suggested during the SBS setup at mid-point via a setup warning message. This was discussed in Chapter 3. And I’m honor bound to comment that while the two network adapter card method is much preferred, remember that the crown jewels are sitting atop the “reef,” to follow my analogy. You have been so advised.
Another task you completed in the SBS 2003 setup phase was naming the internal domain (SPRINGERSLTD.LOCAL). This act laid the foundation for having separate DNS domains and creating separation from the outside world. Read on to the next paragraph to “hear the rest of the story” on this.
You also completed the E-mail and Internet Connection Wizard (EICW) in the prior Chapter (Chapter 4). It was necessary to complete that wizard, which applied many security configurations to SBS 2003, in that particular chapter to maintain “order” in the SPRINGERS methodology. In the EICW, you referred to and configured SBS 2003 to realize and recognize the external domain (SPRINGERSLTD.COM). So between the SBS 2003 setup process and completing the EICW, you effectively created domain separation, which is a good thing. Why? Because you’ve shielded the internal domain from external viewing. But heed this disclaimer: The outsiders can still see the external IP address of the wild side network adapter card on the SBS server machine.
Whether you knew it or not, basic auditing was turned on as part of the SBS setup process so that logons are recorded in the Security log under Event Viewer (this is located under System Tools beneath Computer Management (Local) under Advanced Management). My forthcoming advanced text on SBS 2003 will cover auditing in much more detail.
And finally, you completed the password policies settings, read the security best practices stuff from the To Do List, completed the remote access configurations (which inherently have security in mind), and so on. So you’re not new to security in SBS.
With SBS 2003, as soon as you’re connected to the Internet, you need to RUN, NOT WALK to implement the very latest patches. This will make your machine “fit” for service, and should be done given the speed in which gremlins travel on the Internet. As elegantly pointed out by Microsoft CEO Steve Ballmer at the SBS 2003 launch at the WWPC, the time between identification of vulnerability and acts that exploit said vulnerability has been dramatically compressed. Waiting only minutes prior to implementing the latest patches clearly exposes your “naked” SBS 2003 server machine to worms and other bad stuff. And if your SBS server machine is located in New Delhi, India, be sure to immediately secure it physically so it’s not attacked and stolen by monkeys! (An almost-true story here as told to yours truly).
Visit for the latest updates for any Microsoft product.
Automatic Updates!
Because this is such an easy step, it’s easy to overlook. In fact, overlooking this task is one of Microsoft’s great fears and was the subject of extensive media coverage in the fall of 2003. Why? Because Microsoft, as displayed by Ballmer in his WWPC keynote address, has typically released a patch to correct a vulnerability before someone exploits that vulnerability (e.g., Microsoft released its SQL Server Slammer patch before the worm was released in the wild). But the problem is that folks don’t take the time update their computers. So while the patch existed, in many cases it hadn’t been applied. That certainly reflected some “dark days” in the world of network administration and exposed some of us to be less than competent at our SBSer job.
This specific issue about getting folks to update their system has spawned significant debate in the technology community and media. One side believes that Microsoft should automatically update your system as its default, out of the box configuration. Others are concerned about the privacy issues involved in allowing Microsoft to collect machine configuration information (so it can decide what to apply!). You are encouraged to follow popular journals such as CRN ( to monitor this technical/social/political debate.
Note that you will remember in Chapter 4 the automatic update function started to run at the conclusion of the E-mail and Internet Connection Wizard (EICW). However, I elected to defer the in-depth updating discussion until this chapter to make it “fit” the security discussion.
You might be amazed at how easy it is to actually update your SBS 2003 system with the latest patches. Follow these steps.
1 Log on to your SBS 2003 server machine (e.g., SPRINGERS1) as Administrator (which in the case of SPRINGERS would use the password Husky9999!).
2 Click Start, All Programs, Windows Update.
3 Click Next at the Automatic Updates Setup Wizard page where you are welcomed.

BEST PRACTICE: Perhaps the socio-political discussion earlier in this section hit home with you. On the Automatic Updates Setup Wizard page, there are links that allow you to learn how automatic updates
Visit for additional SMB and SBS book, newsletter and conference resources.
impact your licensing agreement and how Microsoft’s privacy policy affects you when Automatic Update is run.
4. The Notification Settings page (Figure 5-2) allows you to configure the Automatic Update settings. This relates to the degree in which you want the update function to be automatic. For example, are you interested in having the updates automatically updated and applied? Probably not, as I’ll explain in the next Best Practice. The default selection regarding downloading updates automatically and notify­ing you is the preferred method (this is advisory mode).
Figure 5-2
For SPRINGERS, please make your screen look similar to this figure.
BEST PRACTICE: Civil liberties and privacy concerns aside, you want some control over how your updates are applied and the automatic deployment of updates is typically frowned upon. Why? Because you may well want to test the updates on a sample network (e.g., SPRINGERS with a live Internet connection on a test server) before applying the updates to a real production machine. Once in a blue
Visit for the latest updates for any Microsoft product.
moon, a patch will fix one thing and break two (that statement isn’t to fault Microsoft, but rather speak the truth and appreciate the complexities of software interaction).
So test and verify whenever possible before deploying patches on a production server machine!

5. Click Finish on the Completing the Automatic Updates Setup Wiz­ard page. Note there is no link titled “here” to save this as part of your SBS 2003 network notebook, because this isn’t a native SBS 2003 Wizard.

6. An Internet Explorer Web browser will launch and connect to Microsoft’s automatic update site (http://v4.windowsupdate.micro­ Note in the case of your imaginary imple­mentation of SPRINGERS, it may well be that you aren’t truly connected to the Internet. But in the “real world” you likely would be connected to the Internet and could complete this task as expected.

7. Approve the request from Microsoft to download a component called “Windows Update” to analyze your machine by clicking Yes. It is this process that will assess what patches are missing and need to be applied. Oh, and you may select the checkbox to Always trust con­tent from Microsoft Corporation.

8. On the Welcome to Windows Update page that appears, click Scan for updates.

9. A screen of suggested updates will be displayed next (titled Pick updates to install). Click Review and install updates.

10. The actual updates to approve and install are shown in Figure 5-3 on the Total Selected Updates screen. You may remove updates at this point that you do not care to install. Because this book, being written in the fall of 2003, is only as current as the day on which I wrote it, I can’t even hope to recreate a figure that displays the update you’re likely to see at a future date. Bear with me. Assuming the suggested updates are acceptable, click Install Now.

Figure 5-3
Carefully review each update before proceeding. If in doubt, remove the update and reconsider it at a future time (don’t wait too long though, but be careful nonetheless).
Visit for the latest updates for any Microsoft product.
11. You will likely need to approve a license agreement for one or more of the updates being applied. Such an agreement might look like Fig­ure 5-4. Click Accept.
Figure 5-4
Accept any necessary license agreements so that you can proceed.

12. A component progress dialog box will be displayed similar to Figure 5-5.

13. You will arrive at the Installation Complete page seen in Figure 5­6 and you will likely be asked for a reboot at this stage. This is nor­mal; see my further discussion under patch management.

Figure 5-5
You can monitor the status of the updates being applied.
Visit for the latest updates for any Microsoft product.
Figure 5-6
Success followed by a reboot.
BEST PRACTICE: Don’t forget to run Automatic Update on all of your workstations. These individual workstations on the SBS network need to stay-ship shape as well!
BEST PRACTICE: Sometimes you’ll have a configuration that is slightly different from what Automatic Update expects to see and what it can report. For example, perhaps Automatic Update isn’t the best way to keep your legacy NetMeeting application patched because it doesn’t necessarily know about, care about, and have the smarts to deal with that application. So some updates are applied manually by visiting the Microsoft security Web site at
Of course the above paragraph only begs the question: HOW
Visit for additional SMB and SBS book, newsletter and conference resources.
MANUAL UPDATES? Calm down! You can subscribe to my SBS newsletter wherein I’ll announce such updates and you can subscribe to the Microsoft security bulletins at the aforementioned site to receive similar notices. See the resources section near the end of this chapter for more information.

No comments: