Thursday, July 17, 2008

When do you need ISA Server in SBS 2003? (book excerpt)

Good day - I am Harry Brelsford, author of Windows Small Business Server 2003 Best Practices, and I am posting up a few pages per day until SBS 2008 ships! Today we complete chapter 5 and look at the case FOR having ISA Server, plus talk about next steps in security and review a column by Frank Ohlhorst on security appliances!
enjoy the read....harrybbbbb
Harry Brelsford, CEO at SMB Nation,
When Do You Need ISA Server?
Well, you’ll certainly need ISA Server 2000 by the time you reach Chapter 13, which is dedicated to this application in the SBS 2003 premium edition. But, seriously, ISA Server 2000 fits my favorite analogy about shoes and pornography. With respect to shoes, you’ll use ISA Server 2000 when said shoe fits. With respect to pornography, simply recall the famous US Supreme Court opinion on obscenity and community standards: You know it (pornography) when you see it. Translation: You’ll know when you need ISA Server 2000. But enough teasing.
This chapter was written to demonstrate the security in SBS 2003 standard edition. Period. If you want to peek at Chapter 13 to learn more about ISA Server 2000 usage, go for it. I’ll see you back here.
BEST PRACTICE: Keep this in mind. If you purchase the premium edition of SBS 2003 and deploy ISA Server 2000, you will not configure and utilize the security features supported by RRAS. You would let ISA Server 2000 do the heavy lifting.
Security Resources
Given that by now we all agree security is a fluid, dynamic concept and not a static one, you need to take a long coffee break and go learn more about the following security resources:
Visit for the latest updates for any Microsoft product.

• Microsoft security site. First and foremost would be to spend a few hours poking around the Microsoft security web site at www.micro­ Enough said.
• Read Ballmer’s WWPC keynote. Believe it or not, it might be valuable for you to read the keynote given by the CEO of the richest company on earth at the October 2003 WWPC conference. There are tons of details on Microsoft’s view of security and that’s something you should know. Click over to to find the transcripts of his speech.
• Roberta and Thomas. Can’t say enough about the security books by Roberta Bragg and Dr. Thomas Shinder. Read all about it by searching on these author names at Amazon ( See Roberta’s excellent article titled “Giving The the Small Business” discussing SBS 2003 security at
• Small Business Best Practices. Be sure to sign up for my SBS newsletter at where I’m honor-bound to present to you the latest SBS-related security matters.
• Review security in the To Do List in SBS 2003. Believe it or not, a great use of time right now would be to read, print, and read again the information contained beneath the View Security Best Practices link on the SBS 2003 To Do List. Note that we’ll walk through a few of these suggestions you’ll see when we get to Chapter 11 and discuss SBS 2003 administration.

Next Steps
Before you get to the summary and move on, a few final thoughts. Security is all about next steps. It never ends. Some days you’re just trying to stay one step ahead of the bad guys. Other days the bad guys are one step ahead of you. Be active, be diligent, and never rest for a mere second.
More advanced topics to be covered either later in this book and/or in my forthcoming advanced SBS 2003 book include:
• Auditing (I hinted at this earlier)
• Time synch with Internet clock
• Group Policy stuff and its mysterious powers
• Software restrictions policies
• IPSec
• More details on Network Monitor (Roberta Bragg’s fave)
• The dangers of the Encrypting File System (EFS)
• Learn about the Microsoft software asset management program at

So stand by and hold your horses!
Guest Column: Leveraging Security Appliances
Frank J. Ohlhorst
Spam has become the scourge of every business. Today, almost every mailbox is clogged up with unwanted content, becoming both a space hog and a drain on productivity. Unsolicited email can be more than a nuisance; some spam messages contain viruses or worms which can do incredible damage to Windows based systems.
Small Business Server 2003 includes very little in spam and virus fighting capabilities. Although the latest version of Microsoft Outlook does offer some malicious code protection and spam filtering capabilities, most users will not find it enough when it comes to optimally controlling the problem. What’s more, relying on desktop applications for virus control and spam is far from ideal; after all, messages and files are still passed through the SBS server via Microsoft Exchange. The real key here is to prevent viruses, worms and spam from getting to the server in the first place.
Salvation comes in the form of hardware based security appliances. Those units, which are firewalls with added features, come in all shapes and sizes, complicating what makes a good fit for an SBS 2003 network. Those security appliances offer additional valuable features, ranging from content filtering to web caching. Once the gains in productivity are considered by eliminating spam and malicious code, security appliances become quite affordable. What’s more, additional savings can be had by choosing SBS2003 Standard Edition over Premium Edition; after all, if a hardware firewall is in place, why bother with the cost and management overhead of ISA Server?
Although plenty of software products exist that integrate with ISA Server to handle critical security concerns, integrators will find moving those tasks off of the server will net increased performance and reduce complexity. SBS2003 is a single server solution, which prevents integrators from economically moving ISA Server off to another server to reduce the overhead created by firewalls and add on products.
The key is to look for a unit which acts as a proxy for internet traffic and examines every incoming data packet. Those requirements will help to thin the herd a little when selecting a unit. Several vendors offer units that are tuned to small business needs; those looking for strong antivirus and content control should consider units from Fortinet (, which makes a whole host of scalable solutions for the SOHO/SMB market. Sonicwall ( is another vendor that creates comprehensive hardware security solutions for the SMB market. In some cases it might be advisable to go straight to the source for strong firewall and security features, which is where CheckPoint ( excels with their S-Box line of security appliances.
Regardless of what vendor’s product is implemented, integrators need to consider more than just the feature set. Ease of management and adding options should be at the top of the list, especially if ISA server is to be eliminated. Here is where browser based interfaces rule and setup wizards show their value.
Both Fortinet and Sonicwall strive to ease the administrative burden. Ideally, the selected unit should also offer remote management capabilities, which allow integrators to remotely tune and update the appliance, eliminating the need for a site visit. Another key feature to consider is automatic updating of virus signatures and spam lists; most of the products on the market successfully handle those tasks.
All things considered, spam and virus concerns only strengthen the argument for adding a hardware firewall. The trick is to select an economical product that can grow with networking needs by offering expansion options, such as content filtering, VPN or dialup failover support.
Okay - we’ve done the drill on security. This chapter focused on the standard version of SBS 2003 and the RRAS-based security features at the bits level. But really, this chapter was much more than service port openings in a firewall. Security is a multifaceted matrix of endless threats. These threats are both bits and business, virtual and physical. It’s kinda like a popular Western belief in God: Security will never end!
Meet me in the next chapter to explore Exchange Server 2003 and, later on, in Chapter 13 to discuss security once again as part of the SBS 2003 premium edition and ISA Server 2000.
