Here is my question. I have another 30 or so of these networks out
there. Do I take this seriously or are my SBS installations reasonably
secure? I have to provide straight answers to my clients. If it's as bad as
these guys say, I have no business selling it to anyone.
Let me guess, they also volunteer to install this new Secure Cough System?
Russ
--
Russell Grover
Microsoft Certified Small Business Specialist.
MCP, MCPS MCNPS, (MCP-SBS)
Portland/Beaverton Oregon USA
Win Free Copy of SBS2003 R2
http://www.sbits.biz/free.html
Remote SBS Support
MSN Messenger
Support @ SBITS.Biz
http://www.SBITS.Biz
"Victor Banks" <v...@nospam.local> wrote in message
news:uzmnoiuz...@TK2MSFTNGP05.phx.gbl...
The reality is, Victor, that a properly maintained network of any flavor is
safe and secure whether that network is SBS or anything else. The key is
maintenance.
Show me a compromised network of any size and I'll show you one
improperly configured, monitored and managed.
I have a GSEC security credential, volunteer for the Center for Internet
Security, and know that the security of my network is based more on the
lack of control of my workstations than it is on that ISA box.
I cannot, to the best of my knowledge, remember an SBS box that has been
hacked when the passwords are long/strong/secure, the box is patched,
and the workstations are configured based on the risk of each person.
In my office that means that many are non-admin. It also means you
don't surf from the server.
But an SBS server... even with that "so called" hacked-in-umpteen-minutes
ISA server... get him to tell you in detail how he hacked into the ISA server.
I'll bet you a Mountain Dew that he used a sucky password, or the server
wasn't patched, or some other way that, I'm sorry, doesn't prove diddly
squat that ISA is inherently more insecure. It's more likely that
someone doesn't know how to set up ISA.
Do understand now that ISA server, no matter where that ISA server is,
is only as secure as the weakest link... therefore if it's not patched,
the network has lousy passwords, etc., etc., that's the important issue
these days.
Look around this newsgroup, Victor... do you see blood, guts and gore of
hacked-up boxes?
Anyone that has a nailed box around here does so because they violated
the rules by using a stupid password, surfed at the server and
introduced malware, or the workstations have introduced the risk. Which,
honestly, these days... 99.99999999% of my risks come from stupid users...
and not from that SBS.
Isn't that proof to you right there that the risk we take is certainly
manageable when you look at this newsgroup?
Look around. We do just fine. That security "expert" is no expert in
my book.
I'd love to chat one on one with these folks... they probably haven't used
Windows since the NT era.
Susan Bradley
MCP, SBSC, GSEC
SBS MVP
Security MVP
And... "gimme a break" on those security experts' advice to you.
--
Kevin Weilbacher [SBS-MVP]
"The days pass by so quickly now, the nights are seldom long"
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbra...@pacbell.net>
wrote in message news:44FA33E0...@pacbell.net...
ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to
Know (v1.02)
http://www.isaserver.org/articles/2004tales.html
--
Kevin Weilbacher [SBS-MVP]
"Victor Banks" <v...@nospam.local> wrote in message
news:uzmnoiuz...@TK2MSFTNGP05.phx.gbl...
Russ
--
Russell Grover
"Kevin Weilbacher [SBS-MVP]" <kweil...@gte.net> wrote in message
news:%23S7fY5v...@TK2MSFTNGP03.phx.gbl...
Send them my contact information.
It saddens me that you have deemed them "security experts" when they are
so sadly misguided and uninformed.
Charlie.
"Victor Banks" <v...@nospam.local> wrote in message
news:uzmnoiuz...@TK2MSFTNGP05.phx.gbl...
--
Charlie.
http://msmvps.com/blogs/xperts64
<snip details>
>
> Here is my question. I have another 30 or so of these networks out
> there. Do I take this seriously or are my SBS installations reasonably
> secure? I have to provide straight answers to my clients. If it's as bad as
> these guys say, I have no business selling it to anyone.
>
>
I wouldn't worry. What you hear is the delicate sound of hugely overpaid
people justifying their existences. You probably have to write off this
client as being too traumatised to see reason after this.
How long is a piece of string? Any system is hackable if the incentive
is high enough, like the burglary of premises. If the CIA wants to break
into a system, they will, whether it runs on an SBS or an IBM Z.
Probably they'll do it the easy way, by bribing or blackmailing an
employee.
There's no reason to believe SBS is seriously at risk. It is potentially
less safe than a system with its services all running on separate
servers, but hey, what system can't be improved by spending a lot more
money on it? (Wisely, of course).
I'd agree with the use of a separate firewall, for a variety of reasons
which don't include thinking that ISA is a heap of rubbish. I'm paranoid
enough not to connect a Microsoft OS straight to the Internet, without
at least a packet filter between, but that's just a personal preference.
A great many problems seen in this newsgroup could be solved much more
quickly with a separate box capable of logging traffic in and out of
SBS, but that's a network admin issue, not security. Mostly, two
entirely different devices controlling traffic is safer than one, and
safer than two identical devices.
If the security newsgroups and mailing lists were full of woe about SBS,
I'd be worried. If one particular commercial organisation is spreading
FUD around, my reaction would be to try an alternative supplier. Clearly
your client is not in a position to do this, for reasons you don't know.
The strongest, most expensive firewall will not prevent an internal user
from copying files from their computer to a thumb drive - but a group policy
rule might.
The strongest, most expensive firewall will not prevent someone from
installing illegal or pirated software on a computer - but proper setup of
user rights might.
The strongest, most expensive firewall will not prevent a user from logging
onto their computer after they have been fired - but proper policies that
require IT to be notified and user access shut down immediately might. There
was a story of a company in New York where a former employee stole
confidential information electronically from a computer. The employee had
been fired two years prior. Guess what? They had never disabled or deleted
that employee's logon!
--
Kevin Weilbacher [SBS-MVP]
"Victor Banks" <v...@nospam.local> wrote in message
news:uzmnoiuz...@TK2MSFTNGP05.phx.gbl...
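One way to catch the forgotten logon Kevin describes, as an added PowerShell example that is not from any poster in this thread: it sweeps enabled Active Directory accounts that have not logged on within a cutoff, writes a report, and disables them unless run with -WhatIf. It assumes the RSAT ActiveDirectory module and rights over the accounts; the OU path and the 90-day threshold are placeholders to adjust.

```powershell
# Added example (not from the thread): report and optionally disable enabled AD
# accounts with no logon inside the cutoff, so a departed user's logon does not
# linger for two years the way the New York case did.
# Assumptions: RSAT ActiveDirectory module installed; the OU and 90-day cutoff
# below are placeholders for your own domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = "OU=Staff,DC=example,DC=local",   # assumed OU
    [string]$ReportPath = "$env:TEMP\stale-accounts.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from the replicated lastLogonTimestamp, which is
# only accurate to about 14 days; that is fine for a "no logon in months" sweep.
$stale = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        # Accounts that never logged on but are older than the cutoff count too.
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }

# Keep a record of what was found before touching anything.
$stale |
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($user in $stale) {
    # Running the script with -WhatIf turns this into a dry run.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable stale account")) {
        Disable-ADAccount -Identity $user
        # Leave a note so the next admin knows why the account is disabled.
        $note = "Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}" -f (Get-Date), $user.LastLogonDate
        Set-ADUser -Identity $user -Description $note
    }
}

Write-Output ("{0} stale account(s) found; report written to {1}" -f @($stale).Count, $ReportPath)
```

Disabling rather than deleting preserves the SID and group history for any later investigation, which is why the script stops short of Remove-ADUser.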
Seriously.
Get me data, hard facts.
Leythos wrote:
> In article <uw#oW$vzGHA...@TK2MSFTNGP06.phx.gbl>, sbra...@pacbell.net
> says...
>> http://blogs.isaserver.org/shinder/2006/09/02/why-has-no-one-every-proved-a-hardware-firewall-is-more-secure-than-an-isa-firewall/
>
> And again, they are clearly talking about ISA set up as a firewall, not on
> a non-dedicated box.
>
> There are SO MANY MISTAKES an SBS admin can make that could impact the
> security of the ISA protection. Yes, the same could be said about the
> same person doing ISA on a dedicated box, but the same person, on an
> appliance, is less likely to make those same types of mistakes without
> knowing it.
>
Leythos wrote:
> In article <#KtTJ6vz...@TK2MSFTNGP06.phx.gbl>, kweil...@gte.net
> says...
>> Victor, as to ISA vs Hardware firewalls, give that "expert" this link:
>>
>> ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to
>> Know (v1.02)
>> http://www.isaserver.org/articles/2004tales.html
>
> I would agree that ISA running on a "DEDICATED" box is as secure as any
> appliance, as I would with FW-1 on a dedicated server, or any other
> solution on a DEDICATED SERVER.
>
> I would never trust a Firewall product running on a NON-DEDICATED
> server, it's just a matter of reality.
>
> Why do people that run Premium in two-nic mode always suggest that you
> install a NAT router in front of the ISA NIC?
>
--
Russell Grover
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbra...@pacbell.net>
wrote in message news:OncfWh3z...@TK2MSFTNGP03.phx.gbl...
The main function of the NAT router (for me, personal opinion) is to provide
a stable IP interface, under my control, to the external ISA NIC. I can
change internet connection method, or ISP, and no change is required to the
ISA. Handy for me when I recently (actually not so recently, 18 months ago)
changed house from a cable-serviced building to one where cable was
unavailable; handy for a client who recently, much more recently, changed
from one ADSL provider to another. Handy if there is a problem with the ISP
service, say the public IP cannot be acquired from the ISP (this doesn't
happen a lot, even in poor backward AU, but in the 18 months I've been at this
address there have been several outages of this kind). When a storm frazzled
my ADSL modem I was glad to have another device between it and my server.
"Leythos" <vo...@nowhere.lan> wrote in message
news:5oDKg.99292$vl5....@tornado.ohiordc.rr.com...
> In article <#KtTJ6vz...@TK2MSFTNGP06.phx.gbl>, kweil...@gte.net
> says...
>> Victor, as to ISA vs Hardware firewalls, give that "expert" this link:
>>
>> ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You
>> to
>> Know (v1.02)
>> http://www.isaserver.org/articles/2004tales.html
>
> I would agree that ISA running on a "DEDICATED" box is as secure as any
> appliance, as I would with FW-1 on a dedicated server, or any other
> solution on a DEDICATED SERVER.
>
> I would never trust a Firewall product running on a NON-DEDICATED
> server, it's just a matter of reality.
>
> Why do people that run Premium in two-nic mode always suggest that you
> install a NAT router in front of the ISA NIC?
>
> --
>
> spam9...@rrohio.com
> remove 999 in order to email me
If you run a business that is not subject to annual 3rd-party security
audits by parties who cater to regulated financial organizations, SBS2003
with integrated ISA is a fine solution. On the other hand, it will never
get past 3rd-party security auditors if it is running in a bank.
The concept is simple. For example, Microsoft's corporate risk management
model includes a blanket policy of eliminating every possible vulnerability.
That's why they have a multi-layered security defense for their own networks
that would not resemble the security architecture of an SBS2003/ISA
configuration.
None of this means there is anything wrong with SBS2003 for small business,
unless you are a small bank, and then it is going to get dumped by every
security consultant who caters to that sector.
There are only about 10 organizations in the 5-state area around Minneapolis
who do bank security pen tests and audits. Whether the SBS2003 community
agrees or not, none of them would give a pass on SBS2003/ISA as an
appropriate security architecture for a financial institution. If one of
these guys came into a hardware store, I would hope they would adjust their
standards to those appropriate for a hardware store.
"Victor Banks" <v...@nospam.local> wrote in message
news:uzmnoiuz...@TK2MSFTNGP05.phx.gbl...
And your set up is fine for your risk evaluation for your clients.
Others show that their setups are fine as well.
The point is that a SBS box is not inherently insecure, rather it's
dependent on how the network is set up and your level of paranoia.
I have determined that my risk factors are on the desktop, others deem
it in other places is all.
Leythos wrote:
> In article <eyRESc6z...@TK2MSFTNGP05.phx.gbl>, n...@your.nellie
> says...
>> The NAT router is only very simply another layer of security, basically
>> stopping incoming attacks on unexpected ports before they get to ISA. A good
>> argument can be made for not doing this, instead allowing all traffic to hit
>> ISA so that it can be logged by it, allowing you to fingerprint the attack.
>> Another minor consideration in this respect is that the attack must be able
>> to traverse the router and ISA, two systems operating via very different
>> mechanisms.
>>
>> The main function of the NAT router (for me, personal opinion) is to provide
>> a stable IP interface, under my control, to the external ISA NIC. I can
>> change internet connection method, or ISP, and no change is required to the
>> ISA. Handy for me when I recently (actually not so recently, 18 months ago)
>> changed house from a cable-serviced building to one where cable was
>> unavailable; handy for a client who recently, much more recently, changed
>> from one ADSL provider to another. Handy if there is a problem with the ISP
>> service, say the public IP cannot be acquired from the ISP (this doesn't
>> happen a lot, even in poor backward AU, but in the 18 months I've been at this
>> address there have been several outages of this kind). When a storm frazzled
>> my ADSL modem I was glad to have another device between it and my server.
>
> I like a firewall, a real one, dedicated, and I've had all our clients
> pass the SOX/HD audits with this method. I can see using ISA packaged
> with SBS in small installs of noncritical information, but I would never
> consider ISA with SBS package for Medical, Financial, Research, or
> anyplace that needs data security.
>
"Russ - SBITS.Biz (MCP SBS)" <sup...@REMOVETHIS.sbits.biz> wrote in message
news:uzADdlvz...@TK2MSFTNGP04.phx.gbl...
"Kevin Weilbacher [SBS-MVP]" <kweil...@gte.net> wrote in message
news:%23KtTJ6v...@TK2MSFTNGP06.phx.gbl...
"SuperGumby [SBS MVP]" <n...@your.nellie> wrote in message
news:eyRESc6z...@TK2MSFTNGP05.phx.gbl...
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbra...@pacbell.net>
wrote in message news:uw%23oW$vzGHA...@TK2MSFTNGP06.phx.gbl...
Let me check with my boss and see how we will handle this. If
he's willing, I would love to get some real experts involved here, people I
can trust. The boss may just want to go along with the charade for fear of
losing the client or straining the working relationship further. Me, I'd
have dumped the client altogether by now, after telling the owner what I
thought of his so-called experts.
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbra...@pacbell.net>
wrote in message news:ujGxVSyz...@TK2MSFTNGP02.phx.gbl...
My problem is that I've lost control of this client. Unless I can
get this guy alone and talk some sense into him away from the lawyer and all
these "experts" I don't know if the situation is salvageable.
"Joe" <j...@jretrading.com> wrote in message
news:utT87G1z...@TK2MSFTNGP05.phx.gbl...
"Kevin Weilbacher [SBS-MVP]" <kweil...@gte.net> wrote in message
news:ec5K%23X1zG...@TK2MSFTNGP03.phx.gbl...
"SteveB" <swb...@msn.com> wrote in message
news:eIgsk16z...@TK2MSFTNGP03.phx.gbl...
ISA is a piece of shit and I never even bothered with it. As far as
SBS, here is my situation:
I work for a financial institution, 40 users, 7 servers (one SBS of
course), with more than 500K records holding CC#, bank accounts, SSN and
what not. We use a Cisco firewall, CSA and very tight policies, following
the guidelines of the NSA (http://www.nsa.gov/snac/downloads_all.cfm).
Whenever someone tells me my SBS is weak, I tell them to go for it. If
they hack it, the information is all theirs. I still have my job...
The point is that no system is safe if you think it is. There are
endless steps to take, and after you've taken all of them, someone breaks
into your office and steals the hardware.
Since I also have a Linux server on site, please save the usual rhetoric
about how safe it is.
The office manager probably stole the info since he had access everywhere.
The security experts must justify their paycheck.
My 2 cents.
AFF
This is the best one! Man, am I LOLing all over the place.
"Russ - SBITS.Biz (MCP SBS)" <sup...@REMOVETHIS.sbits.biz> wrote in message
news:uqjQMHwz...@TK2MSFTNGP04.phx.gbl...
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbra...@pacbell.net>
wrote in message news:ujGxVSyz...@TK2MSFTNGP02.phx.gbl...
Of course it's unsecured.
I've seen this a million times: "security experts" come in and claim that
your server is CRAP
and offer to FIX your solution (which doesn't need fixing to begin with).
To me these guys should be shot just like used car salesmen...
They are just trying to make money off you (selling you something you don't
need).
Hopefully your boss is smart enough not to fall for this BS...
I would imagine any one of us would be more than happy to talk to your boss
(FOR FREE).
If your boss needs someone to talk to for a "second opinion",
let us know!
Russ
--
Russell Grover
"Victor Banks" <v...@nospam.local> wrote in message
news:%23NY7KNG...@TK2MSFTNGP04.phx.gbl...