Network World
Thursday, January 8, 2009
Eriq Neale: Windows Small Business Server

Microsoft Subnet

Small Business Server 2008 - Network Security

Over the last ten years or so, Microsoft has demonstrated that the company is making serious efforts to address security concerns. SBS 2008 continues that move towards improved security by moving to a single-NIC solution. Yes, you read that correctly.

Let's take a quick look back. Outlook Web Access in Exchange 2000 and earlier versions did not require an SSL certificate, meaning you could sniff out user names and passwords from an OWA connection. SBS 2003 included the ability to create a self-signed SSL certificate so OWA and other web-based communications with the server could be encrypted and less vulnerable to sniffing. In the initial release of Windows XP and earlier versions of the desktop OS, there was no desktop-level firewall in the OS, so if a localized network-based attack was launched against a port-level vulnerability on the internal network, there was nothing to protect against that. XP Service Pack 2 introduced the workstation-level firewall to help guard against unwanted and unexpected inbound network connections to further protect the desktop.

So how does all this relate to the networking change in SBS 2008? Simple. By removing the ability for SBS 2008 to act as an internet router, the potential attack vector is significantly reduced. In SBS 2003, if you ran the Standard edition as a two-NIC configuration, you had to rely on the Routing and Remote Access service to determine what traffic on the external interface would get routed to the internal interface. But if there was a vulnerability in, say, the RPC service, RRAS might not have been able to prevent an attack on the external NIC directed at RPC, and the box could be compromised. The risk was significantly reduced if you ran SBS 2003 Premium with ISA in a two-NIC configuration, but had there been a vulnerability found in ISA, the box would have had little to no protection against that.

SBS 2008 includes the Windows Firewall and, just like Vista desktops, that firewall is enabled to block all incoming network connections unless specific services are opened in the firewall configuration. This allows us to "lock down" the server against unwanted/unexpected network access just like we've been doing at the desktop. Yes, the SBS 2008 configuration does allow the SBS server to act as a file server, e-mail server, web server, etc., so those services are properly configured in the Windows Firewall. And we have Group Policy that we can use to configure the firewall settings for both the server and the workstations on the network, so should we need to make changes to the firewall configuration, we can do so systematically through Group Policy.

If you ask Microsoft why the two-NIC configuration is gone in SBS 2008, you'll get a technical response dealing with how the networking features in Server 2008 are different, and you can't use the Routing and Remote Access service in conjunction with the Windows Firewall service. And I'm OK with that explanation.

But for me, the real improvement is in the change of the "best practice" philosophy regarding SBS. In SBS 2000 and SBS 2003, a two-NIC configuration was required if you wanted to use ISA properly (ISA was included with SBS 2000 and was an option available in SBS 2003 Premium). But with SBS 2003 Standard, you could still use the server in a two-NIC router-type configuration, and that was touted as a best practice by Microsoft and many members of the community. Unfortunately, what I saw in a lot of the systems I've worked with for the DIY crowd as well as other IT Professionals is a setup where an SBS 2003 Standard box was built in a two-NIC configuration and the external NIC was plugged directly into the Internet connection without any kind of firewall or NAT device in front of it.

Even in most of my ISA installations of SBS 2003 with my customers, I have put some type of firewall/NAT device between the external NIC and the Internet connection. In an ISA setup, even adding a basic NAT device helps reduce the attack vector against the SBS/ISA server if you only allow ports 25 (SMTP), 443 (HTTPS), 444 (Companyweb in SBS 2003), 4125 (Remote Desktop Proxy), and optionally 1723 (PPTP VPN) and 3389 (Remote Desktop) through to the external NIC on the box. In many of those cases, though, I still would use a business-class firewall in front of ISA as opposed to just a NAT router.

SBS 2008 forces the issue and pretty much requires the use of a business-class firewall as the edge device. Can you use a basic, consumer-grade NAT router as an edge device in an SBS 2008 network? There's nothing technically preventing you from doing so, but as quality business-class firewalls are becoming more and more affordable and including more and more important features, is it really worth the risk of using a consumer-grade NAT router to protect your network? At the very least, I look for a device that can block outbound port 25 from any device on the network except the server to help reduce the risk of becoming a spammer and getting put on blacklists, etc.
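To make the two layers described above concrete, here is an added example (not code from the article, from Microsoft, or from any firewall vendor) that models them as first-match rule lists: the edge device admitting only the listed ports (25, 443, 444, 4125, and optionally 1723 and 3389) to the server and permitting outbound port 25 from the server alone, and the server's own Windows Firewall blocking inbound connections except for the services that are opened. The subnet 192.168.16.0/24, the server address 192.168.16.2, the rule names and the host-side service list (TCP 445 for file sharing opened to the LAN only, the optional VPN/RDP ports left closed on the host) are constructed assumptions for the demonstration. Sample flows are evaluated through both layers, so a connection must pass the edge and the host firewall to reach a service.

```python
# Added example: first-match firewall policy model for a single-NIC SBS 2008
# network behind an edge firewall. Not code from the article or from Microsoft;
# addresses, rule names and the host service list are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = "192.168.16.0/24"      # constructed sample internal subnet
SERVER = "192.168.16.2/32"   # constructed sample SBS server address
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: str = ANY                    # source network (CIDR)
    dst: str = ANY                    # destination network (CIDR)
    proto: Optional[str] = None       # None matches any protocol
    ports: frozenset = frozenset()    # empty set matches any port

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in ip_network(self.src)
            and ip_address(flow.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == flow.proto)
            and (not self.ports or flow.dport in self.ports)
        )


class Policy:
    """Ordered rule list with first-match semantics and a default action."""

    def __init__(self, name: str, rules: list, default: str = "deny"):
        self.name, self.rules, self.default = name, rules, default

    def evaluate(self, flow: Flow) -> tuple:
        """Return (action, rule name) for the first matching rule, else the default."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule.name
        return self.default, f"{self.name}:default"


# Edge firewall in front of the single-NIC server: only the published service
# ports reach the server, and outbound SMTP is allowed from the server alone.
EDGE = Policy("edge", [
    Rule("server-published", "allow", ANY, SERVER, "tcp",
         frozenset({25, 443, 444, 4125})),
    # Optional in the article. PPTP additionally needs IP protocol 47 (GRE),
    # which this port-only model does not represent.
    Rule("server-optional", "allow", ANY, SERVER, "tcp", frozenset({1723, 3389})),
    Rule("server-smtp-out", "allow", SERVER, ANY, "tcp", frozenset({25})),
    Rule("block-lan-smtp-out", "deny", LAN, ANY, "tcp", frozenset({25})),
    Rule("lan-outbound", "allow", LAN, ANY),
])

# Windows Firewall on the server: inbound blocked unless a service is opened.
# Constructed host policy: file sharing (TCP 445) opened to the LAN only, the
# core published services opened generally, VPN/RDP ports left closed here.
HOST = Policy("host", [
    Rule("file-sharing", "allow", LAN, SERVER, "tcp", frozenset({445})),
    Rule("published-services", "allow", ANY, SERVER, "tcp",
         frozenset({25, 443, 444, 4125})),
])


def reaches_server(flow: Flow) -> tuple:
    """Defence in depth: traffic from outside the LAN must pass the edge AND the
    host firewall; LAN traffic only crosses the host firewall.
    Returns ("allow", None) or ("deny", name of the rule/default that stopped it)."""
    layers = [HOST] if ip_address(flow.src) in ip_network(LAN) else [EDGE, HOST]
    for policy in layers:
        action, name = policy.evaluate(flow)
        if action == "deny":
            return "deny", name
    return "allow", None


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.10", "192.168.16.2", "tcp", 443),   # OWA from the Internet
        Flow("203.0.113.10", "192.168.16.2", "tcp", 445),   # SMB from the Internet
        Flow("203.0.113.10", "192.168.16.2", "tcp", 3389),  # RDP: edge allows, host does not
        Flow("192.168.16.50", "192.168.16.2", "tcp", 445),  # SMB from a workstation
    ]
    for f in samples:
        print(f, "->", reaches_server(f))
    print("workstation SMTP out ->", EDGE.evaluate(Flow("192.168.16.50", "203.0.113.25", "tcp", 25)))
    print("server SMTP out      ->", EDGE.evaluate(Flow("192.168.16.2", "203.0.113.25", "tcp", 25)))
```

The RDP sample is the point of keeping two layers: the edge admits port 3389 to the server, but the constructed host policy does not open it, so the connection still fails. The same evaluator shows a workstation's direct outbound port 25 connection being stopped by the edge while the server's own SMTP delivery passes.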

But I digress. In my operation, we haven't deployed a two-NIC SBS server in several years. Our philosophy has been to go with a business-class firewall at the edge and have the SBS server as an end node on the network, just like the workstations. So this change in approach from Microsoft hasn't really impacted our operations. Yet I keep seeing IT Pros, well, panicking for lack of a better word, because they are not comfortable with this change. And yes, for many organizations it probably will be a change. But it's certainly not the most significant change in the SBS 2008 product.

SBS 2008 as a single-NIC solution is still a secure solution. Provided you make an investment in a proper business-class firewall and configure it correctly, your internal network will be at least as secure as with a two-NIC SBS 2003 server, if not more so.

About Eriq Neale

Eriq Neale is an internationally-recognized Small Business Server expert and has been awarded the Most Valuable Professional designation for Small Business Server since 2005. He is the owner of EON Consulting, a small business technology consulting practice in Denton, Texas, and a partner in Third Tier, an organization that provides escalation support for IT organizations around the globe. Eriq was the lead author for Windows Small Business Server 2008 Unleashed and the previous version, Microsoft Small Business Server 2003 Unleashed. His other writing credits include contributions to The Internet Unleashed 1997, Windows 2000 Server System Administrator's Handbook, E-mail Virus Protection Handbook and several books in both the 2000 and 2003 series MCSE exam preparation series.

In addition, Eriq maintains two blogs, one technical and one business-focused, and hosts a technology-focused weekly Internet radio program for small business owners. He speaks regularly at industry conferences and user groups on a variety of SBS-related topics.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.