Securing Your Windows Small Business Server 2003 Network
On This Page
Introduction
This document helps you configure your Microsoft Windows Small Business Server 2003 network more securely. Completing the tasks in this document helps to protect the availability, integrity, and confidentiality of your local network. The tasks covered in this document for helping to secure your network follow:
| • | Verifying your topology and firewall configuration |
| • | Configuring your local router for secure access |
| • | Configuring network, firewall, Web, and e-mail services on the computer running Windows Small Business Server 2003 |
| • | Keeping software up-to-date |
| • | Implementing strong passwords |
| • | Configuring remote access to the local network |
| • | Verifying users have only necessary permissions |
| • | Changing the account name for the built-in Administrator account |
| • | Securing the computer running Windows Small Business Server 2003 |
| • | Implementing an antivirus solution |
| • | Upgrading client computers |
| • | Monitoring the computer running Windows Small Business Server 2003 for security issues |
In addition to the methods described in this document for securing your Windows Small Business Server network, many security features are configured by default at Setup. For more information about the default settings configured by Windows Small Business Server 2003 Setup, see Appendix D in the Windows Small Business Server 2003 Getting Started Guide on the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=483b6e22-8ed2-420b-915e-96d469347fb2&DisplayLang=en.
IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
Before You Begin
This document assumes that you have already completed Windows Small Business Server 2003 Setup, which includes the To Do List. The To Do List appears at the end of Setup and is used to complete the configuration of Windows Small Business Server 2003. If you did not complete all tasks on the To Do List, this document will assist you in completing those tasks that help to secure your computer that is running Windows Small Business Server 2003. If you have completed all of the tasks on the To Do List, this document will assist you in verifying that you used options that help to keep your network secure.
Note: To return to the To Do List, click Start, and then click Server Management. In the console tree, click To Do List.
Verifying Your Topology and Firewall Configuration
If you are using a broadband (high-speed) connection to the Internet for Windows Small Business Server 2003, the physical topology (the physical layout of devices on your network) is typically better protected if you have a firewall that helps to protect your local network. A firewall is designed to prevent unauthorized access to your local network.
Using the diagrams below, identify the topology for your Windows Small Business Server 2003 network and then verify that the placement of your firewall is correct for this topology.
Note: If you have a dial-up connection to the Internet, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003." It describes how to enable the firewall on the computer running Windows Small Business Server 2003.
There are basically two broadband topologies:
| • | One that uses the internal firewall provided by Windows Small Business Server 2003. This topology has two network adapters in the server. |
| • | One that uses an external firewall. This topology has a router and one network adapter in the server. |
Using the Internal Firewall Provided by Windows Small Business Server 2003
To use the firewall provided by Windows Small Business Server 2003 with a broadband connection, the computer running Windows Small Business Server 2003 must use two network adapters. In this case, your topology is represented as follows:
If you are using the internal firewall provided by Windows Small Business Server 2003 to protect your local network from unauthorized Internet access, but your topology does not reflect the topology shown in the diagram, you must correct your configuration. Otherwise, the internal firewall provided by Windows Small Business Server 2003 will not protect your local network.
Requirements
| • | The computer running Windows Small Business Server 2003 must use two network adapters. One network adapter connects to the local network, and one connects to the Internet using an Internet connection device. If you do not have two network adapters, you must either use an external firewall as described in the next section or install a second network adapter. Note: Even if you have a broadband connection and two network adapters in the computer running Windows Small Business Server 2003, you can still use an external firewall. In that case, you can use the firewall provided by Windows Small Business Server 2003, the firewall on the router, or both. If you are using both firewalls, ensure that you have configured the router as discussed in the section "Configuring Your Local Router for Secure Access." |
| • | You must be logged on to the computer running Windows Small Business Server 2003 as a member of the Domain Admins security group. |
| • | This procedure assumes that you have already connected to the Internet using the Configure E-mail and Internet Connection Wizard. If you have not run the wizard, follow the wizard instructions to complete it. When you reach the Broadband Connection Type page, see Step 5 of the following procedure for more information about how to complete the page. If you need help completing the wizard, click More Information on the wizard page. |
| • | To run the Configure E-mail and Internet Connection Wizard
|
Using an External Firewall
If you have only one network adapter in the computer running Windows Small Business Server 2003, your topology is represented as follows:
If you are using an external firewall (this may also be the same device as your local router) to protect your local network from unauthorized Internet access and the computer running Windows Small Business Server 2003 uses one network adapter, your topology should reflect the one shown in the diagram, otherwise you must correct your configuration. Improperly configuring your network topology can result in the external firewall not protecting your local network.
Requirements
| • | The computer running Windows Small Business Sever 2003 uses one network adapter to connect to both the Internet and the local network. If instead it is using two network adapters, and you are using an external firewall, your topology most likely looks like the one described in the previous section. |
| • | To protect your local network from unauthorized Internet access, either the Internet connection device must provide a firewall service or you must add an external firewall. In this topology, you cannot use the firewall on the computer running Windows Small Business Server 2003 because that computer is not the gateway between the Internet and the client computers. If you want to use that firewall, you must install a second network adapter in the computer running Windows Small Business Server 2003 and use the topology described in the previous section. |
| • | You must configure an external firewall on the local network with the necessary settings for your Windows Small Business Server network. For more information, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003." If you change the topology of your network, follow the procedure "To run the Configure E-mail and Internet Connection Wizard" to update your settings. |
Configuring Your Local Router for Secure Access
If you are using a local router to connect to the Internet and the device provides wireless networking or firewall capabilities (or both), ensuring that the device is properly configured can help to secure your local network. Consider taking the following steps:
| • | Secure the wireless access point on the router |
| • | Verify the firewall configuration on the router |
Secure the Wireless Access Point on the Router
If the router provides a wireless networking access point (also called a base station) and you do not have wireless devices on your network, disabling the access point can help reduce unauthorized access to your local network. If you have wireless devices on the network, you should consider configuring the access point so that it is secure. This helps to prevent an unauthorized user from gaining access to your local network by connecting to your wireless access point.
| • | To disable the wireless access point on the router
|
| • | To help secure the wireless access point on the router
|
Verify the Firewall Configuration on the Router
Allowing network traffic to pass through defined port numbers on the firewall in order to access only known services on your computer running Windows Small Business Server can help protect your network. These ports were automatically configured on the computer running Windows Small Business Server 2003 when you completed the Connect to the Internet task on the To Do List (this task opens the Configure E-mail and Internet Connection Wizard).
Note: Opening a port number may be referred to as port forwarding in the documentation of some router manufacturers.
Requirements
| • | Access to the administration feature of your router (usually a Web page where you manage the router). For information about how to access the administration feature, see your router manufacturer's documentation. |
| • | If you did not complete the Connect to the Internet task on the To Do List (this task opens the Configure E-mail and Internet Connection Wizard), you should do so before completing the following procedure. For more information about completing the wizard, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003." |
| • | To verify the firewall configuration on the router
|
Note: For more information about each of the services discussed in this table, see the appendices in the Windows Small Business Server 2003 Getting Started Guide on the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=483b6e22-8ed2-420b-915e-96d469347fb2&DisplayLang=en.
Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003
Using the Configure E-mail and Internet Connection Wizard can help correctly configure settings for the network, firewall, secure Web site, and e-mail services that are used after you connect your computer running Windows Small Business Server 2003 to the Internet (on the To Do List, this task is called Connect to Internet). The wizard automatically configures these services; however, you should check the following:
| • | Verify the firewall configuration to ensure only necessary services are allowed through the firewall. |
| • | Verify that the option to remove e-mail attachments is enabled. |
Verify the Firewall Configuration
You can use the wizard to help configure the firewall properly on the computer running Windows Small Business Server 2003. In Windows Small Business Server 2003, Standard Edition, the wizard configures Basic Firewall service in the Routing and Remote Access service. In Windows Small Business Server 2003, Premium Edition, it configures Microsoft Internet Security and Acceleration (ISA) Server.
When you enable the firewall, you should consider allowing only the services that your server needs to access the Internet or that users need to complete their work. For example, if users are using Remote Web Workplace to connect to the local network from the Internet, you should evaluate whether you also need to enable the Virtual Private Network (VPN) service.
Additionally, if you allow access to either the Business Web site (wwwroot) or to the entire Web site, your Web sites might be listed by Web search sites, such as Google. For example, a Web search site might list Remote Web Workplace. To prevent this, see Windows Small Business Server 2003 Troubleshooting on the Microsoft Web site at http://download.microsoft.com/download/5/6/1/561c9fd7-0e27-4525-94ec-4d2d38f61aa3/TSHT_SBS.htm.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To review and remove services allowed through the firewall on the server
|
Verify that the Option to Remove E-mail Attachments is Enabled
If Exchange Server is installed on the computer running Windows Small Business Server 2003, you should consider using the wizard to properly configure your server to send and receive e-mail through the Internet. When you enable Internet e-mail, the option to remove specific types of e-mail attachments from incoming e-mail is selected by default. Removing certain type of attachments from incoming e-mail helps to prevent a virus or malicious program from spreading to your local network.
When you completed the Connect to the Internet task on the To Do List, if you chose not to remove e-mail attachments, it is recommended that you run the wizard again to change this selection.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To enable the removal of e-mail attachments
|
Keeping Software Up-to-Date
One way to help keep your computing environment safe is to promptly install software updates, also known as fixes, security patches, service packs, and security-rollup packages. Software updates either fix vulnerabilities in software or they introduce additional security features. It is recommended that you install updates as soon as they become available. The following methods help keep your software up-to-date:
| • | Install Software Update Services. |
| • | Check for updates to server applications. |
| • | Check for Microsoft Office updates. |
| • | Check for updates to other applications. |
Install Software Update Services
Microsoft Software Update Services (SUS) can be used to update computers running Windows XP Professional, Windows 2000 Professional, Windows 2000 Server, or Windows Server 2003. SUS helps you to collect, approve, and distribute critical operating system updates to resolve known security vulnerabilities and stability issues.
To install and configure SUS on your Windows Small Business Server network, see "Updating a Windows Small Business Server 2003 Network Using Software Update Services Server 1.0" in the Security Guidance Kit.
If you have operating systems other than Windows XP Professional, Windows 2000 Professional, Windows 2000 Server, or Windows Server 2003 on the network, they are not automatically updated by SUS. Users running Windows XP Home Edition should configure the computer for automatic updates using the procedure that follows. Users running Windows 95, Windows 98, Windows Millennium Edition, or Windows NT Workstation 4.0 should use the Windows Update site to check periodically for updates that need to be installed. For more information about Windows Update, see the Microsoft Web site at http://windowsupdate.microsoft.com.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To configure automatic updates for Windows XP Home Edition
|
Check for Updates to Server Applications
Checking for updates to any applications that you use on the computer running Windows Small Business Server 2003 helps to ensure that you have the most current fixes, security patches, service packs, and security-rollup packages. For example, you should check for updates to Exchange Server 2003. Additionally, if you have Premium Edition, you should check for updates for ISA Server and SQL Server? 2000.
| • | To check for updates to Exchange Server 2003, see the Microsoft Web site at http://www.microsoft.com/exchange/downloads/2003/default.mspx. |
| • | To check for updates to ISA Server, see the Microsoft Web site at http://www.microsoft.com/isaserver/downloads/2004/default.mspx. Note: The version of ISA Server 2000 included with Windows Small Business Server 2003 Premium Edition includes ISA Server 2000 Service Pack 1 and hotfixes 177, 255, 256, 257, 265, and 277. |
| • | To check for updates to SQL Server 2000, see the Microsoft Web site at http://www.microsoft.com/sql/downloads/default.mspx. |
| • | To check for updates to all Microsoft products, see the Microsoft Download Center on the Microsoft Web site at http://www.microsoft.com/downloads/search.aspx?displaylang=en. |
Check for Microsoft Office Updates
Files created by some Microsoft Office applications might be used to transmit viruses and other malicious programs. To help prevent this, keep Office applications on client computers up-to-date by doing the following:
| • | For more information about having Office Update check your system automatically, see the Microsoft Web site at http://office.microsoft.com/en-us/officeupdate/default.aspx. Downloading the Outlook E-mail Security Update can help guard your computer against viruses that travel in executable or high-risk attachments and against worm attacks that replicate through Outlook. Note: To download individual updates from the Office Download Center, see the Microsoft Web site at http://office.microsoft.com/en-us/officeupdate/default.aspx. |
| • | To be notified when new updates are released, you can sign up for the Inside Office—Product Updates Alert Office Newsletter on the Microsoft Web site at http://www.microsoft.com/office/using/newsletter.mspx. |
Check for Updates to Other Software
If you run other software, check the manufacturer's Web site to see if it supports automatic updates of the application to help keep your computers on the local network secure and reliable. If the software does not support automatic updates, periodically check the manufacturer's Web site for updates to help to ensure that you have the most current fixes, security patches, service packs, and security-rollup packages.
Implementing Strong Passwords
Using strong password provides an additional layer of defense against an unauthorized user gaining access to your network. To implement strong passwords, you can complete the following steps:
| • | Enable password policies. |
| • | Educate users. |
Enable Password Policies
Enabling password policies to enforce the use of strong passwords is a critical step in helping to secure your network. If you ran the Configure E-mail and Internet Connection Wizard to configure your Internet connection, you were prompted at the end of the wizard to enable password policies. If you are unsure whether you enabled password policies when you ran the wizard, completing the following procedure to enable password policies that enforce strong passwords can help limit unauthorized access to your local network.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To enable password policies
|
Educate Users
After implementing strong password policies, educate users about strong and weak passwords. Ask users to treat their password as they would private information, such as a credit card PIN number. Below are typical guidelines that, when implemented, help ensure a strong password and more protection for your local network.
A password should not include any of the following:
| • | A user's name or e-mail alias |
| • | The name of the user's child, parent, spouse, or friend |
| • | Any word found in a dictionary |
| • | An old password that is reused by appending numbers |
| • | A birth date |
| • | A phone number |
| • | A social security number or other identification number |
| • | Any easily obtained personal information |
A strong password consists of the following:
| • | It does not contain all or part of the user's account name. | ||||||||
| • | It contains at least six characters. | ||||||||
| • | It contains characters from three of the following four categories:
|
For more information about password policies, see "Selecting Secure Passwords" in the Security Guidance Kit.
Configuring Remote Access to the Local Network
You can efficiently use Remote Web Workplace to remotely access the Windows Small Business Server local network. You can also use a virtual private network (VPN) connection. However, using Remote Web Workplace is an easier method than using a VPN connection for authorized users to gain access to the local network.
With either option, telling users that they should always log out when they are done with the session helps prevent an unauthorized user from gaining access to the network.
You can help securely configure remote access for Windows Small Business Server 2003 using one or both of the following options:
| • | Use Remote Web Workplace. |
| • | Use the Remote Access Wizard. |
Use Remote Web Workplace
Remote Web Workplace enables users to access important features of Windows Small Business Server 2003 when they are away from the office. Using Remote Web Workplace, they can check e-mail and calendars, connect to their computers at work by using Remote Desktop, use shared applications, access the company's internal Web site, view performance reports, or join a computer to the Windows Small Business Server network by downloading Connection Manager.
If users do not need to remotely access the local network, disabling access to Remote Web Workplace helps to limit the likelihood of unauthorized access to your network. To disable access to Remote Web Workplace, complete the procedure "To review and remove services allowed through the firewall on the server."
Note: To connect to a remote desktop on the local network using Remote Web Workplace, the remote computer must be running Windows 2000 Server or Windows XP Professional. A remote computer running any other operating system must use a VPN or dial-in connection as discussed in the section "Use the Remote Access Wizard."
Use the Remote Access Wizard
Using the Remote Access Wizard, you can enable virtual private network (VPN) access, dial-in access, or both. VPN access enables remote client computers to connect securely to your local network over the Internet. Users first connect to their local Internet service provider (ISP) and then securely connect to the local network using special protocols based on TCP/IP, called tunneling protocols. Dial-in access allows remote computers to connect over a phone line to a modem on the computer running Windows Small Business Server 2003.
If users do not require VPN or dial-in access, you should disable the access.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To disable VPN access, dial-in access, or both
|
Verifying Users Have Only Necessary Permissions
You can help to secure the network by ensuring that users have only the permissions they need to do their jobs and by limiting the use of accounts with administrative rights and permissions. To verify that users have only the permissions they need, do the following:
| • | Use the correct Windows Small Business Server template. |
| • | Do not use Administrator or Power User accounts for daily work. |
| • | Assign permissions to shares. |
Use the Correct Windows Small Business Server Template
Windows Small Business Server 2003 comes with predefined templates that are designed to give users only the level of access they need. For example, user accounts that are based on the User template do not have remote access to the local network by using a VPN connection, but user accounts based on the Mobile User template do have this access. The four templates are as follows:
Template Names and Descriptions
| Template Name | Description |
User | Accounts based on this template have access to shared folders, printers and faxes, e-mail, and the Internet. Accounts assigned this template can access the local network from a remote location using Remote Web Workplace. Additionally, user accounts assigned with this template can open a Remote Desktop Connection to a computer running Windows XP Professional but not to a computer running Windows Small Business Server 2003. |
Mobile User | Accounts based on this template have all the permissions of the User Template and can also access the local network from a remote location using Remote Web Workplace or a remote access connection. |
Power User | Accounts based on this template have all the permissions of the Mobile User Template and can also perform delegated management tasks. A Power User can log on remotely to a computer running Windows Small Business Server 2003, but it cannot log on locally. |
Administrator | Accounts based on this template have unrestricted system access to the Windows Small Business Server network. |
Reviewing the template currently assigned each user and ensuring that users have only the minimum level of access they need to perform their daily tasks helps reduce the chance that they will inadvertently delete important files or gain unintended access to an Administrator account. Additionally, if you allow access to Remote Web Workplace from the Internet and you do not want a user to have access to the local network from the Internet, you should disable access to Remote Web Workplace for that user's account.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To review the template assigned each user
|
| • | To disable user access to Remote Web Workplace
|
| • | To change permissions for a user account
|
Do Not Use Administrator or Power User Accounts for Daily Work
Because user accounts based on the Administrator and Power User templates are very powerful, consider basing user accounts on the less powerful User template. Using the Administrator or Power User templates even though a user does not need the more powerful access privileges increases the chance that the user will inadvertently delete important files or gain unintended access to an account with administrative or power user permissions.
For instance, if a user on your network wants administrative or power user permissions but does not need them for daily tasks, you can assign the user two accounts. The first account is a typical user account for daily tasks, based on the User template. The second account is based either on the Administrator Template, which provides the user with unrestricted access to the domain, or on the Power User Template, which provides the user with the ability to remotely connect to the server and to perform designated management tasks. You should then instruct the user to use the account with administrator or power user permissions only to complete specified tasks.
Because the Administrator account is a well-known and powerful account and the Power User account allows a user to access the server for management tasks, having users adhere to the following procedures can help reduce unauthorized access to your network and the misuse of more powerful access privileges:
| • | Use strong passwords at all times. |
| • | Log on with your user account to perform daily tasks, not with an Administrator or Power User account. |
| • | Never leave a computer unattended while you are logged on to an Administrator or Power User account. |
| • | Do not give others the password for an Administrator or Power User account. |
| • | Never leave a written record of the password for an Administrator or Power User account near the computer. |
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To create a user account for daily tasks
|
Note: If the user has been using the administrative account for any length of time, it may be easier for the user if you restrict the permissions of the existing administrative account (see the procedure "To change permissions for a user account") and then use the previous procedure to add a new administrative account.
Assign Permissions to Shares
By assigning which users or groups of users can access information shared from the computer running Windows Small Business Server 2003, you can help prevent an unauthorized user from accessing your company's data. By default, any share created during the Setup of Windows Small Business Server 2003 is assigned permissions to secure the share. If you have created additional shares on the server, ensuring that the shares have only the necessary permissions can help you limit access permissions to only those who need it.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To determine the list of shares on the server
|
| • | To review and assign permissions to non-default shares
|
Changing the Account Name of the Built-in Administrator Account
Renaming the built-in Administrator account on all computers in the Windows Small Business Server network or at least on the computer running Windows Small Business Server 2003 is a standard security practice that can help reduce unauthorized network access. The built-in Administrator account is a well-known and powerful account. Malicious users often attempt to log on to computers by guessing the password of the Administrator account. Because the account is necessary for many functions, it cannot be locked. However, if you change the name of this account, you make it more difficult for unauthorized users to discover the password and gain access to the network. Additionally, you should consider using a strong password for the Administrator account as an added precaution in case an attacker is able to determine the new account name. For more information about strong passwords, see the section "Implementing Strong Passwords."
Note: After renaming the built-in Administrator account on the computer running Windows Small Business Server 2003, it is very important that you log off the server and then log on using the renamed account. Otherwise, you may be denied access to resources or may not be able to successfully use some of the Windows Small Business Server tools.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To rename the Administrator account on the computer running Windows Small Business Server 2003
|
| • | To rename the local Administrator account on a client computer
|
Note: If you have many client computers, it may be more efficient to use Group Policy Management Console (GPMC) to automatically rename all the Administrator account names in the network (including the server). For step-by-step instructions for this method, from the computer running Windows Small Business Server 2003, click Start, click Help and Support, and then search for "rename the Administrator account using Group Policy Management Console."
Securing the Computer Running Windows Small Business Server 2003
Using the following methods can help secure the computer running Windows Small Business Server 2003:
| • | Physically secure the computer running Windows Small Business Server 2003 from on-site attacks. |
| • | Do not use the computer running Windows Small Business Server 2003 as a workstation. |
| • | Do not install unnecessary software on the computer running Windows Small Business Server 2003. |
| • | Configure backup. |
Physically Secure the Computer Running Windows Small Business Server 2003 from On-Site Attacks
All networks are vulnerable to on-site attacks, which may include, but are not limited to: booting the computer running Windows Small Business Server 2003 from a floppy disk and reformatting the hard disk; opening the computer case and replacing the system basic input/output system (BIOS) chips; removing the hard disk from the computer running Windows Small Business Server 2003 and reading information from it; or replacing keyboards with those that can help monitor everything you type, including passwords. Physically securing the computer running Windows Small Business Server 2003 can help restrict these on-site attacks.
| • | To help physically secure the computer running Windows Small Business Server 2003
|
Do Not Use the Computer Running Windows Small Business Server 2003 as a Workstation
Consider not using the computer running Windows Small Business Server 2003 as a workstation, because this increases the surface area for attacks and affects the performance of the network. The surface area for attacks increases because you need to install client applications on the server. If there is a security-related issue for any client application, the server is vulnerable to attack until a security patch is installed. Additionally, if a user other than an administrator logs on to the server, the chance increases that the user will accidentally delete critical information or an application.
Do Not Install Unnecessary Software on the Computer Running Windows Small Business Server 2003
Consider installing only the software on the computer running Windows Small Business Server 2003 that is necessary for your business operations to reduce the surface area of attacks and help maximize the server's performance.
Configure Backup
Backing up data on the computer running Windows Small Business Server 2003 can help prevent data loss that results from user error, data tampering, or virus attack. Backing up data is especially critical for small businesses, because a total system failure results not only in the loss of critical data, but also in the loss of essential services such as e-mail and Internet connectivity. Without a current backup, even companies that use a mirrored hard disk configuration may recover only a portion of their loss. You should keep the backup media in a secure location, because a malicious user can use this data to reconstruct the server at an alternate location. Additionally, consider testing the integrity of the backup by selecting random files from your backup, restoring them to an alternate location, and then confirming that the files have not changed.
Windows Small Business Server 2003 provides an integrated backup solution. When you configure your backup using the integrated backup solution, the entire server is backed up by default, including your intranet, mailboxes, and user files.
To configure backup, see "Backing Up and Restoring Windows Small Business Server 2003" in the Security Guidance Kit.
Note: To open the backup management taskpad, click Start, click Server Management, and then click Backup.
Implementing an Antivirus Solution
Computer viruses can spread quickly and overwhelm network resources. In addition to arriving through e-mail, a virus can propagate from services running on the computer running Windows Small Business Server 2003, from a shared folder on the network, from the Internet, or from infected files on removable media, such as floppy disks and CDs. For more information about antivirus software, see Frequently Asked Questions About Antivirus Software on the Microsoft Security Web site at http://www.microsoft.com/athome/security/protect/antivirus.mspx.
Using an antivirus solution that protects the entire network, including the server and client computers helps you to prevent computer viruses from accessing your local network. Additionally, consider ensuring that you have a good backup and recovery plan because you may need to restore the system to its state before the virus infection occurred. To help implement an effective antivirus solution, do the following:
| • | Choose an antivirus solution. |
| • | Implement a virus-reaction plan. |
Choose an Antivirus Solution
If you are not currently running an antivirus solution, consider purchasing one that meets the following criteria:
| • | It supports Windows Small Business Server 2003. |
| • | It supports Exchange Server 2003 and supports Microsoft Virus Scanning API 2.5. For more information about antivirus software and Exchange server, see article 82366, "Overview of Exchange Server 2003 and Antivirus Software," in the Microsoft Knowledge Base at http://support.microsoft.com/. |
| • | It should protect both the computer running Windows Small Business Server 2003 and the client computers. |
| • | The antivirus software vendor should release updates quickly. |
Additionally, once you install an antivirus solution, configuring the solution to automatically check for antivirus updates (also called signatures) and automatically install the updates on a specified schedule can help reduce the likelihood that your network will become infected with a virus or other malicious program.
For a list of antivirus partners, see the Microsoft Security Web site at http://www.microsoft.com/security/partners/antivirus.asp.
Implement a Virus-Reaction Plan
In some cases, you might receive a warning about a new virus before an update to your antivirus software is available. If this occurs, having a reaction plan in place for how best to handle the virus can help reduce the likelihood that your network will be infected by that virus. Additionally, you can temporarily disable your Internet connection.
| • | To implement a virus-reaction plan
|
| • | To temporarily disable your Internet connection
|
Upgrading Client Computers
If you have client computers running Windows 98 or earlier, or Windows NT 4.0 or earlier, consider upgrading these computers to either Windows XP Professional or Windows 2000 Professional. Windows XP Professional and Windows 2000 Professional are designed to work with the Windows Server 2003 network environment. This adds security while also improving reliability, performance, and functionality for the local network. In addition, some Windows Small Business Server 2003 applications, such as Outlook 2003, are specifically designed to work with Windows 2000 Professional Service Pack 3 or later.
For information about upgrading client computers, see the Windows XP Professional Upgrade Center page on the Microsoft Web site at http://www.microsoft.com/windowsxp/pro/upgrading/default.mspx.
Monitoring the Computer Running Windows Small Business Server 2003 for Security Issues
You can monitor the computer running Windows Small Business Server 2003 for security issues using the following methods:
| • | Configure monitoring. |
| • | Attach log files to monitoring reports. |
| • | Audit for failed logon events and account lockouts. |
| • | Keep up-to-date on security information. |
Configure Monitoring
Windows Small Business Server 2003 performance and usage reports contain detailed information about the overall health and use of the computer running Windows Small Business Server 2003. You can configure the reports by running the Monitoring Configuration Wizard.
If you are not receiving monitoring reports, you need to either configure monitoring or add your e-mail address to the list of report recipients.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To configure performance and usage reports
|
Attach Log Files to the Monitoring Reports
Log files contain important information about application events, Internet Information Services (IIS), security events, and system events, including hardware and software problems. The information is recorded as chronological messages in the log. Some of these logs, such as the firewall logs and the security-event logs, can be used to help monitor the security of your network.
You can monitor the network for attacks by reviewing the firewall and the security-event logs. You can monitor these logs by using the monitoring tools available in Windows Small Business Server. These tools include alert notifications and performance and usage reports.
Requirements
| • | You must be logged on as a member of the Domain Admins security group. |
| • | To attach log files to the monitoring reports
|
Audit for Failed Logon Events and Account Lockouts
Auditing the number of a user's failed logon attempts helps you discover brute force, dictionary, and other password attacks on the computer running Windows Small Business Server 2003. By default, Windows Small Business Server 2003 enables auditing of logon failure events and account lockouts. If a user account has 50 invalid logon attempts within 10 minutes, the account will be locked out for 10 minutes. After 10 minutes, the account is reset and the user can attempt to logon again. Failure audits generate an audit entry when a logon attempt fails. Thus, every time an invalid logon attempt occurs on the computer running Windows Small Business Server 2003 or an account lockout occurs, a message is generated in the event log. Additionally, the Windows Small Business Server 2003 performance reports list whether an account lockout has occurred, which may indicate there was an attempt to gain unauthorized access to an account. If you selected the option to receive alert notifications when you ran the Monitoring Configuration Wizard, an e-mail alert will also be sent to specified users indicating that an account lockout has occurred.
Keep Up-to-Date on Security Information
Bulletins, newsletters, and newsgroups contain the latest information about security-related issues, what products are affected (if any), how to help protect your computers, and what needs to be done to fix a security problem. These resources also contain links to other sources of information. Staying current with security information to helps you protect your data and network from unauthorized access, viruses, and data theft.
Review Security Bulletins
Security bulletins provide the latest security information. The Microsoft Security Response Center regularly publishes hotfixes and security bulletins.
Sign Up for Security Newsletters
To receive e-mail concerning alerts and updates for all your Microsoft products, subscribe to the Microsoft Security Update Newsletter on the Microsoft Web site at http://www.microsoft.com/security/default.mspx. Also, stay current on updates for any other software that you may use by visiting the manufacturer's Web site.
Review Newsgroups
Review newsgroups to receive the latest security-related information.
| • | To review the Newsgroup for Windows Small Business Server 2003, see the Microsoft Web site at http://www.microsoft.com/windowsserver2003/sbs/community/newsgroup.mspx. |
Related Information
For more information about security, see the following:
| • | Microsoft Security on the Microsoft Web site. |
For more information about Windows Small Business Server 2003, see the following:
| • | Microsoft Windows Small Business Server 2003 on the Microsoft Web site. |
| • | Windows Small Business Server 2003 Getting Started Guide on the Microsoft Web site. |