Article ID: 303323 - View products that this article applies to.
This article was previously published under Q303323
This article describes how to maintain a secure Small Business Server (SBS) installation.
To maintain a secure network of any kind always demands diligence on the part of the system administrators that operate it. Because SBS is a comprehensive suite, administrators of SBS installations need to be aware of the security of each suite component. All patches and security bulletins will first appear on the following Microsoft Security Web site:
http://microsoft.com/securityAll SBS administrators are urged to subscribe to the Microsoft Security Notification service:
http://www.microsoft.com/technet/security/bulletin/notify.mspxFor a comprehensive list of all of the security patches that are available, use the following Microsoft Security Bulletin Search Web site:
http://microsoft.com/technet/security/current.mspxAdministrators are encouraged to use the Security Bulletin Search in conjunction with subscribing to the Security Notification Service to maintain their servers in the most secure state possible.
Hotfixes are patches that are released between service packs and that are designed to address one or more specific issues. After you apply a hotfix, you are normally required to restart your computer. If you do not restart your computer after you install a hotfix, the hotfix may not be installed properly. Note that you can use the QChain.exe tool to install multiple hotfixes in the same session, with only a single reboot. For additional information about the QChain.exe tool, click the article number below to view the article in the Microsoft Knowledge Base:
296861Service packs are larger, much more inclusive packages that are designed to address a wide range of issues, including security. Users that are running the latest service pack of a product are normally protected from most vulnerabilities that have been identified up to the date of the Service Pack release. To obtain a list of the latest service packs that are available for each SBS suite component, please see the following Microsoft TechNet Service Packs Web page:
(http://support.microsoft.com/kb/296861/EN-US/ )Use QChain.exe to Install Multiple Hotfixes with Only One Reboot
http://support.microsoft.com/default.aspx?PR=sp&FR=0&SD=TECH&LN=EN-US&CT=SD&SE=NONASmall Business Server 2000 Service Pack 1 (SP1) includes updates for the operating system, server applications, and security features that have been released since the general product availability date in April 2001. For more information, see the following Microsoft SBS Web page:
http://www.microsoft.com/downloads/details.aspx?familyid=F4FC58D0-1FAC-4927-84D7-189FA1B690BE&displaylang=enIMPORTANT: Unless a security bulletin specifically warns against installation on SBS, any security bulletin that is released for any of the suite components can be safely applied to SBS. As always, carefully read the release notes for any hotfix or service pack before you apply it to production computers.
You can use the following actions as part of your overall security strategy when you deploy SBS 2000 installations:
General Microsoft Security Information
Microsoft Security home page
Security Bulletin Search
Secure Internet Information Services 5 Checklist
Windows 2000 Internet Server Security Tool
http://www.microsoft.com/technet/security/tools/locktool.mspxMicrosoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
CERT Coordination Center: Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.htmlMicrosoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
URLScan Security Tool
http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902aURLScan is designed to make an IIS installation secure by default. This means that upon installation of the tool, IIS will not accept a variety of HTTP requests. Therefore, some SBS applications, like Outlook Web Access, may not function properly until the URLScan.ini file is edited to allow that functionality. Full details, including sample configurations, for editing URLScan can be found in the "urlscan.txt" file included with the download.