Article ID: 303323 - Last Review: June 29, 2007 - Revision: 6.6

How to Maintain a Secure Small Business Server Installation

This article was previously published under Q303323

SUMMARY

This article describes how to maintain a secure Small Business Server (SBS) installation.

MORE INFORMATION

Maintaining a secure network of any kind always demands diligence from the system administrators who operate it. Because SBS is a comprehensive suite, administrators of SBS installations need to be aware of the security of each suite component. All patches and security bulletins will first appear on the following Microsoft Security Web site:
http://microsoft.com/security
All SBS administrators are urged to subscribe to the Microsoft Security Notification service:
http://www.microsoft.com/technet/security/bulletin/notify.mspx
For a comprehensive list of all of the security patches that are available, use the following Microsoft Security Bulletin Search Web site:
http://microsoft.com/technet/security/current.mspx
Administrators are encouraged to use the Security Bulletin Search together with a subscription to the Security Notification Service to keep their servers in the most secure state possible.

Hotfixes are patches that are released between service packs and that are designed to address one or more specific issues. After you apply a hotfix, you are normally required to restart your computer. If you do not restart your computer after you install a hotfix, the hotfix may not be installed properly. Note that you can use the QChain.exe tool to install multiple hotfixes in the same session, with only a single reboot. For additional information about the QChain.exe tool, click the article number below to view the article in the Microsoft Knowledge Base:
296861 (http://support.microsoft.com/kb/296861/EN-US/) Use QChain.exe to Install Multiple Hotfixes with Only One Reboot
Service packs are larger, much more inclusive packages that are designed to address a wide range of issues, including security. Users who are running the latest service pack of a product are normally protected from most vulnerabilities that have been identified up to the date of the service pack release. To obtain a list of the latest service packs that are available for each SBS suite component, see the following Microsoft TechNet Service Packs Web page:
http://support.microsoft.com/default.aspx?PR=sp&FR=0&SD=TECH&LN=EN-US&CT=SD&SE=NONA
Small Business Server 2000 Service Pack 1 (SP1) includes updates for the operating system, server applications, and security features that have been released since the general product availability date in April 2001. For more information, see the following Microsoft SBS Web page:
http://www.microsoft.com/downloads/details.aspx?familyid=F4FC58D0-1FAC-4927-84D7-189FA1B690BE&displaylang=en
IMPORTANT: Unless a security bulletin specifically warns against installation on SBS, any security bulletin that is released for any of the suite components can be safely applied to SBS. As always, carefully read the release notes for any hotfix or service pack before you apply it to production computers.

You can use the following actions as part of your overall security strategy when you deploy SBS 2000 installations:
  • Subscribe to the following Microsoft Security Notification Service:
    http://www.microsoft.com/technet/security/bulletin/notify.mspx
  • Become familiar with the tools and concepts on the following Microsoft TechNet Security Web site:
    http://www.microsoft.com/technet/security/default.mspx
  • Install and configure the server as outlined in the latest SBS Release Notes that are available at the following SBS Web site:
    http://microsoft.com/sbserver
  • Apply the latest service packs for each suite component. The list of service packs can be found at the TechNet Service Packs Web page:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;sp
  • Use the following Security Bulletin Search Web page to make sure any post service pack updates are applied:
    http://www.microsoft.com/technet/security/current.aspx
  • Continue to monitor the Security Notification Service for any new updates that may be released. As new updates are released, tools (such as Terminal Services, QChain, VBScript, and so on) can be used to remotely apply the patches to your client's sites.

General Microsoft Security Information

Microsoft Security home page

http://microsoft.com/security/

Security Bulletin Search

http://microsoft.com/technet/security/current.mspx

Secure Internet Information Services 5 Checklist

https://www.microsoft.com/technet/archive/security/chklist/iis5cl.mspx?mfr=true

Windows 2000 Internet Server Security Tool

http://www.microsoft.com/technet/security/tools/locktool.mspx
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

CERT Coordination Center: Steps for Recovering from a UNIX or NT System Compromise

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

URLScan Security Tool

http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a
URLScan is designed to make an IIS installation secure by default. This means that upon installation of the tool, IIS will not accept a variety of HTTP requests. Therefore, some SBS applications, like Outlook Web Access, may not function properly until the URLScan.ini file is edited to allow that functionality. Full details, including sample configurations, for editing URLScan can be found in the "urlscan.txt" file included with the download.
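
The effect described above can be checked before the tool is deployed. The following is an added example, not part of the original article or of the URLScan download: it parses a URLScan.ini and reports which of the verbs an application needs would be rejected. The sample file contents and the verb list for Outlook Web Access are constructed assumptions; take the real list from urlscan.txt.

```python
import configparser

# Constructed sample URLScan.ini (not the file shipped with the tool).
SAMPLE_INI = """\
[options]
UseAllowVerbs=1        ; 1 = accept only the verbs listed in [AllowVerbs]

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
"""

# Assumed sample of verbs a WebDAV-based client such as Outlook Web Access
# sends; take the authoritative list from urlscan.txt.
OWA_VERBS = ["GET", "POST", "PROPFIND", "SEARCH"]


def load_urlscan(text):
    """Parse URLScan.ini text; list sections hold bare entries with no '='."""
    cp = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",), strict=False,
        interpolation=None,
        comment_prefixes=(";",), inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep case: [AllowVerbs] entries are case sensitive
    cp.read_string(text)
    return cp


def blocked_verbs(text, needed):
    """Return the verbs in `needed` that this configuration would reject."""
    cp = load_urlscan(text)
    names = {s.lower(): s for s in cp.sections()}  # section names ignore case

    def entries(section):
        return list(cp[names[section]]) if section in names else []

    opts = {k.lower(): cp[names["options"]][k] or "" for k in entries("options")}
    # UseAllowVerbs is treated as 1 when absent (assumption about the default).
    if opts.get("useallowverbs", "1").strip() == "1":
        allowed = set(entries("allowverbs"))
        return [v for v in needed if v not in allowed]
    denied = {v.upper() for v in entries("denyverbs")}  # deny list ignores case
    return [v for v in needed if v.upper() in denied]


if __name__ == "__main__":
    print("Blocked:", blocked_verbs(SAMPLE_INI, OWA_VERBS))
```

Add only the verbs the report names to [AllowVerbs], so the allow list stays as short as the application permits.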

APPLIES TO
  • Microsoft Small Business Server 2000 Standard Edition
  • Microsoft BackOffice Small Business Server 4.5