Securing Your Windows Small Business Server 2003 Network

Updated: May 27, 2009

Applies To: Windows SBS 2003

Note

The information in this document applies to the Microsoft® Windows® Small Business Server 2003 server software with Service Pack 1 or to Windows Small Business Server 2003 R2 (Windows SBS).

Note

The intended audience for this document is administrators of Windows SBS. The skill level required to complete the steps in this document assumes general knowledge of how to install, configure, and update Windows operating systems and Microsoft Office applications, and a basic understanding of networking in a client/server environment.

This document helps you more securely configure your network that is running Windows SBS. Completing the tasks in this document helps to protect the availability, integrity, and confidentiality of your local network. The tasks covered in this document for helping to secure your network follow:

  • Verify your topology and firewall configuration

  • Configure your local router for more secure access

  • Configure network, firewall, Web, and e-mail services on the computer that is running Windows SBS 2003

  • Keep software up-to-date

  • Implement strong passwords

  • Configure remote access to the local network

  • Verify that users have only the permissions that they need

  • Change the account name for the built-in Administrator account

  • Help to secure the computer that is running Windows SBS 2003

  • Implement an antivirus solution

  • Upgrade client computers

  • Monitor the computer that is running Windows SBS 2003 for security issues

In addition to the methods described in this document for securing your Windows SBS network, many security features are configured by default at Setup. For more information about the default settings that are configured by Windows SBS 2003 Setup, see Appendix D in the Windows Small Business Server 2003 Getting Started Guide at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=20122).

Important

All of the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

This document assumes that you have already completed Windows SBS 2003 Setup, which includes the To Do List. The To Do List appears at the end of Setup and is used to complete the configuration of Windows SBS 2003. If you did not complete all tasks on the To Do List, this document will assist you in completing those tasks that help to secure your server. If you have completed all of the tasks on the To Do List, this document will assist you in verifying that you used options that help to keep your network secure.

Note

To return to the To Do List, click Start, and then click Server Management. In the console tree, click To Do List.

Verify Your Topology and Firewall Configuration

If you use a broadband (high-speed) connection to the Internet for Windows SBS 2003, your local network is better protected when a firewall sits between it and the Internet in the physical topology (the physical layout of devices on your network). A firewall is designed to prevent unauthorized access to your local network, but it helps only if all traffic between the Internet and the local network actually passes through it.

Using the diagrams that follow, identify the topology for your Windows SBS 2003 network, and then verify that the placement of your firewall is correct for this topology.

Note

If you have a dial-up connection to the Internet, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003" later in this document. It describes how to enable the firewall on your server.

There are basically two broadband topologies:

  • One that uses the internal firewall Windows SBS 2003 provides. This topology has two network adapters in the server.

  • One that uses an external firewall. This topology has a router and one network adapter in the server.

Use the Internal Firewall Provided by Windows Small Business Server 2003

To use the firewall provided by Windows SBS 2003 with a broadband connection, your server must use two network adapters. In this case, your topology is represented as follows:

If you are using the internal firewall provided by Windows SBS 2003 to help protect your local network from unauthorized Internet access, but your topology does not reflect the topology shown in the diagram, you must correct your configuration. Otherwise, the internal firewall provided by Windows SBS 2003 will not protect your local network.

Requirements
  • The server must use two network adapters. One network adapter connects to the local network, and one connects to the Internet using an Internet connection device. If you do not have two network adapters, you must either use an external firewall as described in the next section or install a second network adapter.

Note

Even if you have a broadband connection and two network adapters in your server, you can still use an external firewall. In that case, you can use the firewall provided by Windows SBS 2003, the firewall on the router, or both. If you are using both firewalls, ensure that you have configured the router as discussed in the section "Configure Your Local Router for More Secure Access."

  • You must be logged on to the server as a member of the Domain Admins security group.

  • This procedure assumes that you have already connected to the Internet using the Configure E-mail and Internet Connection Wizard. If you have not run the wizard, follow the wizard instructions to complete it. When you reach the Broadband Connection Type page, see Step 5 of the following procedure for more information about how to complete the page. If you need help completing the wizard, click More Information on the wizard page.

To run the Configure E-mail and Internet Connection Wizard

  1. Click Start, and then click Server Management.

  2. In the console tree, click Internet and E-mail.

  3. In the details pane, click Connect to the Internet. The Configure E-mail and Internet Connection Wizard starts.

  4. On the Connection Type page, ensure that Broadband is selected.

  5. On the Broadband Connection Type page, ensure that A direct broadband connection is selected.

  6. If you are using both the firewall on the server and a firewall on your router, ensure that A local router device with an IP address is selected.

  7. Follow the instructions to complete the wizard.

  8. At the end of the wizard, if you have not yet enabled password policies to enforce strong passwords on your network, you are prompted to do so. It is strongly recommended that you click Yes, to enable password policies. For more information about enabling password policies, see the section "Implementing Strong Passwords."

Use an External Firewall

If you have only one network adapter in the server, your topology is represented as follows:

If you use an external firewall (this may be the same device as your local router) to help protect your local network from unauthorized Internet access, and the computer running Windows SBS 2003 uses one network adapter, your topology should match the one shown in the diagram; otherwise, you must correct your configuration. An improperly configured topology can leave the external firewall unable to protect your local network.

Requirements
  • The computer running Windows SBS 2003 uses one network adapter to connect to both the Internet and the local network. If instead it is using two network adapters and you are using an external firewall, your topology most likely looks like the one described in the previous section.

  • To help protect your local network from unauthorized Internet access, either the Internet connection device must provide a firewall service or you must add an external firewall. In this topology, you cannot use the firewall on the server because that computer is not the gateway between the Internet and the client computers. If you want to use that firewall, you must install a second network adapter in the server and use the topology described in the previous section.

  • You must configure an external firewall on the local network with the necessary settings for your Windows SBS network. For more information, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003." If you change the topology of your network, follow the procedure "To run the Configure E-mail and Internet Connection Wizard" to update your settings.

Configure Your Local Router for More Secure Access

If you are using a local router to connect to the Internet and the device provides wireless networking or firewall capabilities (or both), ensuring that the device is properly configured can help to secure your local network. Consider taking the following steps:

  • Secure the wireless access point on the router

  • Verify the firewall configuration on the router

Secure the Wireless Access Point on the Router

If the router provides a wireless networking access point (also called a base station) and you do not have wireless devices on your network, disabling the access point can help reduce unauthorized access to your local network. If you have wireless devices on the network, you should consider configuring the access point so that it is more secure. This helps to prevent an unauthorized user from gaining access to your local network by connecting to your wireless access point.

To disable the wireless access point on the router

  1. Check the manufacturer’s documentation for the router. If the router does not have a wireless access point, skip to the section "Verify the Firewall Configuration on the Router."

  2. If the router has a wireless access point but no devices on the network (such as a laptop) are using it, disable the wireless access point on the router. For more information, check the manufacturer’s documentation. After disabling the wireless access point, skip to the section "Verify the Firewall Configuration on the Router."

To help secure the wireless access point on the router

  1. Help secure the router by requiring a password to access the router administration features (usually a Web page where you manage the router).

    • The password should be a strong password.

    • It should not be the default password, which may have been provided by the manufacturer.

    • Store your record of the password in a secure location. For more information about strong passwords, see the section "Implementing Strong Passwords."

  2. Enable the strongest security protocol that your wireless router and your wireless clients both support. The two options covered here are 802.1x authentication and Wired Equivalent Privacy (WEP); of the two, 802.1x is the stronger choice.

    • Enable 802.1x authentication if it is supported by your router. 802.1x is a port-based network access control protocol for wired and wireless networks: a client must authenticate (typically with a computer or user certificate, or a user name and password, carried over EAP) before the access point passes its traffic, and the authentication exchange is used to hand each client fresh, per-session encryption keys. 802.1x does not encrypt traffic by itself; its value is that it replaces the single static key, shared by every device, on which plain WEP depends. For more information about configuring 802.1x authentication, see the manufacturer's documentation for the router.

    • Enable WEP only if your router supports nothing stronger. WEP encrypts data in transit between a wireless device and the access point, but it is cryptographically weak: the shared key can be recovered from a modest amount of captured traffic, so treat it as a deterrent rather than a boundary. If you must use WEP, manually configure the secret key (the key that is shared between the wireless device and the access point) rather than having it generated from a passphrase, use the longest key length available, and change the key whenever someone who knows it leaves the business. For more information about configuring WEP, see the manufacturer's documentation for the router.

  3. Enable media access control (MAC) filtering. A MAC address is the hardware address that identifies each network card on the network. By identifying the MAC address for each wireless network card on your local network, you can configure the wireless access point with a list of MAC addresses that are allowed (or not allowed) to gain access to the rest of the network. Keep in mind that MAC addresses are transmitted in the clear and are easily changed in software, so anyone within radio range who records an allowed address can use it. MAC filtering keeps casual and accidental connections off your network; it is not an access control and is no substitute for the authentication and encryption in step 2.

    1. Identify the MAC address of each wireless network card on the local network. On a client computer that is running the Windows® XP or Windows® 2000 Professional operating system, click Start, click Run, type cmd, and then click OK. At the command prompt, type ipconfig /all.

    2. Under the section for the wireless network connection, record the Physical Address (six two-digit hexadecimal groups separated by hyphens). You will use this address to configure MAC filtering on the router.

    3. Follow the router manufacturer’s documentation for configuring MAC filtering.

Note

After you enable MAC filtering, you need to update the list of MAC addresses each time you add or remove a wireless device from the local network.
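Collecting the Physical Address from each laptop by hand is error-prone once there are more than a few wireless devices. The following added example (not part of the original document) parses pasted ipconfig /all output and pulls out only the adapters that look wireless. The ipconfig text is a constructed sample in the Windows XP layout; the adapter names and addresses in it are made up.

```python
"""Extract wireless adapter MAC addresses from 'ipconfig /all' output.

Added example, not from the original document. SAMPLE_IPCONFIG is constructed
sample output in the Windows XP format; adapter names and addresses are made up.
"""
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop01
        Primary Dns Suffix  . . . . . . . : smallbusiness.local

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-3A-1B-9D

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : smallbusiness.local
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
        Physical Address. . . . . . . . . : 00-13-CE-4F-22-A7
        IP Address. . . . . . . . . . . . : 192.168.16.41
"""

# "Ethernet adapter Wireless Network Connection:" -> adapter section header
ADAPTER_RE = re.compile(r"^(?P<kind>\w[\w ]*?) adapter (?P<name>[^:]+):\s*$")
# "        Physical Address. . . . . . . . . : 00-13-CE-4F-22-A7" -> key/value, dot leaders dropped
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*:\s*(?P<val>.*)$")
# Windows prints MACs as six hex pairs separated by hyphens
MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def parse_ipconfig(text):
    """Return {adapter name: {field name: value}} for every adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name").strip(), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:          # lines before the first adapter are host-level
            current[m.group("key").strip()] = m.group("val").strip()
    return adapters


def wireless_macs(text):
    """Physical addresses of adapters whose name or description mentions 'wireless'.

    Only well-formed addresses are returned, so a disconnected or virtual adapter
    with a blank or odd Physical Address cannot slip into the router's allow list.
    """
    found = {}
    for name, fields in parse_ipconfig(text).items():
        description = fields.get("Description", "")
        if "wireless" in (name + " " + description).lower():
            mac = fields.get("Physical Address", "")
            if MAC_RE.match(mac):
                found[name] = mac
    return found


if __name__ == "__main__":
    for adapter, mac in wireless_macs(SAMPLE_IPCONFIG).items():
        print(f"{mac}  {adapter}")
```

Run it on each client's saved ipconfig /all output and paste the resulting addresses into the router's MAC filter; rerun it whenever a wireless device is added or retired, since the list on the router goes stale otherwise.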

Verify the Firewall Configuration on the Router

To help protect your network, allow inbound traffic through the firewall on the router only on the port numbers of services that users actually need on the computer that is running Windows SBS, and block everything else. The matching ports are configured automatically on the server when you complete the Connect to the Internet task on the To Do List (this task opens the Configure E-mail and Internet Connection Wizard), but the router does not read the server's settings, so you must verify the router's rules separately.

Note

Opening a port number may be referred to as port forwarding in the documentation of some router manufacturers.

Requirements
  • Access to the administration feature of your router (usually a Web page where you manage the router). For information about how to access the administration feature, see your router manufacturer's documentation.

  • If you did not complete the Connect to the Internet task on the To Do List (this task opens the Configure E-mail and Internet Connection Wizard), you should do so before completing the following procedure. For more information about completing the wizard, see the section "Configuring Network, Firewall, Web, and E-mail Services on the Computer Running Windows Small Business Server 2003."

To verify the firewall configuration on the router

  1. For each service listed in "Table 1: Services and TCP Port Numbers," determine whether users are using the service. If they are not, consider blocking (not allowing) the inbound port through the firewall on the router. Table 1 lists the services and associated port numbers that the Configure E-mail and Internet Connection Wizard can configure on the computer that is running Windows Small Business Server 2003.

  2. Check the ports allowed through the firewall on your router to determine whether services not listed in the table are allowed. If other ports are allowed through the firewall, you can verify the purpose of each open port by checking the list of well-known ports on the IANA Web site (https://go.microsoft.com/fwlink/?LinkId=22654). For advanced information about ports, see "Reference: Network Ports Used by Key Microsoft Server Products" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=57925).

  3. Check the router manufacturer's documentation to determine whether the router supports logging. If it does, configure logging and review the log files regularly; a forwarding rule you did not create, or repeated connection attempts against a blocked port, are worth investigating.

Table 1: Services and TCP Port Numbers

Columns: Service | TCP port number | Inbound access recommendation

Service: E-mail
TCP port number: 25
Inbound access recommendation: Allow if you are using Exchange to receive Internet e-mail.

Service: Web server
TCP port number: 80 (required for HTTP requests for your site) and 443 (required for HTTPS requests using Secure Sockets Layer (SSL), which secures communications between your server and a Web browser)
Inbound access recommendation: Allow if users on the Internet need to access specific Web-site services on your server. Web-site services that use port 80 and/or port 443 include the following:

  • Microsoft Office Outlook® Web Access, which allows users to access their e-mail from the Internet using a Web browser.

  • Windows SBS 2003 server performance and usage reports, which contain detailed information about the overall health and use of your server.

  • Outlook Mobile Access, which allows users to access their e-mail from a mobile device.

  • Business Web site (wwwroot), which allows users on the Internet to access the company's public business Web site hosted on the server. Select this option only if you plan to host your business Web site on the computer that is running Windows SBS 2003 with SP1 or Windows SBS 2003 R2. If you choose this option, your Web sites on Windows SBS might be listed by Web search sites, such as Google.com.

  • Outlook via the Internet, which uses the Remote Procedure Call (RPC) over HTTP feature of the Microsoft Office Outlook® 2003 messaging and collaboration client.

Service: Windows SharePoint Services intranet site
TCP port number: 444
Inbound access recommendation: Allow if users need to reach the intranet Web site that Microsoft Windows SharePoint® Services creates securely from the Internet.

Service: Remote Web Workplace
TCP port number: 4125 and 443
Inbound access recommendation: Allow if users securely access Remote Web Workplace to:

  • Read their e-mail by using Outlook Web Access.

  • Create a direct Remote Desktop Web Connection to client computers on the local network.

  • Use the Windows SharePoint Services intranet site (this also requires port 444, as noted above).

  • Download Connection Manager to configure the remote client computer for remote access (using remote access also requires that port 1723 be open, as noted below).

Service: Allow access to the entire Web site from the Internet
TCP port number: 80 (required for HTTP requests for your default Web site), 443 (required for Secure Sockets Layer (SSL) for your default Web site), and 444 (required for SSL for the company's internal Web site). SSL helps secure communications between your server and a Web browser.
Inbound access recommendation: Allow if you want users on the Internet to be able to access the entire default Web site, the company's internal Web site, or specific Web site services from the Internet. This includes the services listed above, plus any additional Web site directories that you may have created in the default Web site.

Important
If you choose this option, all Web site directories in the Default Web site folder become available on the Internet, including your company's internal site. By default, only authorized users can access your intranet site, and anonymous access is not allowed. Modifying the default intranet access permissions is not recommended.

Service: Virtual private network (VPN)
TCP port number: 1723
Inbound access recommendation: Allow if remote client computers connect securely to the network by using a VPN connection to use resources as if the client computer were connected locally. TCP 1723 is only the PPTP control channel; the tunneled data travels over GRE (IP protocol 47), which a plain port-forwarding rule does not cover, so the router must also pass GRE (often called "PPTP pass-through") to the server.

Service: Terminal Server
TCP port number: 3389
Inbound access recommendation: Allow if remote client computers connect to the server by using Terminal Server. If users reach the server through Remote Web Workplace (4125 and 443) or the VPN instead, leave 3389 blocked at the router; a Remote Desktop listener exposed directly to the Internet draws continuous password guessing.

Service: File transfer protocol (FTP)
TCP port number: 21
Inbound access recommendation: Allow if remote clients use file transfer protocol (FTP) to connect to the server. FTP sends user names, passwords, and file contents in clear text, so allow it only when no alternative exists.

Note

For more information about each of the services discussed in this table, see the appendices in Windows SBS 2003 "Getting Started" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=20122).
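Steps 1 and 2 of "To verify the firewall configuration on the router" amount to a set comparison: the ports Table 1 says the services in use require, the ports the router actually forwards to the server, and the ports the server is actually listening on. The following added example (not part of the original document) performs that comparison. The service-to-port map is copied from Table 1; the router forwarding table, the netstat -an output and the server address 192.168.16.2 are constructed sample data, and the rule format is a generic one that you would adjust to match what your router's administration page shows.

```python
"""Audit inbound TCP ports for a Windows SBS 2003 network against Table 1.

Added example, not part of the original document. SBS_SERVICE_PORTS is taken
from Table 1; the router forwarding table, the netstat output and the server
address are constructed sample data.
"""
import re

# Service -> inbound TCP ports, as listed in Table 1.
SBS_SERVICE_PORTS = {
    "E-mail (SMTP)": {25},
    "Web server (HTTP/HTTPS)": {80, 443},
    "Windows SharePoint Services intranet site": {444},
    "Remote Web Workplace": {4125, 443},
    "VPN (PPTP)": {1723},
    "Terminal Server": {3389},
    "FTP": {21},
}

# Constructed forwarding table in a generic "external -> host:internal PROTO" layout.
# Note the FTP and Terminal Server rules: nobody uses them, and FTP is not even running.
SAMPLE_ROUTER_RULES = """\
25   -> 192.168.16.2:25   TCP
80   -> 192.168.16.2:80   TCP
443  -> 192.168.16.2:443  TCP
444  -> 192.168.16.2:444  TCP
4125 -> 192.168.16.2:4125 TCP
3389 -> 192.168.16.2:3389 TCP
21   -> 192.168.16.2:21   TCP
"""

# Constructed 'netstat -an -p tcp' output from the server (Windows Server 2003 layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4125           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING
  TCP    192.168.16.2:445       192.168.16.41:1044     ESTABLISHED
"""

SERVICES_IN_USE = ["E-mail (SMTP)", "Web server (HTTP/HTTPS)",
                   "Windows SharePoint Services intranet site", "Remote Web Workplace"]
SERVER_IP = "192.168.16.2"   # assumed internal address of the SBS server

ROUTER_RULE_RE = re.compile(
    r"^\s*(?P<ext>\d+)\s*->\s*(?P<host>[\d.]+):(?P<int>\d+)\s+(?P<proto>TCP|UDP)\b", re.I)


def expected_ports(services_in_use):
    """Union of the inbound ports required by the services users actually use."""
    ports = set()
    for name in services_in_use:
        ports |= SBS_SERVICE_PORTS[name]   # an unknown service name is a typo; let it raise
    return ports


def parse_router_rules(text):
    """Return (external port, internal host, protocol) for every forwarding rule."""
    rules = []
    for line in text.splitlines():
        m = ROUTER_RULE_RE.match(line)
        if m:
            rules.append((int(m.group("ext")), m.group("host"), m.group("proto").upper()))
    return rules


def parse_netstat_listeners(text):
    """Return the set of TCP ports in LISTENING state from Windows netstat output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def audit(services_in_use, router_rules, listeners, server_ip):
    """Compare what the router forwards to the server with what Table 1 says is needed."""
    wanted = expected_ports(services_in_use)
    forwarded = {ext for ext, host, proto in router_rules if proto == "TCP" and host == server_ip}
    return {
        # service in use but not forwarded: users will report it as broken
        "missing_forward": sorted(wanted - forwarded),
        # forwarded but no service in use needs it: close these at the router
        "unexpected_forward": sorted(forwarded - wanted),
        # forwarded to a port nothing listens on: a stale rule waiting for a future service
        "forwarded_not_listening": sorted(forwarded - listeners),
        # listening but internal only: expected, yet confirm none should ever be exposed
        "listening_not_forwarded": sorted(listeners - forwarded),
    }


def run_sample_audit():
    return audit(SERVICES_IN_USE, parse_router_rules(SAMPLE_ROUTER_RULES),
                 parse_netstat_listeners(SAMPLE_NETSTAT), SERVER_IP)


if __name__ == "__main__":
    for finding, ports in run_sample_audit().items():
        print(f"{finding:25s} {ports}")
```

On the sample data the audit reports 21 and 3389 as forwarded without a service that needs them, 21 additionally as forwarded to a port nothing is listening on (a rule left behind after FTP was turned off), and 139 and 445 as listening but not forwarded. That last finding is the expected state for SMB and must stay that way; the value of listing it is that a new forwarding rule for one of those ports would show up as unexpected_forward on the next run.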

Configure Network, Firewall, Web, and E-mail Services on the Computer That is Running Windows Small Business Server 2003

Using the Configure E-mail and Internet Connection Wizard can help you correctly configure settings for the network, firewall, Web site security, and e-mail services that are used after you connect your computer that is running Windows SBS 2003 to the Internet (on the To Do List, this task is called Connect to Internet). The wizard automatically configures these services; however, you should check the following:

  • Verify the firewall configuration to ensure only necessary services are allowed through the firewall.

  • Verify that the option to remove e-mail attachments is enabled.

Note

Do not use the Security Configuration Wizard on Windows SBS 2003 with Service Pack 1 (SP1). The Configure E-mail and Internet Connection Wizard performs many of the same tasks that are designed to reduce the attack surface of Windows SBS 2003 with SP1 as the Security Configuration Wizard performs for the Microsoft Windows Server® 2003 operating system with SP1.

Verify the Firewall Configuration

You can use the wizard to help configure the firewall properly on the server. In Windows SBS 2003, Standard Edition, the wizard configures the Basic Firewall service in the Routing and Remote Access service. In Windows SBS 2003, Premium Edition, it configures Microsoft Internet Security and Acceleration (ISA) Server.

When you enable the firewall, you should consider allowing only the services that your server needs to access the Internet or that users need to complete their work. For example, if users are using Remote Web Workplace to connect to the local network from the Internet, you should evaluate whether you also need to enable the Virtual Private Network (VPN) service.

Additionally, if you allow access to either the Business Web site (wwwroot) or to the entire Web site, your Web sites might be listed by Web search sites, such as Google. For example, a Web search site might list the Remote Web Workplace logon page. To control which parts of your Web site robots may catalog, see "Allow Internal Web Sites to Be Discoverable by Internet Search Engines," later in this section.

Requirements

You must be logged on as a member of the Domain Admins security group.

To review and remove services allowed through the firewall on the server

  1. Click Start, click Server Management.

  2. In the details pane, click Internet and E-mail, and then click Connect to Internet. The Configure E-mail and Internet Connection Wizard appears.

  3. On the Connection Type page, click Do not change connection type.

  4. On the Firewall page, click Enable firewall.

  5. On the Services Configuration page, clear the check box for any service that your users do not use or that your server does not need to access the Internet.

  6. On the Web Services Configuration page, clear the check box for any Web services that users do not use.

  7. Follow the instructions to complete the wizard.

  8. At the end of the wizard, if you have not enabled password policies to enforce strong passwords on your network, you are prompted to do so. Clicking Yes enables strong password policies. These policies provide an additional layer of protection against an unauthorized user gaining access to your network. For more information about enabling password policies, see the section "Implementing Strong Passwords."

Verify that the Option to Remove E-mail Attachments is Enabled

If Exchange Server is installed on the server, you should consider using the wizard to properly configure your server to send and receive e-mail through the Internet. When you enable Internet e-mail, the option to remove specific types of e-mail attachments from incoming e-mail is selected by default. Removing certain types of attachments from incoming e-mail helps to prevent a virus or malicious program from spreading to your local network.

When you completed the Connect to the Internet task on the To Do List, if you chose not to remove e-mail attachments, it is recommended that you run the wizard again to change this selection.

Requirements

You must be logged on as a member of the Domain Admins security group.

To enable the removal of e-mail attachments

  1. Click Start, and then click Server Management.

  2. In the details pane, click Internet and E-mail, and then click Connect to Internet. The Configure E-mail and Internet Connection Wizard appears.

  3. On the Connection Type page, click Do not change connection type.

  4. On the Firewall page, accept the default of Do not change firewall configuration.

  5. If you allowed access to a Web service, the Web Server Certificate page appears. Accept the default of Do not change current Web server certificate.

  6. On the Internet E-mail page, accept the default of Enable Internet e-mail. Click Next on each of the following pages until you reach the Remove E-mail Attachments page.

  7. On the Remove E-mail Attachments page, click Enable Exchange Server to remove Internet e-mail attachments that have the following extensions.

  8. Follow the instructions to complete the wizard.

Allow Internal Web Sites to Be Discoverable by Internet Search Engines

Web robots (also called crawlers or spiders) are automated programs that search and catalog documents and pages published on the Internet by following the hyperlinks on pages they have already visited. Windows SBS 2003 with SP1 and Windows SBS 2003 R2 ask Web robots not to catalog any of the Web sites on your server by placing a file named "Robots.txt" in the %systemdrive%\Inetpub\wwwroot folder.

If you want your business Web site indexed on the Internet but want to keep the Remote Web Workplace logon page and the other Web sites on your server out of search results, you can replace the default Robots.txt with the alternate version named Robots(AllowRoot).txt. Keep in mind that Robots.txt is only a request that well-behaved crawlers honor: it does not restrict access to anything, and the paths it lists under Disallow can be read by anyone who fetches the file. Keeping a page out of search results is not a substitute for requiring authentication on it.

To allow the Business Web site to be discoverable on the Internet

  1. In My Computer, navigate to %systemdrive%\Inetpub.

  2. Right-click Robots(AllowRoot).txt, and then click Copy.

  3. Navigate to %systemdrive%\Inetpub\wwwroot, and then paste Robots(AllowRoot).txt.

  4. Delete the existing Robots.txt file in %systemdrive%\Inetpub\wwwroot.

  5. Rename Robots(AllowRoot).txt to Robots.txt.

For more information about using robots.txt, see the Web Robots Pages Web site (https://go.microsoft.com/fwlink/?LinkId=25134).
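Before replacing Robots.txt it is worth checking exactly which paths each version exposes to crawlers. The following added example (not part of the original document) does that with the Python standard library's robots parser, with no network access. The shipped contents of Robots.txt and Robots(AllowRoot).txt are not reproduced here; DENY_ALL and ALLOW_ROOT_HIDE_APPS are constructed stand-ins that behave as the section describes, and the application paths they list under Disallow are assumptions.

```python
"""Check which paths a crawler may index under a robots.txt policy.

Added example, not part of the original document. DENY_ALL and
ALLOW_ROOT_HIDE_APPS are constructed stand-ins for the shipped Robots.txt and
Robots(AllowRoot).txt; the Disallow paths below are assumed, not copied.
"""
from urllib.robotparser import RobotFileParser

# Stand-in for the default Robots.txt: nothing on the server may be cataloged.
DENY_ALL = """\
User-agent: *
Disallow: /
"""

# Stand-in for Robots(AllowRoot).txt: the business site at the root is indexable,
# the remote-access and mail applications are not. Paths are assumed.
ALLOW_ROOT_HIDE_APPS = """\
User-agent: *
Disallow: /Remote/
Disallow: /Exchange/
Disallow: /Exchweb/
Disallow: /OMA/
Disallow: /Monitoring/
"""

# Constructed paths to probe; the last one differs from /Remote/ only in case.
SAMPLE_PATHS = ["/", "/products.htm", "/Remote/logon.aspx", "/Exchange/", "/remote/logon.aspx"]


def policy(robots_text):
    """Parse robots.txt text with the standard library parser (offline)."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())   # parse() marks the policy as loaded; can_fetch() needs that
    return rp


def crawlable(robots_text, path, agent="Googlebot"):
    """True if the policy lets the named crawler fetch the path."""
    return policy(robots_text).can_fetch(agent, path)


def index_report(robots_text, paths=SAMPLE_PATHS):
    """Map each path to whether a crawler may index it under the given policy."""
    return {p: crawlable(robots_text, p) for p in paths}


if __name__ == "__main__":
    for label, text in (("default (deny all)", DENY_ALL), ("allow root", ALLOW_ROOT_HIDE_APPS)):
        print(label)
        for path, allowed in index_report(text).items():
            print(f"  {'index' if allowed else 'skip '}  {path}")
```

The report makes one gotcha visible: robots.txt path matching is a case-sensitive prefix match, while IIS serves /remote/ and /Remote/ as the same directory. A link to the lower-case form would therefore be indexable under the allow-root policy even though the intent was to hide it, so either list both spellings or keep the default deny-all file and host the public site elsewhere.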

Keep Software Up-to-Date

One way to help keep your computing environment safe is to promptly install software updates, also known as fixes, security patches, service packs, and security-rollup packages. Software updates either fix vulnerabilities in software or they introduce additional security features. It is recommended that you install updates as soon as they become available. The following methods help keep your software up-to-date:

  • Set up regular software updates for your network.

  • Check for non-critical updates for Windows SBS 2003.

  • Check for Microsoft Office updates.

  • Check for updates to third-party applications.

  • Check for software and firmware updates for devices on your network.

Set Up Regular Software Updates for Your Network

Install Windows Server Update Services (WSUS) 3.0 on Windows SBS 2003 with SP1

Note

This section is for Windows SBS 2003 with SP1 only. If your server is running Windows SBS 2003 R2, see the section "Install Windows Small Business Server 2003 R2 Update Services on Windows SBS 2003 R2" later in this document.

An important way to help keep your network secure is to install the latest operating system updates on all computers that are on your network. By using Microsoft Windows Server Update Services (WSUS) 3.0, you can automatically install critical updates and service packs on computers on your Windows SBS network. For information about how to install WSUS 3.0, see “Installing Microsoft Windows Server Update Services 3.0 on Windows Small Business Server 2003” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=109575).

If your computers are not running Windows XP Professional, Windows 2000 Professional, Windows 2000 Server, Windows Server 2003, or Windows Small Business Server 2003, WSUS does not automatically update those computers. You should configure computers that are running Windows XP Home Edition to be automatically updated by using the procedure that follows. For computers that are running Windows 95, Windows 98, Windows Millennium Edition, or the Microsoft Windows NT® Workstation 4.0 operating system, you should use the Windows Update Web site to check periodically for updates to install. For more information about Windows Update, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=22655).

To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To configure computers that are running Windows XP Home Edition to be automatically updated

  1. Click Start, click Run, and then type Control. Click OK.

  2. Double-click System. The System Properties dialog box appears.

  3. Click the Automatic Updates tab.

  4. Select the Keep my computer up to date check box.

  5. Under Settings, select Automatically download the updates, and install them on the schedule that I specify, and then specify a time for the computer to download and install updates. Click OK.

Install Windows Small Business Server 2003 R2 Update Services on Windows SBS 2003 R2

Note

This section is for Windows SBS 2003 R2 only. If your server is running Windows SBS 2003 with SP1, see the section "Install Windows Server Update Services (WSUS) 3.0 on Windows SBS 2003 with SP1," earlier in this document.

Note

If you have a proxy server on your network, complete the following procedure to set up the proxy server for Windows SBS 2003 R2 Update Services.

To configure a proxy server

  1. Click Start, click Administrative Tools, and then click Microsoft Windows Server Update Services. The Microsoft Windows Server Update Services Web site opens in Internet Explorer.

  2. Click Options in the Windows Server Update Services toolbar, and then click Synchronization Options.

  3. In the Proxy Server section, do the following:

    1. Select the Use a proxy server when synchronizing check box.

    2. Type the proxy server name in the Server name text box.

    3. Type the port number on which your proxy server listens (for example, 80) in the Port number text box.

  4. Click Save Settings in the Tasks pane, and then close Internet Explorer.

To configure Update Services settings

  1. Click Start, and then click Server Management.

  2. Click Update Services in the console tree.

  3. In the Manage Update Services task pane, click Change Update Services Settings.

  4. In the Update Services Settings window, do the following:

    1. On the Schedule tab, set the servers and the client computers to be updated every day and specify the time for the update.

Note

The first update will occur at the scheduled time tomorrow.

    2. On the Included Computers tab, verify that all computers that you want to update automatically are listed in the Included text box. To exclude a computer, click the name of the computer and then click Remove.

Note

To include computers to be automatically updated, you must first set them up in Manage Client Computers or Manage Server Computers.

    3. On the Email address tab, choose when you want to receive notifications about updates, and enter your address in the Email address text box.

  5. Click OK.

  6. In the Manage Update Services task pane, click Refresh.

To accept or decline an update

  1. Click Start, and then click Server Management.

  2. In the console tree, click Update Services, and then click Waiting for Review.

  3. In the Updates Waiting for Review task pane, click an update, and then click View Details and Approve. The Update Details window opens.

  4. Review the information about the update, determine whether you want to approve or decline the update, and then click the appropriate button.

  5. Proceed through the list until you have either accepted or declined all of the updates.

Check for Non-Critical Updates for Windows SBS 2003

Microsoft Update provides high-priority updates for Windows SBS, which include security and other critical updates that can help protect your server. Windows SBS 2003 is configured to notify you when critical updates become available for your server, and you can choose whether and when to install them automatically.

It is a good idea to visit the Microsoft Update Web site (https://go.microsoft.com/fwlink/?LinkId=66120) at least once a week to get non-critical updates, such as recommended software and hardware updates.

Checking for updates to any applications that you use on your server helps to ensure that you have the most current fixes, security updates, service packs, and security-rollup packages.

Check for Microsoft Office Updates

Files that are created by some Microsoft applications, including Microsoft Office, might be used to transmit viruses and other malicious programs. Both WSUS and Windows Small Business Server 2003 R2 Update Services also check for updates for Office and for other Microsoft applications.

Check for Updates to Third-Party Applications

If you have third-party applications running on your Windows SBS 2003 network, check the manufacturer's Web site to see if the applications can be automatically updated to help keep your computers secure and reliable. If the applications cannot be automatically updated, periodically check the manufacturer's Web site for updates to help to ensure that you have the most current fixes, security updates, service packs, and security-rollup packages.

Check for Software and Firmware Updates for Devices on Your Network

If you have devices such as routers and switches on your Windows SBS 2003 network, check the manufacturer's Web site to see if the devices can be automatically updated to help keep your local network secure and reliable. If the devices cannot be automatically updated, periodically check the manufacturer's Web site for updates to help to ensure that you have the most current firmware, security updates, and security-rollup packages.

Implement Strong Passwords

Using strong passwords provides an additional layer of defense against an unauthorized user gaining access to your network. To implement strong passwords, complete the following steps:

  • Enable password policies

  • Educate users

Enable Password Policies

Enabling password policies to enforce the use of strong passwords is a critical step in helping to secure your network. If you ran the Configure E-mail and Internet Connection Wizard to configure your Internet connection, you were prompted at the end of the wizard to enable password policies. If you are unsure whether you enabled password policies when you ran the wizard, completing the following procedure to enable password policies that enforce strong passwords can help limit unauthorized access to your local network.

Requirements

You must be logged on as a member of the Domain Admins security group.

To enable password policies

  1. Click Start, and then click Server Management.

  2. In the details pane, click Users.

  3. In the console page, click Configure Password Policies.

  4. Select the check boxes for Minimum length, Complexity, and Maximum age, and then change Configure password policies to Immediately. Click OK.

    • Minimum length determines the least number of characters that a password can contain. Setting a minimum length helps protect your network by preventing users from having short or blank passwords. The default is 7 characters.

    • Complexity determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories: uppercase letters (A through Z), lowercase letters (a through z), numerals (0 through 9), and non-alphanumeric characters (such as !, $, #, or %).

    • Maximum Age determines the period of time (in days) that a password can be used before the system requires the user to change it. The default is 42 days.

  5. After you enable or change password policies, all users are required to change their passwords the next time they log on. Informing users about what requirements they must use when changing their password helps ensure that they understand how to choose a strong password.

Educate Users

After implementing strong password policies, educate users about strong and weak passwords. Ask users to treat their password as they would private information, such as a credit card PIN number. Below are typical guidelines that, when implemented, help ensure a strong password and more protection for your local network.

A password should not include any of the following:

  • A user's name or e-mail alias.

  • The name of the user's child, parent, spouse, or friend.

  • Any word found in a dictionary.

  • An old password that is reused by appending numbers.

  • A birth date.

  • A phone number.

  • A social security number or other identification number.

  • Any easily obtained personal information.

A strong password consists of the following:

  • It does not contain all or part of the user's account name.

  • It contains at least six characters.

  • It contains characters from three of the following four categories:

    • Uppercase letters (A through Z).

    • Lowercase letters (a through z).

    • Numbers (0 through 9).

    • Non-alphanumeric characters (for example, !, $, #, %).

For more information about password policies, see "Selecting Secure Passwords" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=50039).
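The rules above can be checked mechanically before a password is handed out or when a help desk resets one. The following is an added example, not code from this document or from Windows SBS: it applies the minimum length, complexity and maximum age settings described under "To enable password policies", using the document's defaults (7 characters, 42 days) as the assumed thresholds. The treatment of "all or part of a user's account name" is an assumption that mirrors how Windows applies the complexity policy: the whole logon name, plus any token of the display name of three or more characters, may not appear in the password.

```python
"""Check a candidate password against the Windows SBS 2003 password policy
settings described in this document (minimum length, complexity, maximum
age). Added example; thresholds default to the document's own defaults."""
import re
from datetime import datetime, timedelta

# The four character categories named by the Complexity policy.
CATEGORY_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def name_fragments(account_name, display_name=""):
    """Pieces of the user's name that must not appear in the password.
    Assumption (mirrors Windows' documented behaviour): the whole logon
    name, plus each token of the display name that is 3+ characters,
    where tokens are split on commas, periods, dashes, underscores,
    spaces, pound signs and tabs."""
    frags = {account_name.lower()} if len(account_name) >= 3 else set()
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3:
            frags.add(token.lower())
    return frags


def check_password(password, account_name, display_name="", min_length=7):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    categories = [k for k, p in CATEGORY_PATTERNS.items() if p.search(password)]
    if len(categories) < 3:
        problems.append(f"only {len(categories)} of 4 character categories")
    lowered = password.lower()
    for frag in name_fragments(account_name, display_name):
        if frag in lowered:
            problems.append(f"contains part of the account name ({frag!r})")
    return problems


def password_expired(last_set, now=None, max_age_days=42):
    """Maximum age check: True when the password is older than the policy allows."""
    now = now or datetime.now()
    return now - last_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample user; "jsmith" / "John Smith" are placeholders.
    for candidate in ("Fr0st!Wolf", "JohnSmith1!", "password", "Ab1!"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "OK")
    print("expired:", password_expired(datetime(2009, 1, 1), now=datetime(2009, 3, 1)))
```

The complexity check is deliberately the same three-of-four rule the policy enforces, so a password that passes here will also be accepted by the server once the policy is enabled; the reverse is not guaranteed for edge cases the assumptions above do not cover.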

Configure Remote Access to the Local Network

You can efficiently use Remote Web Workplace to remotely access the Windows SBS local network. You can also use a virtual private network (VPN) connection. However, using Remote Web Workplace is an easier method than using a VPN connection for authorized users to gain access to the local network.

With either option, telling users that they should always log out when they are done with the session helps prevent an unauthorized user from gaining access to the network.

You can help securely configure remote access for Windows SBS 2003 by using one or both of the following options:

  • Use Remote Web Workplace.

  • Use the Remote Access Wizard.

Use Remote Web Workplace

Remote Web Workplace enables users to access important features of Windows SBS 2003 when they are away from the office. Using Remote Web Workplace, they can check e-mail and calendars, connect to their computers at work by using Remote Desktop, use shared applications, access the company's internal Web site, view performance reports, or join a computer to the Windows SBS network by downloading Connection Manager.

If users do not need to remotely access the local network, disabling access to Remote Web Workplace helps to limit the likelihood of unauthorized access to your network. To disable access to Remote Web Workplace, complete the procedure "To review and remove services allowed through the firewall on the server."

Note

To connect to a remote desktop on the local network using Remote Web Workplace, the remote computer must be running Windows 2000 Server or Windows XP Professional. A remote computer running any other operating system must use a VPN or dial-up connection as discussed in the section "Use the Remote Access Wizard."

Use the Remote Access Wizard

Using the Remote Access Wizard, you can enable virtual private network (VPN) access, dial-up access, or both. VPN access enables remote client computers to connect securely to your local network over the Internet. Users first connect to their local Internet service provider (ISP) and then securely connect to the local network using special protocols based on TCP/IP, called tunneling protocols. Dial-up access allows remote computers to connect over a phone line to a modem on the server.

If users do not require VPN or dial-up access, you should disable the access.

Requirements

You must be logged on as a member of the Domain Admins security group.

To disable VPN access, dial-up access, or both

  1. Click Start, and then click Server Management.

  2. In the details pane, click Internet and E-mail, and then click Configure Remote Access. The Remote Access Wizard starts.

  3. On the Remote Access Method page, click Disable remote access.

Note

If the option to Disable remote access is grayed out, remote access is not enabled on the server.

  4. Follow the instructions to complete the wizard.

Verify That Users Have Only the Permissions That They Need

You can help to secure the network by ensuring that users have only the permissions that they need to do their jobs and by limiting the use of accounts with administrative rights and permissions. To verify that users have only the permissions that they need, do the following:

  • Use the correct Windows SBS template.

  • Do not use Administrator or Power User accounts for daily work.

  • Assign permissions to shared folders.

Use the Correct Windows Small Business Server Template

Windows SBS 2003 comes with predefined templates that are designed to give users only the level of access they need. For example, user accounts that are based on the User template do not have remote access to the local network by using a VPN connection, but user accounts based on the Mobile User template do have this access. The four templates are as follows:

Table 2: Template Names and Descriptions

Template Name: User
Description: Accounts based on this template have access to shared folders, printers and faxes, e-mail, and the Internet. Accounts assigned this template can access the local network from a remote location by using Remote Web Workplace. Additionally, user accounts assigned with this template can open a Remote Desktop Connection to a computer that is running Windows XP Professional but not to a computer that is running Windows SBS 2003.

Template Name: Mobile User
Description: Accounts based on this template have all the permissions of the User template and can also access the local network from a remote location using Remote Web Workplace or a remote access connection.

Template Name: Power User
Description: Accounts based on this template have all the permissions of the Mobile User template and can also perform delegated management tasks. A Power User can log on remotely, but not locally, to a computer that is running Windows SBS 2003.

Template Name: Administrator
Description: Accounts based on this template have unrestricted system access to the Windows SBS network.

Reviewing the template that is currently assigned to each user and ensuring that users have only the minimum level of access they need to perform their daily tasks helps reduce the chance that they will inadvertently delete important files or gain unintended access to an Administrator account. Additionally, if you allow access to Remote Web Workplace from the Internet and you do not want a user to have access to the local network from the Internet, you should disable access to Remote Web Workplace for that user's account.

Requirements

You must be logged on as a member of the Domain Admins security group.

To review the template assigned to each user

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, review the Description column for each user.

To disable user access to Remote Web Workplace

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, click the name of the user whose access you want to disable.

  4. Click Change User Properties.

  5. In the User Properties dialog box, click the Member Of tab.

  6. Click Remote Web Workplace Users, and then click Remove.

To change permissions for a user account

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, click the name of the user whose permissions you want to change.

  4. Click Change User Permissions. The Change User Permissions Wizard appears.

  5. On the Template Selection page, select the template you want to change to. For example, if you have an account with Administrator permissions that you want to change, you could assign either a User Template or Mobile User Template. By default, the previous permissions granted to the user are replaced.

  6. Follow the instructions to complete the wizard.

Do Not Use Administrator or Power User Accounts for Daily Work

Because user accounts based on the Administrator and Power User templates are very powerful, consider basing user accounts on the less powerful User template. Using the Administrator or Power User templates even though a user does not need the more powerful access privileges increases the chance that the user will inadvertently delete important files or gain unintended access to an account with administrative or power user permissions.

For instance, if a user on your network wants administrative or power user permissions but does not need them for daily tasks, you can assign the user two accounts. The first account is a typical user account for daily tasks, based on the User template. The second account is based either on the Administrator template, which provides the user with unrestricted access to the domain, or on the Power User template, which provides the user with the ability to remotely connect to the server and to perform designated management tasks. You should then instruct the user to use the account with administrator or power user permissions only to complete specified tasks.

Because the Administrator account is a well-known and powerful account and a Power User account allows a user to access the server for management tasks, having users adhere to the following procedures can help reduce unauthorized access to your network and the misuse of more powerful access privileges:

  • Use strong passwords at all times.

  • Log on with your user account to perform daily tasks, not with an Administrator or Power User account.

  • Never leave a computer unattended while you are logged on to an Administrator or Power User account.

  • Do not give others the password for an Administrator or Power User account.

  • Never leave a written record of the password for an Administrator or Power User account near the computer.

Requirements

You must be logged on as a member of the Domain Admins security group.

To create a user account for daily tasks

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, click Add a User. The Add User Wizard appears.

  4. Follow the instructions to complete the wizard to create a user account without administrative permissions.

  5. Instruct the user to use the User account for daily activities and to use the Administrator or Power User account only when necessary to complete particular tasks.

Note

If the user has been using the administrative account for any length of time, it may be easier for the user if you restrict the permissions of the existing administrative account (see the procedure "To change permissions for a user account") and then use the previous procedure to add a new administrative account.

Assign Permissions to Shared Folders

By assigning which users or groups of users can access information shared from the server, you can help prevent an unauthorized user from accessing your company's data. By default, any shared folder that is created during Windows SBS 2003 Setup is assigned permissions to help secure the shared folder. If you have created additional shared folders on the server, ensuring that the shared folders have only the necessary permissions can help you limit access to only those who need it.

Requirements

You must be logged on as a member of the Domain Admins security group.

To determine the list of shared folders on the server

  1. On the server, click Start, click Run, and then type \\YourServerName. A list of shared folders appears. The following shared folders are created by Setup and are automatically assigned the appropriate permissions: Address, YourServerName.log, ClientApps, Clients, Faxclient, Netlogon, Sysvol, Tsclient, Tsweb, Users, and Printers and Faxes.

  2. If the list includes any shared folders other than the default ones, record the names of the non-default shared folders.

To review and assign permissions to non-default shared folders

  1. With the list of shared folders from the previous procedure still open, right-click the name of a shared folder, and then click Properties.

  2. Click the Security tab.

  3. Review the list of groups that are allowed to access the shared folders and the permissions associated with each group.

  4. If a shared folder does not have security permissions assigned, assign permissions to groups of users based on your business needs. For more information about assigning permissions to a shared folder, from the server, click Start, click Help and Support, and then search for "shared folder permissions."

Change the Account Name of the Built-in Administrator Account

Renaming the built-in Administrator account on all computers in the Windows SBS network, or at least on the server, is a standard security practice that can help reduce unauthorized network access. The built-in Administrator account is a well-known and powerful account. Malicious users often attempt to log on to computers by guessing the password of the Administrator account. Because the account is necessary for many functions, it cannot be locked out. However, if you change the name of this account, you make it more difficult for unauthorized users to discover the password and to gain access to the network. Additionally, you should consider using a strong password for the Administrator account as an added precaution in case an attacker is able to determine the new account name. For more information about strong passwords, see the section "Implement Strong Passwords."

Note

After renaming the built-in Administrator account on the server, it is very important that you log off and then log on using the renamed account. Otherwise, you may be denied access to resources or may not be able to successfully use some of the Windows SBS tools.

Requirements

You must be logged on as a member of the Domain Admins security group.

To rename the Administrator account on the computer that is running Windows SBS 2003

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, right-click Administrator, and then click Properties.

  4. On the General tab, in the Display name text box, replace the previous name (Administrator) with a new name.

  5. On the Account tab, in the User logon name box, type the new name.

  6. In the User logon name (pre-Windows 2000) box, replace the previous user logon name (Administrator) with the new name, and then click OK.

  7. After changing the Administrator account name, you must log off and then use the new name to log back on as an administrator on the server.

To rename the local Administrator account on a client computer

  1. On the client computer, click Start.

  2. If the client computer is running Windows XP, click Control Panel, and then click Performance and Maintenance. If it is running Windows 2000, click Settings, and then click Control Panel.

  3. Double-click Administrative Tools, and then double-click Computer Management.

  4. In the console tree, click Local Users and Groups, and then click Users.

  5. In the details pane, right-click Administrator, and then click Rename User. Enter a new name for the account.

  6. After changing the Administrator account name, you must log off and then use the new name to log back on as an administrator on the client computer.

Note

If you have many client computers, it may be more efficient to use Group Policy Management Console (GPMC) to automatically rename all the Administrator account names in the network (including the server). For step-by-step instructions for this method, from the server, click Start, click Help and Support, and then search for "rename the Administrator account using Group Policy Management Console."

Help to Secure the Computer That is Running Windows Small Business Server 2003

Using the following methods can help secure the server:

  • Physically secure the server from on-site attacks.

  • Do not use the server as a workstation.

  • Do not install unnecessary software on the server.

  • Configure backup.

Physically Secure the Computer That is Running Windows Small Business Server 2003 from On-Site Attacks

All networks are vulnerable to on-site attacks, which may include, but are not limited to: starting the server from a floppy disk and reformatting the hard disk; opening the computer case and replacing the system basic input/output system (BIOS) chips; removing the hard disk from the computer running Windows SBS 2003 and reading information from it; or replacing keyboards with those that can help monitor everything you type, including passwords. Physically securing the server can help restrict these on-site attacks.

To help physically secure the server

  1. Keep a tape backup in a secure off-site location. Store on-site tape backup in a secure place.

  2. Lock the CPU case and ensure that the key is protected. Make a backup key and keep it in a safety-deposit box off-site.

  3. Limit physical access to the server, preferably by placing it in a locked room and issuing keys only to users who need physical access to it. The server should be bolted down or secured to a rack. Alternatively, use a cable lock.

  4. Ensure that the password is not written near the computer (for example, under the keyboard).

  5. Protect the server with an uninterruptible power supply (UPS). UPS equipment helps protect the server from a temporary power loss, which can cause server failure or file corruption.

  6. Ensure that all volumes use the NTFS file system.

  7. Set a password for the system BIOS. For more information about setting a BIOS password, see the server manufacturer's documentation.

Do Not Use the Computer That is Running Windows Small Business Server 2003 as a Workstation

Consider not using the server as a workstation, because this increases the surface area for attacks and affects the performance of the network. The surface area for attacks increases because you need to install client applications on the server. If there is a security-related issue for any client application, the server is vulnerable to attack until a security update is installed. Additionally, if a user other than an administrator logs on to the server, the chance increases that the user will accidentally delete critical information or an application.

Do Not Install Unnecessary Software on the Computer That is Running Windows Small Business Server 2003

Consider installing only the software on the server that is necessary for your business operations, in order to reduce the surface area of attacks and to help maximize the performance of the server.

Configure Backup

Backing up data on the server can help prevent data loss that results from user error, data tampering, or virus attack. Backing up data is especially critical for small businesses, because a total system failure results not only in the loss of critical data, but also in the loss of essential services, such as e-mail and Internet connectivity. Without a current backup, even companies that use a mirrored hard-disk configuration may recover only a portion of their loss. You should keep the backup media in a secure location, because a malicious user can use this data to reconstruct the server at an alternate location. Additionally, consider testing the integrity of the backup by selecting random files from your backup, restoring them to an alternate location, and then confirming that the files have not changed.

Windows SBS 2003 provides an integrated backup solution. When you configure your backup using the integrated backup solution, the entire server is backed up by default, including your intranet, mailboxes, and user files.

To configure backup, see "Backing Up and Restoring Windows Small Business Server 2003" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=65186).
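The spot check suggested above (restore a random sample of files to an alternate location and confirm they have not changed) can be scripted so it is repeated after every backup cycle. The following is an added example, not part of this document or of the Windows SBS backup tools: it hashes a random sample of files under the live data folder and compares each against the same relative path under the restore folder, reporting files that differ or are missing. The data tree it operates on is constructed in a temporary directory so the script runs anywhere; in practice you would point it at a real data share and a real restore location.

```python
"""Spot-check a backup restore by comparing SHA-256 hashes of a random
sample of live files with the copies restored to an alternate location.
Added example; the sample data tree is constructed in a temp folder."""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def spot_check(original_root, restored_root, sample_size=5, rng=None):
    """Compare a random sample of files under original_root with their
    counterparts under restored_root.

    Returns (checked, mismatched, missing): lists of relative POSIX-style
    paths for the files sampled, the ones whose content differs, and the
    ones absent from the restore."""
    rng = rng or random.Random()
    original_root, restored_root = Path(original_root), Path(restored_root)
    files = sorted(p.relative_to(original_root)
                   for p in original_root.rglob("*") if p.is_file())
    sample = rng.sample(files, min(sample_size, len(files)))
    mismatched, missing = [], []
    for rel in sample:
        restored = restored_root / rel
        if not restored.is_file():
            missing.append(rel.as_posix())
            continue
        if sha256_of(original_root / rel) != sha256_of(restored):
            mismatched.append(rel.as_posix())
    return [r.as_posix() for r in sample], mismatched, missing


def demo():
    """Build a constructed data tree, copy it as a 'restore', then tamper with
    one restored file and delete another so the check has something to find.
    Returns the (checked, mismatched, missing) tuple from spot_check."""
    base = Path(tempfile.mkdtemp())
    try:
        live, restored = base / "live", base / "restored"
        for i in range(6):
            p = live / "users" / f"doc{i}.txt"
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(f"constructed sample document {i}\n")
        shutil.copytree(live, restored)
        (restored / "users" / "doc2.txt").write_text("tampered\n")
        (restored / "users" / "doc4.txt").unlink()
        # Fixed seed so the demo is repeatable; omit it for a real check.
        return spot_check(live, restored, sample_size=6, rng=random.Random(0))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    checked, bad, gone = demo()
    print(f"checked {len(checked)} files; mismatched: {bad}; missing: {gone}")
```

A clean run returns empty mismatched and missing lists; anything else means the restore cannot be trusted and the backup job or media should be investigated before the next cycle. Keep the sample size small enough that the check finishes in reasonable time, but rotate the random sample so that over several runs most of the data set is covered.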

Note

To open the backup management taskpad, click Start, click Server Management, and then click Backup.

Implement an Antivirus Solution

Computer viruses can spread quickly and overwhelm network resources. In addition to arriving through e-mail, a virus can propagate from services running on the server, from a shared folder on the network, from the Internet, or from infected files on removable media, such as floppy disks and CDs. For more information about antivirus software, see "Frequently Asked Questions About Antivirus Software" at the Microsoft Security Web site (https://go.microsoft.com/fwlink/?LinkId=22661).

Using an antivirus solution that protects the entire network, including the server and client computers, helps you to prevent computer viruses from accessing your local network. Additionally, consider ensuring that you have a good backup and recovery plan, because you may need to restore the system to its state before the virus infection occurred. To help implement an effective antivirus solution, do the following:

  • Choose an antivirus solution.

  • Implement a virus-reaction plan.

Choose an Antivirus Solution

If you are not currently running an antivirus solution, consider purchasing one that meets the following criteria:

  • It supports Windows SBS 2003.

  • It supports Exchange Server 2003 and Microsoft Virus Scanning API 2.5. For more information about antivirus software and Exchange Server, see article 823166, "Overview of Exchange Server 2003 and Antivirus Software," in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=22662).

  • If you are using Windows SharePoint Services to publish a company Web site on your intranet or extranet, it is important that the antivirus solution supports Windows SharePoint Services to monitor uploaded and downloaded files on your Web site.

  • It should protect both the server and the client computers.

  • The antivirus software vendor should release updates quickly.

Additionally, once you install an antivirus solution, configuring the solution to automatically check for antivirus updates (also called signatures) and automatically install the updates on a specified schedule can help reduce the likelihood that your network will become infected with a virus or other malicious program.

For a list of antivirus partners, see the Microsoft Security Web site (https://go.microsoft.com/fwlink/?LinkId=22663).

Implement a Virus-Reaction Plan

In some cases, you might receive a warning about a new virus before an update to your antivirus software is available. If this occurs, having a reaction plan in place for how best to handle the virus can help reduce the likelihood that your network will be infected by that virus. Additionally, you can temporarily disable your Internet connection.

To implement a virus-reaction plan

  1. Verify that the virus is genuine by checking with your antivirus software vendor. Some virus notifications might be hoaxes.

  2. If the virus is genuine and an update is available, download the update immediately. If an update is not yet available, it is recommended that you do the following to prevent the virus from accessing your local network:

    1. Check your antivirus software vendor's Web site to get details about how the virus infection is occurring.

    2. Prevent further spread of the virus by making sure that users know what actions cause the virus to spread.

To temporarily disable your Internet connection

  • Physically disconnect your Internet connection device from the Internet. For example, if you have a broadband connection, disconnect the connection between your Internet service provider (ISP) and your broadband device.

Upgrade Client Computers

If you have client computers that are running Windows 98 or earlier, consider upgrading these computers to either Windows XP Professional or Windows 2000 Professional. Windows XP Professional and Windows 2000 Professional are designed to work with the Windows Server operating systems (which include the operating system for Windows SBS 2003). This adds security while also improving reliability, performance, and functionality for the local network. In addition, some Windows SBS 2003 applications, such as Outlook 2003, are specifically designed to work with Windows 2000 Professional Service Pack 3 or later.

For information about upgrading client computers, see the Windows XP Professional Upgrade Center page at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=22664).

Monitor the Computer That is Running Windows Small Business Server 2003 for Security Issues

You can monitor the server for security issues using the following methods:

  • Configure monitoring.

  • Attach log files to monitoring reports.

  • Audit for failed logon events and account lockouts.

  • Keep up-to-date on security information.

Configure Monitoring

Windows SBS 2003 performance and usage reports contain detailed information about the overall health and use of the server. You can configure the reports by running the Monitoring Configuration Wizard.

If you are not receiving monitoring reports, you need to either configure monitoring or add your e-mail address to the list of report recipients.

Requirements

You must be logged on as a member of the Domain Admins security group.

To configure performance and usage reports

  1. Click Start, and then click Server Management.

  2. In the details pane, click Monitoring and Reporting.

  3. In the console page, click Set Up Monitoring Reports and Alerts. The Monitoring Configuration Wizard appears.

  4. Follow the instructions to complete the wizard.

Attach Log Files to the Monitoring Reports

Log files contain important information about application events, Internet Information Services (IIS), security events, and system events, including hardware and software problems. The information is recorded as chronological messages in the log. Some of these logs, such as the firewall logs and the security-event logs, can be used to help monitor the security of your network.

You can monitor the network for attacks by reviewing the firewall and the security-event logs. You can monitor these logs by using the monitoring tools available in Windows Small Business Server. These tools include alert notifications and performance and usage reports.

Requirements

You must be logged on as a member of the Domain Admins security group.

To attach log files to the monitoring reports

  1. Click Start, and then click Server Management.

  2. In the console tree, click Monitoring and Reporting.

  3. In the details pane, click Change Server Status Report Settings.

  4. In the reports list, click the report to which you want to attach a log file, and then click Edit.

  5. On the Content tab, under Log files to send with the report, click the log files you want to attach to the report.

  6. To attach a log file that does not appear under Log files to send with the report, click Add to browse for the log file.

It is recommended that you attach log files suitable for your particular business usage such as uninterruptible power supply (UPS) logs, line of business application logs, and antivirus software logs.

Note

Log files can be very large. Consider this when deciding whether to attach a log file to a server performance or usage report. If the compressed size of the attachments to a performance or usage reports exceeds 5 megabytes (MB), it will not be attached to the mail. Additionally, some mail services may have a lower limit for the size of attachments that are allowed.

Audit for Failed Logon Events and Account Lockouts

Auditing the number of a user's failed logon attempts helps you discover brute force, dictionary, and other password attacks on the server. By default, Windows SBS 2003 enables auditing of logon failure events and account lockouts. If a user account has 50 invalid logon attempts within 10 minutes, the account is locked out for 10 minutes. After 10 minutes, the account is reset and the user can attempt to log on again. Failure audits generate an audit entry when a logon attempt fails. Thus, every time an invalid logon attempt occurs on the server or an account lockout occurs, a message is generated in the event log. Additionally, the Windows SBS 2003 performance reports list whether an account lockout has occurred, which may indicate there was an attempt to gain unauthorized access to an account. If you selected the option to receive alert notifications when you ran the Monitoring Configuration Wizard, an e-mail alert will also be sent to specified users indicating that an account lockout has occurred.
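The lockout alert tells you that the threshold was reached; reviewing the failure events themselves tells you which accounts were targeted and from where. The following is an added example, not part of this document or of the Windows SBS monitoring tools: it reads an exported Security log and applies the document's default lockout policy (50 failures within 10 minutes) as a sliding window, lists lockout events, and groups failures by source workstation so that a user's typos can be told apart from attempts arriving from an unfamiliar host. The CSV layout is an assumption standing in for whatever export format you use, and the sample log is constructed. The event IDs are the Windows Server 2003 Security log IDs for a logon failure (529), a successful logon (528) and an account lockout (644).

```python
"""Review an exported Security event log for failed logons and lockouts.
Added example. Input is a constructed CSV export with the columns
timestamp,event_id,account,workstation; the 50-in-10-minutes threshold is
the document's default lockout policy."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

EVENT_LOGON_SUCCESS = 528   # Windows Server 2003: Successful Logon
EVENT_LOGON_FAILURE = 529   # Windows Server 2003: Unknown user name or bad password
EVENT_ACCOUNT_LOCKOUT = 644  # Windows Server 2003: User Account Locked Out


def build_sample_export():
    """Constructed sample of a Security log export (not a real log):
    two typos by a real user, then 50 failures against 'administrator'
    from one host in about eight minutes, followed by the lockout."""
    rows = ["timestamp,event_id,account,workstation",
            "2009-05-27 08:00:00,529,jsmith,WS01",
            "2009-05-27 08:00:09,529,jsmith,WS01",
            "2009-05-27 08:00:20,528,jsmith,WS01"]
    start = datetime(2009, 5, 27, 9, 15, 0)
    for i in range(50):
        t = start + timedelta(seconds=10 * i)
        rows.append(f"{t:%Y-%m-%d %H:%M:%S},529,administrator,EXT-HOST")
    rows.append("2009-05-27 09:23:15,644,administrator,EXT-HOST")
    return "\n".join(rows) + "\n"


def parse_export(text):
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"].lower(),
            "workstation": row["workstation"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def failure_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Accounts whose failed logons inside any sliding window reach the
    threshold. Returns {account: peak failures seen inside one window}."""
    recent = defaultdict(deque)
    peaks = {}
    for e in events:
        if e["event_id"] != EVENT_LOGON_FAILURE:
            continue
        q = recent[e["account"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[e["account"]] = max(peaks.get(e["account"], 0), len(q))
    return peaks


def lockouts(events):
    """(time, account, workstation) for every account lockout event."""
    return [(e["time"], e["account"], e["workstation"])
            for e in events if e["event_id"] == EVENT_ACCOUNT_LOCKOUT]


def failure_sources(events):
    """Workstations behind the failed logons, per account."""
    src = defaultdict(set)
    for e in events:
        if e["event_id"] == EVENT_LOGON_FAILURE:
            src[e["account"]].add(e["workstation"])
    return {k: sorted(v) for k, v in src.items()}


if __name__ == "__main__":
    evts = parse_export(build_sample_export())
    print("accounts reaching the lockout threshold:", failure_bursts(evts))
    print("lockouts:", lockouts(evts))
    print("failure sources:", failure_sources(evts))
```

Lowering the threshold (for example to 10 within the same window) surfaces accounts under pressure before the policy locks them, which is the more useful alerting point; the lockout itself is the policy doing its job, and the report should mainly help you decide whether the source was a forgetful user or a host that should not be reaching the server at all.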

Keep Up-to-Date on Security Information

Bulletins, newsletters, and newsgroups contain the latest information about security-related issues, what products are affected (if any), how to help protect your computers, and what needs to be done to fix a security problem. These resources also contain links to other sources of information. Staying current with security information helps you protect your data and network from unauthorized access, viruses, and data theft.

Review Security Bulletins

Security bulletins provide the latest security information. The Microsoft Security Response Center regularly publishes hotfixes and security bulletins. For more information, see the "HotFix and Security Bulletin Service" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=16290).

Sign Up for Security Newsletters

To receive e-mail concerning alerts and updates for all your Microsoft products, subscribe to the Microsoft Security Update Newsletter at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=22339). Also, stay current on updates for any other software that you may use by visiting the manufacturer's Web site.

Review Newsgroups

Review newsgroups to receive the latest security-related information.