Small Business Server 2008 & Security

Let’s get something out of the way up front. This is not a security system for banks, governments, or international spies. The security built into Microsoft’s Small Business Server 2008 is designed, like all facets of SBS, to be easily usable by non-technical business owners. That being said, SBS provides a much higher level of security than usually seen at most small businesses who put most of their stock in security through obscurity.

Like almost all SBS features, the various Security features are accessed via the SBS Console. The Network Essentials Summary panel on the home page displays Security prominently at the top as a constant reminder of its importance. Actually, manipulations of security features are done within the Security tab.

A prominent component of SBS security is reporting. Theoretically, a business owner alerted to a security threat will react quickly. However, in Windows Server 2008 Standard and other systems, security threats are often something you have to search out, and even worse, you have to know what you are looking for. Asking a small business owner to check log files in between calls to the bank and suppliers isn’t realistic.

Fortunately, the SBS security console is an easily readable display with colored icons that call attention to potential problems.

These days, email is one of the most common ways to get into a network. Attachments, of course, can carry numerous types of security threats, and most hosted email systems block images from untrusted senders for the same reason, but even the text of a carefully crafted email can contain a nefarious payload without the aid of an attachment thanks to the proliferation of HTML based emails.

If there is one glaring weakness in Microsoft’s Small Business Server, it is email security. Microsoft’s quest for an all-in-one fully integrated solution that is easy to use and implement without difficult decisions being made by people who may not have the technical expertise to use them, seems to have failed miserably here. The former security integrated into SBS 2003 has been replaced by Microsoft’s Forefront Security for Exchange Server which in and of itself wouldn’t be all that bad.

The problem is that Forefront isn’t really included with SBS 2008. Instead, it is a trial version of the software. Microsoft suddenly expects business owners to become much savvier here. First, the business owner needs to both fully understand that his security is provided by a demo product. Then, he needs to notice that his trial period is coming to an end, make an appropriate evaluation about whether or not it is worth continuing with Forefront, switch to another security product, or simply stop using anything at all.

As if that weren’t enough, if the business owner does decide to forgo extending the bait and switch security offering, he needs to uninstall Forefront for Exchange and then manually disable anti-spam updates. Um, Microsoft? What is the point of Small Business Server again? Easy to use, totally integrated, with no complicated tasks, or decisions? Does this fit?

Apparently having failed in its attempt to turn the operating system business into a subscription based model, the folks in Redmond have decided to ransom their SBS installations into a security subscription lest they be left to the wolves.

Fortunately, the remainder of SBS 2008 security is useful and integrated. Microsoft’s firewall service is built-in and is remarkably easy to operate. SBS takes one of the most complicated tasks, opening a firewall port, and makes it a point and click operation.

The Remote Web Workplace is an interesting addition. Virtual private networks, or VPNs, are often difficult and frustrating for non-technical users to implement and keep running. Microsoft alleviates this problem by offering Remote Web Workplace which uses a web browser on the client end to provide access to the protected network. The advantage of this scheme is that it requires no setup or configuration where it is most likely to occur, at the remote client. Instead, the built in HTTPS of the web browser, provides the necessary security.

VPN connections are available, though they are not installed by default.

For the small business owner, the security monitoring and remote access features should be solid enough. The Forefront thing is a bit of a problem, so have your vendor install your SBS system without Forefront and install an easy to use third-party security solution from day one. This eliminates the complexity of the expiring Forefront trial and ensures that your network won’t be exposed while you figure out what to do after the expiration date.