I, too, run SBS on the perimeter. I will phrase it differently following Troy's thought process. I have never noticed a breach. I am fairly confident that there's never been a breach since I have never seen any subsequent consequences I would expect with the nature of the businesses. SBS isn't necessarily less "secure", just makes it more difficult to implement your security policy. However, it comes down to more than who is securing it and who has access to it. These are critical aspects to security, to be sure, and there are other technical things such as the platform. But don't forget about softer issues such as "does anyone really care to hack you?". In other words, do you have anything worth hacking into? Has your organization recently pissed someone (internal/external) off? Have you as an admin recently pissed someone (internal/external) off. Also don't forget the high percentage of security breaches that come from within. Do you monitor outgoing mail enough to know for certain that someone isn't zipping company data up and emailing it to their home accounts or someone else's accounts? Is it worth it too? Etc, etc. "Secure" is a relative term, there is no absolute definition. It's a function of your $$ and your attitude. -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CSA1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-6969 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: Paul Nuernberger [mailto:pen@xxxxxxxxx] Sent: Thursday, July 29, 2004 1:36 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer http://www.ISAserver.org While I agree in principle with you - getting small companies to spend the extra cash is (usually) not possible. I have multiple SBS2k & SBS2k3 installs sitting right on the net - not one has ever been compromised (and believe me there have been and continue to be endless attempts). Granted, I am the ONLY one who has access to the units, and nothing extra gets installed except Symantec A/V & GFI DS & ME. It comes down to who is securing it, and who has access to it. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Thursday, July 29, 2004 11:34 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer http://www.ISAserver.org Hey guys, I'll jump in here. I'd *never* put an ISA SBS box on the Internet edge of the network. ISA firewalls just won't get the respect they deserve if you put the kitchen sink on them. I'll fight this one tirelessly (or at least passively :-) until they SBS team unbundles a single OS lic to place the ISA firewall software on a white box in front of the family jewells. Just because something can be done, doesn't mean it should be done. I can make a Exchange/SQL/ISA/Kazaa/Morpheus/Doom server work, but it shouldn't be done. And even when you do it, there are other issues. Its just not worth it. You'll be able to get a fully loaded ISA 2004 firewall appliance for less than 2500US in a couple of months. Over 5 years, that's just 500/year or about $1.39 a day. IMHO, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Thursday, July 29, 2004 10:27 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer http://www.ISAserver.org Well articulated James, I have a client who has been running sbs 2000 with isa installed and has never in all these years had a security breach tho' many have tried. There is no problem with a loaded sbs server, 2000 or 2003...as long as it's done right. Steve -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, July 27, 2004 3:44 PM To: Isa Weblist Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer http://www.ISAserver.org Unscrew the top of your head and let some light in. It's exactly this sort of self-serving, elitist rhetoric that causes folks to feel like they "just can't do it". There isn't and never will be "just one right way" to do something. There are external factors that are not always controllable. Security is and will always be a balancing act between requirements, money and hardware resources. "Fast, Secure or cheap; choose two" is one of my favorite quotes. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, July 27, 2004 06:31 Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer http://www.ISAserver.org Which is why you'll never see anyone in their right mind running SBS who expects the same level of protection from a dedicated system. I forwarded that e-mail from Tom to the guys at work, and the first thing they did is say: Look at ISA! It's a piece of junk since you've gotta do a work around just to make stuff even work on the box! You never have that problem with a PIX! If you're boss won't look at the cost justification of buying a low end desktop to run a service, all I have to say to any financial institution is how much is the cost of an FDIC audit in terms of your labor? Pulling 50% of the IT staff into meetings with the FBI/FDIC/Secret Service (yes, the secret service is involved in these types of audits) for 2 months along with hiring a small army of people to produce all your audit trails for the past 7 years is by FAR more expensive than any server that I can think of.... What I was getting at in my first e-mail is that since you can't even install services on a PIX, you'd need to purchase or use another server anyways, which is why you should leave things off of an ISA box and just not even open yourself up to an service exploit..... Troy -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, July 27, 2004 12:16 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer http://www.ISAserver.org "Hardware"; thpthpthpthpthp Please drop this blatant BS; until it's implemented in the ASICs, it ain't "hardware". Facts: - Installing service on any machine is only as functional or secure as the person deploying / securing it. - There are folks with more motivation than $$ - These same folks need an answer, not attitude. - placing services on the firewall is not for the faint of heart; this is why the SBS folks spend years perfecting the compromise. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, July 26, 2004 09:10 Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer http://www.ISAserver.org Installing services on your ISA box is like hiring a blind, deaf body guard and expecting him to walk you to the other side of the street..... Only bad things can happen..... Suggestion: The service you've installed can't be mission critical, otherwise you'd have a dedicated server..... BYOS (build your own @#(*$&)@(#*ing server) or put it on a cheap POJ (Piece of Junk) box.... Besides, I'd love to see someone try and install a service on a PIX box anyways...... so the hardware firewall people can't even bring this up as a 'flaw'...... even though i am a fan of hardware at the entrance for bulk processing of incoming/outgoing traffic...... -----Original Message----- From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] Sent: Monday, July 26, 2004 10:35 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer http://www.ISAserver.org They left out the most obvious solution, and the one which is usually the most correct... Move the service to something besides your firewall. Ray Dzek Network Operations Supervisor Specialized Bicycle Components -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Monday, July 26, 2004 7:10 AM To: [ISAserver.org Discussion List] Subject: [isalist] 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer http://www.ISAserver.org Very interesting KB article and an issue that I'm sure will generate a lot of heat in the coming months. 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer: http://support.microsoft.com/default.aspx?scid=kb;en-us;838376 <http://support.microsoft.com/default.aspx?scid=kb;en-us;838376> ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: steve@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist This E-Mail is confidential. It is not intended to be read, copied, disclosed or used by any person other than the recipient named above. Unauthorised use, disclosure, or copying is strictly prohibited and may be unlawful. Optimum IT Solutions disclaims any liability for any action taken in connection of this E-Mail. The comments or statements expressed in this E-Mail are not necessarily those of Optimum IT Solutions or its subsidiaries or affiliates. administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pen@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist