Microsoft KB Archive/303323

= How to Maintain a Secure Small Business Server Installation =

Article ID: 303323

Article Last Modified on 6/29/2007

-

APPLIES TO


 * Microsoft Small Business Server 2000 Standard Edition
 * Microsoft BackOffice Small Business Server 4.5

-



This article was previously published under Q303323



SUMMARY
This article describes how to maintain a secure Small Business Server (SBS) installation.



MORE INFORMATION
To maintain a secure network of any kind always demands diligence on the part of the system administrators that operate it. Because SBS is a comprehensive suite, administrators of SBS installations need to be aware of the security of each suite component. All patches and security bulletins will first appear on the following Microsoft Security Web site:

http://microsoft.com/security

All SBS administrators are urged to subscribe to the Microsoft Security Notification service:

http://microsoft.com/technet/treeview/default.mspx?url=/technet/security/bulletin/notify.mspx

For a comprehensive list of all of the security patches that are available, use the following Microsoft Security Bulletin Search Web site:

http://microsoft.com/technet/security/current.mspx

Administrators are encouraged to use the Security Bulletin Search in conjunction with subscribing to the Security Notification Service to maintain their servers in the most secure state possible.

Hotfixes are patches that are released between service packs and that are designed to address one or more specific issues. After you apply a hotfix, you are normally required to restart your computer. If you do not restart your computer after you install a hotfix, the hotfix may not be installed properly. Note that you can use the QChain.exe tool to install multiple hotfixes in the same session, with only a single reboot. For additional information about the QChain.exe tool, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with Only One Reboot

Service packs are larger, much more inclusive packages that are designed to address a wide range of issues, including security. Users that are running the latest service pack of a product are normally protected from most vulnerabilities that have been identified up to the date of the Service Pack release. To obtain a list of the latest service packs that are available for each SBS suite component, please see the following Microsoft TechNet Service Packs Web page:

http://support.microsoft.com/default.aspx?PR=sp&FR=0&SD=TECH&LN=EN-US&CT=SD&SE=NONA

Small Business Server 2000 Service Pack 1 (SP1) includes updates for the operating system, server applications, and security features that have been released since the general product availability date in April 2001. For more information, see the following Microsoft SBS Web page:

http://www.microsoft.com/downloads/details.aspx?familyid=F4FC58D0-1FAC-4927-84D7-189FA1B690BE&displaylang=en

IMPORTANT: Unless a security bulletin specifically warns against installation on SBS, any security bulletin that is released for any of the suite components can be safely applied to SBS. As always, carefully read the release notes for any hotfix or service pack before you apply it to production computers.

You can use the following actions as part of your overall security strategy when you deploy SBS 2000 installations:  Subscribe to the following Microsoft Security Notification Service:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

 Become familiar with the tools and concepts on the following Microsoft TechNet Security Web site:

http://www.microsoft.com/technet/security/default.mspx

 Install and configure the server as outlined in the latest SBS Release Notes that are available at the following SBS Web site:

http://microsoft.com/sbserver

 Apply the latest service packs for each suite component. The list of service packs can be found at the TechNet Service Packs Web page:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;sp

 Use the following Security Bulletin Search Web page to make sure any post service pack updates are applied:

http://www.microsoft.com/technet/security/current.aspx

 Continue to monitor the Security Notification Service for any new updates that may be released. As new updates are released, tools (such as Terminal Services, QChain, VBScript, and so on) can be used to remotely apply the patches to your client's sites.</ul>

Microsoft Security home page
http://microsoft.com/security/

Security Bulletin Search
http://microsoft.com/technet/treeview/default.mspx?url=/technet/security/current.mspx

Secure Internet Information Services 5 Checklist
https://www.microsoft.com/technet/archive/security/chklist/iis5cl.mspx?mfr=true

Windows 2000 Internet Server Security Tool
http://www.microsoft.com/technet/security/tools/locktool.mspx

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

CERT Coordination Center: Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/root_compromise.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

URLScan Security Tool
http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a

URLScan is designed to make an IIS installation secure by default. This means that upon installation of the tool, IIS will not accept a variety of HTTP requests. Therefore, some SBS applications, like Outlook Web Access, may not function properly until the URLScan.ini file is edited to allow that functionality. Full details, including sample configurations, for editing URLScan can be found in the &quot;urlscan.txt&quot; file included with the download.

Additional query words: smallbiz sbs

Keywords: kbenv kbhowto KB303323

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.