SBS & Site Server Secure Installation

You might know me as the Accidental Hacker (see "The Accidental Hacker," February 1998), but my primary business is developing e-commerce Web sites. My customers aren't all big companies—some are rather small, and Microsoft Small Business Server (SBS) is a product of choice not only for these small businesses' internal needs but also for their e-commerce Web sites. Many of these companies use Microsoft Site Server 3.0 Commerce Edition as their e-commerce solutions' foundation. Microsoft developed Site Server mainly for installations on the full BackOffice platform. But for many small businesses, using only SBS and Site Server—rather than installing the full BackOffice solution—is an attractive idea. SBS and Site Server together provide most of the functionality that BackOffice provides, for a fraction of the cost. Although SBS and Site Server are easy to install and configure, making sure this solution works securely on the Internet is a complicated process.

Fortunately, I recently finished installing SBS and Site Server for a client, and I have all my installation records at hand. In this article, I share my checklist for installing SBS, Site Server, and the additional components you need to secure your e-commerce solution. If you follow my approach, you'll have a nicely secured SBS e-commerce installation.

Step 1:
Install SBS 4.0 on a Clean Server
I won't describe this procedure in depth—you can install SBS by following the installation wizard on the software's first installation CD-ROM if you have Windows NT Workstation 4.0 or Windows 9x installed on your system. You can also find complete installation instructions on Microsoft's Web site (http://microsoft.com/backofficesmallbiz/support/ setup.asp) or in the software's documentation. Before installing SBS, make sure your server complies with SBS's hardware requirements.

When I install SBS, I usually don't select any of the Microsoft Exchange Server installation options. The Exchange Server component in SBS 4.0 isn't the latest version and doesn't offer strong enough protection from mail relaying. If you install the SBS 4.0 version of Exchange Server, you'll open the door to bulk emailers who'll use this SMTP server as a relaying host.

Step 2:
Install SBS 4.0 SP1
The basic rule I live with is to install all the latest Microsoft releases and service packs on my servers. Site Server needs the NT 4.0 Option Pack installed, but to get the Option Pack running, you need to first install SBS 4.0 Service Pack 1 (SP1).

You can order the two SBS SP1 installation CD-ROMs from Microsoft at http://microsoft.com/backofficesmallbiz/guide/service.asp. Situations such as installing SBS and Site Server make me glad I have a TechNet subscription and access to all Microsoft service packs and patches on CD-ROM. If you install and support solutions on Microsoft products, a TechNet subscription can pay for itself many times over. For subscription information, go to http://www.microsoft.com/ technet/subscription/about.htm.

Step 3:
Run Proxy Server Upgrade Wizard for SBS
The Option Pack works only with Proxy Server 2.0, but SBS 4.0 includes Proxy Server 1.0. Fortunately, you can use a simple tool, the Proxy Server 2.0 Upgrade Wizard for Small Business Server, to prepare for the upgrade to Proxy Server 2.0 in SBS. To download a free copy of the Upgrade Wizard, go to http://backoffice.microsoft.com/ downtrial/moreinfo/proxywizard.asp.

Step 4:
Install Proxy Server 2.0
When you install SBS, you don't have the option not to install Proxy Server 1.0. However, you need to install Proxy Server 2.0 before installing the Option Pack. The good news is that you don't have to buy a Proxy Server 2.0 upgrade. A special offer from Microsoft gives SBS customers a Proxy Server 2.0 upgrade for only the cost of delivery. For information about this offer, go to http://microsoft.com/backofficesmallbiz/guide/ freeproxy.asp.

Step 5:
Install NT Server 4.0 Option Pack
Fortunately, Site Server Commerce Edition includes an installation CD-ROM for the NT 4.0 Option Pack, so you don't have to overwork your modem to download all this data. Install the Option Pack in custom mode: Add SMTP (remember that you didn't install Exchange Server when you installed SBS) and Windows Scripting Host (WSH) modules from Internet Information Server (IIS) 4.0. Don't install any samples for IIS—clear the selection when you install the Option Pack on any production server. I recommend deleting all sample content and HTML documentation, because intruders can use sample files to access hidden system information. For example, using http://victim/adsamples/config/site.csc, an intruder can find a copy of the site.csc file and the username and password of the Microsoft SQL Server system that functions as an advertising server. And http://victim/SiteServer/samples/knowledge/ search/viewcode.asp?source=/mystore/global.asa gives intruders the full source code of the global.asa file.

Step 6:
Reinstall Proxy Server 2.0
After you install the Option Pack, you need to reinstall Proxy Server 2.0 to get it working under the Microsoft Management Console (MMC). After this reinstall, Proxy Server will add its extensions to the MMC, and you'll have the fully operational Proxy Server that the README file in the Option Pack describes.

   Previous  [1]  2  Next