Why SBS is Insecure by Design

Dr. Thomas W. Shinder, Microsoft ISA Expert and contributor to ISAserver.org, has an excellent post detailing that inherent insecurities of Microsoft’s Small Business Server (SBS) 2003.

The general consensus among security professionals is that SBS is not, and cannot be made secure using generally accepted principles of network security.

It’s usually thought that the SBS’ers problem is that the ISA firewall is co-located on an SBS box and thus ISA can’t fully do its job as a network stateful packet inspection and application layer inspection firewall.

The major security problem with SBS isn’t that the ISA firewall is co-located on the box, although it is a big one. Conventional wisdom dictates that each non-firewall service loaded up on a firewall device significantly reduces the overall security provided by the firewall because of the increased “attack surface” exposed by the non-firewall components.

The actual security issue as it relates to SBS 2003 SP1 is that the SBS 2003 SP1 with the ISA firewall installed is an Internet facing device. Internet facing devices are by definition part of a security zone separate and distinct from security zones where a company’s core assets are located.

…does that mean I think that SBS is a bad solution for small business? It depends. Most small businesses really don’t take their information resources seriously and are unwilling to pay what it takes to create a secure infrastructure. They are willing to take on more risk than larger businesses. They often don’t have health insurance plans, even for the owners of the business. They are comfortable allowing employees unfettered access to the Internet. They’re comfortable allowing end-users RDP access to their network (in my opinion, one of the worst security moves anyone could ever make). They are more concerned with “making it work” than “making it safe”. Small business computers are typically unmanaged, and their networks usually look like something that “grew that way”. They claim that IT isn’t their business, at least until they lose everything, then suddenly IT appears to be a big part of their business.

If the small business fits within the above profile, then SBS is good enough for them. Not because it’s a secure solution, but because its a great deal with tons of useful software that they’re getting at loss leader pricing.

Perhaps its for this reason that a friend of mine, Tim Mullen (Thor from www.hammerofgod.com), an extremely well respected security expert and one of the smartest people I’ve ever had a chance to get to know, said the following about SBS:

“…I can say now that I would sooner sandpaper a bobcat’s ass in a telephone booth than flay my infrastructure with the product…”

Leave a Reply